diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index 327db26c82..063bfb4add 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -18,7 +18,13 @@ jobs: - name: Install Python Dependencies and ContentCTL and Atomic Red Team run: | - pip install contentctl>=4.0.0 + if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then + echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}" + pip install contentctl==${{ vars.CONTENTCTL_VERSION }} + else + echo "Installing latest contentctl version" + pip install contentctl + fi git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml deleted file mode 100644 index 3bac079e4a..0000000000 --- a/.github/workflows/auto-update.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: auto-update -on: - push: {} -jobs: - - validate-tag-if-present: - runs-on: ubuntu-latest - - steps: - - name: TAGGED, Validate that the tag is in the correct format - - run: | - echo "The GITHUB_REF: $GITHUB_REF" - #First check to see if the release is a tag - if [[ $GITHUB_REF =~ refs/tags/* ]]; then - #Yes, this is a tag, so we need to test to make sure that the tag - #is in the correct format (like v1.10.20) - if [[ $GITHUB_REF =~ refs/tags/v[0-9]+.[0-9]+.[0-9]+ ]]; then - echo "PASS: Tagged release with good format" - exit 0 - else - echo "FAIL: Tagged release with bad format" - exit 1 - fi - else - echo "PASS: Not a tagged release" - exit 0 - fi - autoupdate: - name: autoupdate - runs-on: ubuntu-latest - steps: - - uses: docker://chinthakagodawita/autoupdate-action:v1 - env: - GITHUB_TOKEN: "${{ secrets.SECURITY_CONTENT_ADMIN_TASKS }}" - DRY_RUN: "false" - MERGE_MSG: "Branch was auto-updated." 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 29d0d995d2..75a1011555 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,13 @@ jobs: - name: Install Python Dependencies and ContentCTL and Atomic Red Team run: | - pip install contentctl>=4.0.0 + if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then + echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}" + pip install contentctl==${{ vars.CONTENTCTL_VERSION }} + else + echo "Installing latest contentctl version" + pip install contentctl + fi git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml index b18c860bae..3071d016f9 100644 --- a/.github/workflows/unit-testing.yml +++ b/.github/workflows/unit-testing.yml @@ -23,7 +23,13 @@ jobs: - name: Install Python Dependencies and ContentCTL run: | python -m pip install --upgrade pip - pip install contentctl>=4.0.0 + if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then + echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}" + pip install contentctl==${{ vars.CONTENTCTL_VERSION }} + else + echo "Installing latest contentctl version" + pip install contentctl + fi # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop # Make sure we check out the PR, even if it actually lives in a fork diff --git a/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml b/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml index 65e1b43924..6c3e89a2d9 100644 
--- a/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml +++ b/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-05-07' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the @@ -34,9 +34,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - action - - src_ip - - dest_ip security_domain: network diff --git a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml index 00c8592839..fc25a264eb 100644 --- a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml +++ b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-07' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model @@ -40,14 +39,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.user - - All_Changes.status security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_cloud_instances_destroyed.yml b/baselines/baseline_of_cloud_instances_destroyed.yml index 1657b41bd0..7c5bf16935 100644 --- a/baselines/baseline_of_cloud_instances_destroyed.yml 
+++ b/baselines/baseline_of_cloud_instances_destroyed.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-25' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are destroyed in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. @@ -20,7 +19,7 @@ search: '| tstats count as instances_destroyed from datamodel=Change where All_C <= 5, 0, 1) | table _time instances_destroyed, HourOfDay, isWeekend | fit DensityFunction instances_destroyed by "HourOfDay,isWeekend" into cloud_excessive_instances_destroyed_v1 dist=expon show_density=true' -how_to_implement: 'You must have Enterprise Security 6.0 or later, if not you will +how_to_implement: "You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the @@ -28,9 +27,8 @@ how_to_implement: 'You must have Enterprise Security 6.0 or later, if not you wi in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically - re-run this search to rebuild the model with the latest data. - - More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.' + re-run this search to rebuild the model with the latest data.\nMore information + on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`." known_false_positives: none references: [] tags: 
@@ -43,15 +41,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.status - - All_Changes.object_category security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_cloud_instances_launched.yml b/baselines/baseline_of_cloud_instances_launched.yml index f555fec293..ef6e0e51b8 100644 --- a/baselines/baseline_of_cloud_instances_launched.yml +++ b/baselines/baseline_of_cloud_instances_launched.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-14' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are created in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The @@ -20,7 +19,7 @@ search: '| tstats count as instances_launched from datamodel=Change where (All_C <= 5, 0, 1) | table _time instances_launched, HourOfDay, isWeekend | fit DensityFunction instances_launched by "HourOfDay,isWeekend" into cloud_excessive_instances_created_v1 dist=expon show_density=true' -how_to_implement: 'You must have Enterprise Security 6.0 or later, if not you will +how_to_implement: "You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the 
@@ -28,9 +27,8 @@ how_to_implement: 'You must have Enterprise Security 6.0 or later, if not you wi in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically - re-run this search to rebuild the model with the latest data. - - More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.' + re-run this search to rebuild the model with the latest data.\nMore information + on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`." known_false_positives: none references: [] tags: @@ -43,15 +41,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.status - - All_Changes.object_category security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml index 9f8e1bad53..f9ba8051dc 100644 --- a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml +++ b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-07' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls for security groups are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt 
@@ -39,15 +38,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.user - - All_Changes.status - - All_Changes.object_category security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_command_line_length___mltk.yml b/baselines/baseline_of_command_line_length___mltk.yml index fb38d1dd2d..8746b93a71 100644 --- a/baselines/baseline_of_command_line_length___mltk.yml +++ b/baselines/baseline_of_command_line_length___mltk.yml @@ -4,7 +4,7 @@ version: 1 date: '2019-05-08' author: Rico Valdez, Splunk type: Baseline -datamodel: [] +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. The model @@ -24,7 +24,8 @@ how_to_implement: You must be ingesting endpoint data and populating the Endpoin the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More - information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. + information on the algorithm used in the search can be found at + `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. known_false_positives: none references: [] tags: @@ -41,12 +42,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_name - - Processes.process security_domain: endpoint deployment: scheduling: 
diff --git a/baselines/baseline_of_dns_query_length___mltk.yml b/baselines/baseline_of_dns_query_length___mltk.yml index 5558e4df13..e638540f4f 100644 --- a/baselines/baseline_of_dns_query_length___mltk.yml +++ b/baselines/baseline_of_dns_query_length___mltk.yml @@ -4,8 +4,7 @@ version: 1 date: '2019-05-08' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Network_Resolution +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build @@ -22,7 +21,8 @@ how_to_implement: To successfully implement this search, you will need to ensure days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on - the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. + the algorithm used in the search can be found at + `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. known_false_positives: none references: [] tags: @@ -36,10 +36,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.query - - DNS.record_type security_domain: network deployment: scheduling: diff --git a/baselines/baseline_of_kubernetes_container_network_io.yml b/baselines/baseline_of_kubernetes_container_network_io.yml index 16d5674e7c..63ecf5e914 100644 --- a/baselines/baseline_of_kubernetes_container_network_io.yml +++ b/baselines/baseline_of_kubernetes_container_network_io.yml 
@@ -4,29 +4,38 @@ version: 4 date: '2024-09-24' author: Matthew Moore, Splunk type: Baseline -datamodel: [] -description: This baseline rule calculates the average and standard deviation of inbound and outbound network IO for each Kubernetes container. - It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and - standard deviation of the network IO for each container. This baseline can be used to detect anomalies in network communication behavior, - which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. -search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s - | eval service = replace(''k8s.pod.name'', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") - | eval key = ''k8s.cluster.name'' + ":" + ''service'' - | stats avg(eval(if(direction="transmit", io,null()))) as avg_outbound_network_io avg(eval(if(direction="receive", io,null()))) as avg_inbound_network_io - stdev(eval(if(direction="transmit", io,null()))) as stdev_outbound_network_io stdev(eval(if(direction="receive", io,null()))) as stdev_inbound_network_io - count latest(_time) as last_seen by key - | outputlookup k8s_container_network_io_baseline' -how_to_implement: 'To implement this detection, follow these steps: - 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - 2. Enable the hostmetrics/process receiver in the OTEL configuration. - 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - 4. Install the Splunk Infrastructure Monitoring (SIM) add-on (ref: https://splunkbase.splunk.com/app/5247) - 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - 6. Set up the SIM modular input to ingest Process Metrics. 
Name this input "sim_process_metrics_to_metrics_index". - 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - 8. Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - 9. Set the Metric Resolution to 10000. - 10. Leave all other settings at their default values.' +status: production +description: This baseline rule calculates the average and standard deviation of inbound + and outbound network IO for each Kubernetes container. It uses metrics from the + Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates + a lookup table with the average and standard deviation of the network IO for each + container. This baseline can be used to detect anomalies in network communication + behavior, which may indicate security threats such as data exfiltration, command + and control communication, or compromised container behavior. 
+search: "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name + k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', + \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as avg_outbound_network_io + avg(eval(if(direction=\"receive\", io,null()))) as avg_inbound_network_io stdev(eval(if(direction=\"\ + transmit\", io,null()))) as stdev_outbound_network_io stdev(eval(if(direction=\"\ + receive\", io,null()))) as stdev_inbound_network_io count latest(_time) as last_seen + by key | outputlookup k8s_container_network_io_baseline" +how_to_implement: "To implement this detection, follow these steps: 1. Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process + receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install + the Splunk Infrastructure Monitoring (SIM) add-on (ref: https://splunkbase.splunk.com/app/5247) + 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID. 8. 
Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. + 10. Leave all other settings at their default values." known_false_positives: none references: [] tags: @@ -38,15 +47,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.pod.network.io - - k8s.cluster.name - - k8s.node.name - - k8s.pod.name security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -30d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_kubernetes_container_network_io_ratio.yml b/baselines/baseline_of_kubernetes_container_network_io_ratio.yml index 82964ddaf8..05799ca815 100644 --- a/baselines/baseline_of_kubernetes_container_network_io_ratio.yml +++ b/baselines/baseline_of_kubernetes_container_network_io_ratio.yml 
@@ -4,32 +4,38 @@ version: 2 date: '2024-09-24' author: Matthew Moore, Splunk type: Baseline -datamodel: [] -description: This baseline rule calculates the average ratio of inbound to outbound network IO for each Kubernetes container. - It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. - The rule generates a lookup table with the average and standard deviation of the network IO ratio for each container. - This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, - command and control communication, or compromised container behavior. -search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s - | eval service = replace(''k8s.pod.name'', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") - | eval key = ''k8s.cluster.name'' + ":" + ''service'' - | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key _time - | eval inbound:outbound = inbound_network_io/outbound_network_io - | eval outbound:inbound = outbound_network_io/inbound_network_io - | stats avg(*:*) as avg_*:* stdev(*:*) as stdev_*:* - count latest(_time) as last_seen by key - | outputlookup k8s_container_network_io_ratio_baseline' -how_to_implement: 'To implement this detection, follow these steps: - 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - 2. Enable the hostmetrics/process receiver in the OTEL configuration. - 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - 4. Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - 6. Set up the SIM modular input to ingest Process Metrics. 
Name this input "sim_process_metrics_to_metrics_index". - 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - 8. Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - 9. Set the Metric Resolution to 10000. - 10. Leave all other settings at their default values.' +status: production +description: This baseline rule calculates the average ratio of inbound to outbound + network IO for each Kubernetes container. It uses metrics from the Kubernetes API + and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table + with the average and standard deviation of the network IO ratio for each container. + This baseline can be used to detect anomalies in network communication behavior, + which may indicate security threats such as data exfiltration, command and control + communication, or compromised container behavior. 
+search: "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name + k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', + \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io + avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key _time + | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound + = outbound_network_io/inbound_network_io | stats avg(*:*) as avg_*:* stdev(*:*) + as stdev_*:* count latest(_time) as last_seen by key | outputlookup k8s_container_network_io_ratio_baseline" +how_to_implement: "To implement this detection, follow these steps: 1. Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process + receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install + the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) + 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID. 8. 
Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. + 10. Leave all other settings at their default values." known_false_positives: none references: [] tags: @@ -41,15 +47,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.pod.network.io - - k8s.cluster.name - - k8s.node.name - - k8s.pod.name security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -30d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_kubernetes_process_resource.yml b/baselines/baseline_of_kubernetes_process_resource.yml index 24b4d90b62..cb7c999811 100644 --- a/baselines/baseline_of_kubernetes_process_resource.yml +++ b/baselines/baseline_of_kubernetes_process_resource.yml 
@@ -4,26 +4,34 @@ version: 1 date: '2023-12-18' author: Matthew Moore, Splunk type: Baseline -datamodel: [] -description: This baseline rule calculates the average and standard deviation of various process resources in a Kubernetes environment. - It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and - standard deviation of the resource utilization for each process. This baseline can be used to detect anomalies in process resource utilization, - which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior. -search: '| mstats avg(process.*) as avg_process.* stdev(*) as stdev_* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name - | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' - | fillnull - | outputlookup k8s_process_resource_baseline' -how_to_implement: 'To implement this detection, follow these steps: - 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - 2. Enable the hostmetrics/process receiver in the OTEL configuration. - 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - 4. Install the Splunk Infrastructure Monitoring (SIM) add-on. - 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - 6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - 8. 
Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - 9. Set the Metric Resolution to 10000. - 10. Leave all other settings at their default values.' +status: production +description: This baseline rule calculates the average and standard deviation of various + process resources in a Kubernetes environment. It uses metrics from the Kubernetes + API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup + table with the average and standard deviation of the resource utilization for each + process. This baseline can be used to detect anomalies in process resource utilization, + which may indicate security threats such as resource exhaustion attacks, cryptojacking, + or compromised process behavior. +search: "| mstats avg(process.*) as avg_process.* stdev(*) as stdev_* where `kubernetes_metrics` + by host.name k8s.cluster.name k8s.node.name process.executable.name | eval key = + 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | fillnull + | outputlookup k8s_process_resource_baseline" +how_to_implement: "To implement this detection, follow these steps: 1. Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process + receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled. 4. 
Install + the Splunk Infrastructure Monitoring (SIM) add-on. 5. Configure the SIM add-on with + your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular + input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\"\ + . 7. In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); + data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); + data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); + data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); + data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); + data('process.handles').publish(label='J'); data('process.threads').publish(label='K') + 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default + values." known_false_positives: none references: [] tags: @@ -35,16 +43,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.* - - host.name - - k8s.cluster.name - - k8s.node.name - - process.executable.name security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -30d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_kubernetes_process_resource_ratio.yml b/baselines/baseline_of_kubernetes_process_resource_ratio.yml index dbfb5abe47..a92b872bd1 100644 --- a/baselines/baseline_of_kubernetes_process_resource_ratio.yml +++ b/baselines/baseline_of_kubernetes_process_resource_ratio.yml 
@@ -4,34 +4,42 @@ version: 2 date: '2024-09-24' author: Matthew Moore, Splunk type: Baseline -datamodel: [] -description: This baseline rule calculates the average and standard deviation of the ratio of various process resources in a Kubernetes environment. - It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and - standard deviation of the resource ratios for each process. This baseline can be used to detect anomalies in process resource utilization, - which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior. -search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s - | eval cpu:mem = ''process.cpu.utilization''/''process.memory.utilization'' - | eval cpu:disk = ''process.cpu.utilization''/''process.disk.operations'' - | eval mem:disk = ''process.memory.utilization''/''process.memory.utilization'' - | eval cpu:threads = ''process.cpu.utilization''/''process.threads'' - | eval disk:threads = ''process.disk.operations''/''process.threads'' - | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' - | fillnull - | stats avg(cpu:mem) as avg_cpu:mem stdev(cpu:mem) as stdev_cpu:mem avg(cpu:disk) as avg_cpu:disk stdev(cpu:disk) as stdev_cpu:disk - avg(mem:disk) as avg_mem:disk stdev(mem:disk) as stdev_mem:disk avg(cpu:threads) as avg_cpu:threads stdev(cpu:threads) as stdev_cpu:threads - avg(disk:threads) as avg_disk:threads stdev(disk:threads) as stdev_disk:threads count latest(_time) as last_seen by key - | outputlookup k8s_process_resource_ratio_baseline' -how_to_implement: 'To implement this detection, follow these steps: - 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - 2. Enable the hostmetrics/process receiver in the OTEL configuration. - 3. 
Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - 4. Install the Splunk Infrastructure Monitoring (SIM) add-on.(ref: https://splunkbase.splunk.com/app/5247) - 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - 6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - 8. Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - 9. Set the Metric Resolution to 10000. - 10. Leave all other settings at their default values.' +status: production +description: This baseline rule calculates the average and standard deviation of the + ratio of various process resources in a Kubernetes environment. It uses metrics + from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule + generates a lookup table with the average and standard deviation of the resource + ratios for each process. This baseline can be used to detect anomalies in process + resource utilization, which may indicate security threats such as resource exhaustion + attacks, cryptojacking, or compromised process behavior. 
+search: "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name + k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = + 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' + | eval mem:disk = 'process.memory.utilization'/'process.memory.utilization' | eval + cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = + 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \"\ + :\" + 'host.name' + \":\" + 'process.executable.name' | fillnull | stats avg(cpu:mem) + as avg_cpu:mem stdev(cpu:mem) as stdev_cpu:mem avg(cpu:disk) as avg_cpu:disk stdev(cpu:disk) + as stdev_cpu:disk avg(mem:disk) as avg_mem:disk stdev(mem:disk) as stdev_mem:disk + avg(cpu:threads) as avg_cpu:threads stdev(cpu:threads) as stdev_cpu:threads avg(disk:threads) + as avg_disk:threads stdev(disk:threads) as stdev_disk:threads count latest(_time) + as last_seen by key | outputlookup k8s_process_resource_ratio_baseline" +how_to_implement: "To implement this detection, follow these steps: 1. Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process + receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install + the Splunk Infrastructure Monitoring (SIM) add-on.(ref: https://splunkbase.splunk.com/app/5247) + 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID. 8. 
Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. + 10. Leave all other settings at their default values." known_false_positives: none references: [] tags: @@ -49,16 +57,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.* - - host.name - - k8s.cluster.name - - k8s.node.name - - process.executable.name security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -30d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/baseline_of_network_acl_activity_by_arn.yml b/baselines/baseline_of_network_acl_activity_by_arn.yml index b3b816c5d4..e56f565690 100644 --- a/baselines/baseline_of_network_acl_activity_by_arn.yml +++ b/baselines/baseline_of_network_acl_activity_by_arn.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-05-21' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls that were related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then @@ -29,7 +29,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.arn security_domain: network 
diff --git a/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml b/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml index a48856dc77..a8661c3264 100644 --- a/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml +++ b/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-07-17' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. This table is then outputted @@ -28,7 +28,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.arn security_domain: network diff --git a/baselines/baseline_of_security_group_activity_by_arn.yml b/baselines/baseline_of_security_group_activity_by_arn.yml index 43cabcd1cb..c5a8812fba 100644 --- a/baselines/baseline_of_security_group_activity_by_arn.yml +++ b/baselines/baseline_of_security_group_activity_by_arn.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-04-17' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. Also recorded is the number of data points for each user. This table is then outputted @@ -29,7 +29,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.arn security_domain: network diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/baseline_of_smb_traffic___mltk.yml index 8e8dcb31ef..7dfa90cf4b 100644 --- a/baselines/baseline_of_smb_traffic___mltk.yml +++ b/baselines/baseline_of_smb_traffic___mltk.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2019-05-08' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Network_Traffic +status: production description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The @@ -29,7 +28,8 @@ how_to_implement: You must be ingesting network traffic and populating the Netwo You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm - used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. + used in the search can be found at + `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. known_false_positives: none references: [] tags: @@ -46,9 +46,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_port - - All_Traffic.app - - All_Traffic.src security_domain: network diff --git a/baselines/count_of_assets_by_category.yml b/baselines/count_of_assets_by_category.yml index 2e3ff8569a..7824f09bb9 100644 --- a/baselines/count_of_assets_by_category.yml +++ b/baselines/count_of_assets_by_category.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-13' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search shows you every asset category you have and the assets that belong to those categories. search: '| from datamodel Identity_Management.All_Assets | stats count values(nt_host) @@ -25,8 +25,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Identity_Management.All_Assets - - category security_domain: endpoint 
diff --git a/baselines/count_of_unique_ips_connecting_to_ports.yml b/baselines/count_of_unique_ips_connecting_to_ports.yml index 3dd9fddaa8..f11befde8a 100644 --- a/baselines/count_of_unique_ips_connecting_to_ports.yml +++ b/baselines/count_of_unique_ips_connecting_to_ports.yml @@ -4,8 +4,7 @@ version: 1 date: '2017-09-13' author: David Dorsey, Splunk type: Baseline -datamodel: -- Network_Traffic +status: production description: The search counts the number of times a connection was observed to each destination port, and the number of unique source IPs connecting to them. search: '| tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts @@ -26,8 +25,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_port - - All_Traffic.src security_domain: network diff --git a/baselines/create_a_list_of_approved_aws_service_accounts.yml b/baselines/create_a_list_of_approved_aws_service_accounts.yml index b60bf256a4..f8b46ac7ff 100644 --- a/baselines/create_a_list_of_approved_aws_service_accounts.yml +++ b/baselines/create_a_list_of_approved_aws_service_accounts.yml @@ -4,7 +4,7 @@ version: 2 date: '2018-12-03' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search looks for successful API activity in CloudTrail within the last 30 days, filters out known users from the identity table, and outputs values of users into `aws_service_accounts.csv` lookup file. @@ -27,8 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - errorCode - - userName security_domain: network diff --git a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml index 6aa827b83b..607a5f9829 100644 --- a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml 
+++ b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-15' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints. @@ -20,26 +20,10 @@ tags: - Emotet Malware DHS Report TA18-201A - Monitor for Unauthorized Software - SamSam Ransomware - asset_type: Endpoint detections: - Prohibited Software On Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time security_domain: endpoint - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml index 02874c9c4a..461b657a67 100644 --- a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml +++ b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-04-09' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow @@ -28,21 +28,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - userIdentity.arn security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown 
diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml index d1dcf15f47..ade1932593 100644 --- a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml +++ b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml 
@@ -4,29 +4,26 @@ version: 1 date: '2019-11-14' author: Jason Brewer, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window. -search: '`cloudtrail` eventName=RunInstances errorCode=success - | bucket span=10m _time | stats count as instances_launched by _time src_user | - fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1' -how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) +search: '`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time + | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched + threshold=0.0005 into ec2_excessive_runinstances_v1' +how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail - inputs. - - In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, - along with any required dependencies. Depending on the number of users in your environment, - you may also need to adjust the value for max_inputs in the MLTK settings for the - DensityFunction algorithm, then ensure that the search completes in a reasonable - timeframe. By default, the search builds the model using the past 30 days of data. - You can modify the search window to build the model over a longer period of time, - which may give you better results. You may also want to periodically re-run this - search to rebuild the model with the latest data. 
- - More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.' + inputs.\nIn addition, you must have the Machine Learning Toolkit (MLTK) version + >= 4.2 installed, along with any required dependencies. Depending on the number + of users in your environment, you may also need to adjust the value for max_inputs + in the MLTK settings for the DensityFunction algorithm, then ensure that the search + completes in a reasonable timeframe. By default, the search builds the model using + the past 30 days of data. You can modify the search window to build the model over + a longer period of time, which may give you better results. You may also want to + periodically re-run this search to rebuild the model with the latest data.\nMore + information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`." known_false_positives: none references: [] tags: @@ -39,22 +36,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - src_user security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml index 1643566a67..a6d890da08 100644 --- a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml +++ b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml 
@@ -4,30 +4,27 @@ version: 1 date: '2019-11-14' author: Jason Brewer, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window. -search: '`cloudtrail` eventName=TerminateInstances errorCode=success - | bucket span=10m _time | stats count as instances_terminated by _time src_user - | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1' -how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) +search: '`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m + _time | stats count as instances_terminated by _time src_user | fit DensityFunction + instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1' +how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail - inputs. - - In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, - along with any required dependencies. Depending on the number of users in your environment, - you may also need to adjust the value for max_inputs in the MLTK settings for the - DensityFunction algorithm, then ensure that the search completes in a reasonable - timeframe. By default, the search builds the model using the past 30 days of data. - You can modify the search window to build the model over a longer period of time, - which may give you better results. You may also want to periodically re-run this - search to rebuild the model with the latest data. 
- - More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.' + inputs.\nIn addition, you must have the Machine Learning Toolkit (MLTK) version + >= 4.2 installed, along with any required dependencies. Depending on the number + of users in your environment, you may also need to adjust the value for max_inputs + in the MLTK settings for the DensityFunction algorithm, then ensure that the search + completes in a reasonable timeframe. By default, the search builds the model using + the past 30 days of data. You can modify the search window to build the model over + a longer period of time, which may give you better results. You may also want to + periodically re-run this search to rebuild the model with the latest data.\nMore + information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`." known_false_positives: none references: [] tags: @@ -39,22 +36,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - src_user security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml index cfb61398a8..71a860c70b 100644 --- a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml +++ b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-04-16' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user @@ -28,24 +28,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - errorCode - - userIdentity.type - - userName - - eventName security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml index 9c977eb85c..b0c5e90290 100644 --- a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml +++ b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml 
@@ -4,14 +4,14 @@ version: 1 date: '2018-03-16' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. search: '`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, - City, Region, Country | outputlookup previously_seen_provisioning_activity_src - | stats count' + City, Region, Country | outputlookup previously_seen_provisioning_activity_src | + stats count' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. @@ -29,21 +29,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - sourceIPAddress security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/previously_seen_ec2_amis.yml b/baselines/deprecated/previously_seen_ec2_amis.yml index 7c07f5b16c..1550cdf588 100644 --- a/baselines/deprecated/previously_seen_ec2_amis.yml +++ b/baselines/deprecated/previously_seen_ec2_amis.yml 
@@ -1,15 +1,15 @@ name: Previously Seen EC2 AMIs id: bb1bd99d-1e93-45f1-9571-cfed42d372b9 -version: 1 -date: '2018-03-12' +version: 2 +date: '2025-01-16' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search builds a table of previously seen AMIs used to launch EC2 instances search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID - | outputlookup previously_seen_ec2_amis | stats count' + | outputlookup previously_seen_ec2_amis_lookup | stats count' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. @@ -24,22 +24,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - requestParameters.instancesSet.items{}.imageId security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/previously_seen_ec2_instance_types.yml b/baselines/deprecated/previously_seen_ec2_instance_types.yml index caa4874b07..cfff4e6d58 100644 --- a/baselines/deprecated/previously_seen_ec2_instance_types.yml +++ b/baselines/deprecated/previously_seen_ec2_instance_types.yml 
@@ -1,14 +1,14 @@ name: Previously Seen EC2 Instance Types id: b8f029f2-65a6-4d76-be98-dad1c9d59c45 -version: 1 -date: '2018-03-08' +version: 2 +date: '2025-01-16' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search builds a table of previously seen EC2 instance types search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType as instanceType | fillnull value="m1.small" instanceType | stats earliest(_time) - as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types + as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types_lookup | stats count' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail @@ -24,22 +24,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - requestParameters.instanceType security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml index b9055ec06d..d1aa8e8045 100644 --- a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml +++ b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml 
@@ -1,15 +1,15 @@ name: Previously Seen EC2 Launches By User id: 6c767ac0-0906-4355-9a83-927f5ee7bdad -version: 1 -date: '2018-03-15' +version: 2 +date: '2025-01-16' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search builds a table of previously seen ARNs that have launched a EC2 instance. search: '`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup - previously_seen_ec2_launches_by_user | stats count' + previously_seen_ec2_launches_by_user_lookup | stats count' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. @@ -25,22 +25,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - requestParameters.instanceType security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml index c10e6be865..f8e40480d7 100644 --- a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml +++ b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-04-30' author: Jason Brewer, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 
@@ -13,10 +13,10 @@ description: This search looks for CloudTrail events where a user logs into the search: '`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region - Country | outputlookup previously_seen_users_console_logins_cloudtrail | stats count' + Country | outputlookup previously_seen_users_console_logins | stats count' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail - inputs. Please validate the user name entries in `previously_seen_users_console_logins_cloudtrail`, + inputs. Please validate the user name entries in `previously_seen_users_console_logins`, which is a lookup file created as a result of running this support search. known_false_positives: none references: [] @@ -32,22 +32,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.arn - - src security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml index f7672203b6..063ad93dcc 100644 --- a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml +++ b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml 
@@ -1,10 +1,10 @@ name: Update previously seen users in CloudTrail id: 06c036e6-d6d7-4daa-bd76-411c3d356031 -version: 1 -date: '2018-04-30' +version: 2 +date: '2025-01-16' author: Jason Brewer, Splunk type: Baseline -datamodel: [] +status: deprecated description: This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour. @@ -13,12 +13,12 @@ description: This search looks for CloudTrail events where a user logs into the search: '`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region - Country | inputlookup append=t previously_seen_users_console_logins_cloudtrail | + Country | inputlookup append=t previously_seen_users_console_logins | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region - Country | outputlookup previously_seen_users_console_logins_cloudtrail' + Country | outputlookup previously_seen_users_console_logins' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail - inputs. Please validate the user name entries in `previously_seen_users_console_logins_cloudtrail`, + inputs. Please validate the user name entries in `previously_seen_users_console_logins`, which is a lookup file created as a result of running this support search. known_false_positives: none references: [] 
@@ -34,22 +34,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.arn - - src security_domain: network - kill_chain_phases: - - Exploitation - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: field - type: Unknown - role: - - Unknown diff --git a/baselines/discover_dns_records.yml b/baselines/discover_dns_records.yml index ea2d436f9d..2faf30e568 100644 --- a/baselines/discover_dns_records.yml +++ b/baselines/discover_dns_records.yml @@ -1,17 +1,16 @@ name: Discover DNS records id: c096f721-8842-42ce-bfc7-74bd8c72b7c3 version: 1 -date: '2019-02-14' +date: '2025-01-16' author: Jose Hernandez, Splunk type: Baseline -datamodel: -- Network_Resolution +status: production description: The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup -search: '| inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv - | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, +search: '| inputlookup cim_corporate_email_domain_lookup | inputlookup append=T cim_corporate_web_domain_lookup + | inputlookup append=T cim_cloud_domain_lookup | eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | 
@@ -33,9 +32,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.record_type - - DNS.answer - - DNS.query security_domain: network diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml index 56d143e729..dbfba119f7 100644 --- a/baselines/dnstwist_domain_names.yml +++ b/baselines/dnstwist_domain_names.yml @@ -4,7 +4,7 @@ version: 2 date: '2018-10-08' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches. @@ -19,7 +19,6 @@ tags: analytic_story: - Brand Monitoring - Suspicious Emails - asset_type: Endpoint detections: - Monitor Email For Brand Abuse - Monitor DNS For Brand Abuse @@ -28,19 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - kill_chain_phases: - - Exploitation - required_fields: - - _time security_domain: network - confidence: 50 - impact: 50 - risk_score: 25 - context: - - Unknown - message: tbd - observable: - - name: dest - type: Other - role: - - Other diff --git a/baselines/identify_systems_creating_remote_desktop_traffic.yml b/baselines/identify_systems_creating_remote_desktop_traffic.yml index 6ed4f0c880..f466963093 100644 --- a/baselines/identify_systems_creating_remote_desktop_traffic.yml +++ b/baselines/identify_systems_creating_remote_desktop_traffic.yml @@ -4,8 +4,7 @@ version: 1 date: '2017-09-15' author: David Dorsey, Splunk type: Baseline -datamodel: -- Network_Traffic +status: production description: This search counts the numbers of times the system has generated remote desktop traffic. search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic 
@@ -27,8 +26,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_port - - All_Traffic.src security_domain: network diff --git a/baselines/identify_systems_receiving_remote_desktop_traffic.yml b/baselines/identify_systems_receiving_remote_desktop_traffic.yml index 82ce7d8312..19fc44ca03 100644 --- a/baselines/identify_systems_receiving_remote_desktop_traffic.yml +++ b/baselines/identify_systems_receiving_remote_desktop_traffic.yml @@ -4,8 +4,7 @@ version: 1 date: '2017-09-15' author: David Dorsey, Splunk type: Baseline -datamodel: -- Network_Traffic +status: production description: This search counts the numbers of times the system has created remote desktop traffic search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic @@ -28,8 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_port - - All_Traffic.dest security_domain: network diff --git a/baselines/identify_systems_using_remote_desktop.yml b/baselines/identify_systems_using_remote_desktop.yml index aad6d64306..434b290d1f 100644 --- a/baselines/identify_systems_using_remote_desktop.yml +++ b/baselines/identify_systems_using_remote_desktop.yml @@ -4,8 +4,7 @@ version: 1 date: '2019-04-01' author: David Dorsey, Splunk type: Baseline -datamodel: -- Endpoint +status: production description: This search counts the numbers of times the remote desktop process, mstsc.exe, has run on each system. search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -27,8 +26,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.dest security_domain: endpoint diff --git a/baselines/monitor_successful_backups.yml b/baselines/monitor_successful_backups.yml index 469a6b3876..fe0c140a5a 100644 
--- a/baselines/monitor_successful_backups.yml +++ b/baselines/monitor_successful_backups.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-12' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search is intended to give you a feel for how often successful backups are conducted in your environment. Fluctuations in these numbers will allow you to determine when you should investigate. @@ -24,6 +24,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time security_domain: endpoint diff --git a/baselines/monitor_unsuccessful_backups.yml b/baselines/monitor_unsuccessful_backups.yml index 08267228d4..83195cbae0 100644 --- a/baselines/monitor_unsuccessful_backups.yml +++ b/baselines/monitor_unsuccessful_backups.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-12' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search is intended to give you a feel for how often backup failures happen in your environments. Fluctuations in these numbers will allow you to determine when you should investigate. @@ -23,6 +23,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time security_domain: endpoint diff --git a/baselines/previously_seen_aws_cross_account_activity.yml b/baselines/previously_seen_aws_cross_account_activity.yml index 9cac5a7a27..ed2cad1585 100644 --- a/baselines/previously_seen_aws_cross_account_activity.yml +++ b/baselines/previously_seen_aws_cross_account_activity.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-06-04' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. 
@@ -28,9 +28,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.accountId - - resources{}.accountId security_domain: network diff --git a/baselines/previously_seen_aws_cross_account_activity___initial.yml b/baselines/previously_seen_aws_cross_account_activity___initial.yml index f615b6c25e..6fad8d0f18 100644 --- a/baselines/previously_seen_aws_cross_account_activity___initial.yml +++ b/baselines/previously_seen_aws_cross_account_activity___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-15' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Authentication +status: production description: This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. @@ -32,17 +31,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.vendor_account - - Authentication.user - - Authentication.src - - Authentication.user_role security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_aws_cross_account_activity___update.yml b/baselines/previously_seen_aws_cross_account_activity___update.yml index c067f69b15..9cb9c956b9 100644 --- a/baselines/previously_seen_aws_cross_account_activity___update.yml +++ b/baselines/previously_seen_aws_cross_account_activity___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-15' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Authentication +status: production description: This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. 
@@ -32,11 +31,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.vendor_account - - Authentication.user - - Authentication.src - - Authentication.user_role security_domain: network diff --git a/baselines/previously_seen_aws_regions.yml b/baselines/previously_seen_aws_regions.yml index 81db14b95d..da7bd98582 100644 --- a/baselines/previously_seen_aws_regions.yml +++ b/baselines/previously_seen_aws_regions.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-01-08' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last @@ -26,7 +26,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - awsRegion security_domain: network diff --git a/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml b/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml index 1625cba2d3..76a9d53576 100644 --- a/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml +++ b/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-03' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of the first and last times seen for every user role and command combination. This is broadly defined as any event that runs or creates something. This table is then cached. 
@@ -28,16 +27,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.user_type - - All_Changes.status - - All_Changes.user - - All_Changes.command security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml b/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml index 5171f6a2fe..dadd790f96 100644 --- a/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml +++ b/baselines/previously_seen_cloud_api_calls_per_user_role___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-03' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search updates the table of the first and last times seen for every user role and command combination. search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen @@ -30,10 +29,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.user_type - - All_Changes.status - - All_Changes.user - - All_Changes.command security_domain: network diff --git a/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml b/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml index 91fd9115a9..ed6a275c00 100644 --- a/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml +++ b/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-15' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen users that have launched a cloud compute instance. search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen 
@@ -25,15 +24,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.object_category - - All_Changes.user security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_cloud_compute_creations_by_user___update.yml b/baselines/previously_seen_cloud_compute_creations_by_user___update.yml index 4896094581..29d5b5952f 100644 --- a/baselines/previously_seen_cloud_compute_creations_by_user___update.yml +++ b/baselines/previously_seen_cloud_compute_creations_by_user___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-15' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen users that have launched a cloud compute instance. search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen @@ -28,9 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.object_category - - All_Changes.user security_domain: network diff --git a/baselines/previously_seen_cloud_compute_images___initial.yml b/baselines/previously_seen_cloud_compute_images___initial.yml index 1e8db27323..963cdf7af0 100644 --- a/baselines/previously_seen_cloud_compute_images___initial.yml +++ b/baselines/previously_seen_cloud_compute_images___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-10-08' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen images used to launch cloud compute instances search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen 
@@ -27,14 +26,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.Instance_Changes.image_id security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_cloud_compute_images___update.yml b/baselines/previously_seen_cloud_compute_images___update.yml index cefb0afda5..580b2ad13c 100644 --- a/baselines/previously_seen_cloud_compute_images___update.yml +++ b/baselines/previously_seen_cloud_compute_images___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-12' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen images used to launch cloud compute instances search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen @@ -28,8 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.Instance_Changes.image_id security_domain: network diff --git a/baselines/previously_seen_cloud_compute_instance_types___initial.yml b/baselines/previously_seen_cloud_compute_instance_types___initial.yml index fb8057565e..1f325d98c9 100644 --- a/baselines/previously_seen_cloud_compute_instance_types___initial.yml +++ b/baselines/previously_seen_cloud_compute_instance_types___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-03' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen cloud compute instance types search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen 
@@ -26,10 +25,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.Instance_Changes.instance_type security_domain: network deployment: scheduling: diff --git a/baselines/previously_seen_cloud_compute_instance_types___update.yml b/baselines/previously_seen_cloud_compute_instance_types___update.yml index 0c17305924..4c426ae70e 100644 --- a/baselines/previously_seen_cloud_compute_instance_types___update.yml +++ b/baselines/previously_seen_cloud_compute_instance_types___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-03' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen cloud compute instance types search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen @@ -28,8 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.Instance_Changes.instance_type security_domain: network diff --git a/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml b/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml index 48b1d73252..4685a5d45e 100644 --- a/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml +++ b/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-07-29' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of previously seen users that have modified a cloud instance. search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen 
@@ -26,16 +25,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.change_type - - All_Changes.status - - All_Changes.user security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml b/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml index b51943b350..68d81025a8 100644 --- a/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml +++ b/baselines/previously_seen_cloud_instance_modifications_by_user___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-07-29' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Change +status: production description: This search updates a table of previously seen Cloud Instance modifications that have been made by a user search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen @@ -30,10 +29,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.change_type - - All_Changes.status - - All_Changes.user security_domain: network diff --git a/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml b/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml index 22542e4d13..0296b5697c 100644 --- a/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml +++ b/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2020-08-19' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Change +status: production description: This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. This @@ -33,15 +32,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.src - - All_Changes.status security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml b/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml index 104740b59d..6997f09948 100644 --- a/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml +++ b/baselines/previously_seen_cloud_provisioning_activity_sources___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-08-20' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This returns the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity within the last day. Cloud provisioning is broadly defined as any event that runs @@ -38,9 +37,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.src - - All_Changes.status security_domain: network diff --git a/baselines/previously_seen_cloud_regions___initial.yml b/baselines/previously_seen_cloud_regions___initial.yml index 8c83ae3cb2..68a9aaac84 100644 --- a/baselines/previously_seen_cloud_regions___initial.yml +++ b/baselines/previously_seen_cloud_regions___initial.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2020-09-02' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the @@ -28,14 +27,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.vendor_region security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_cloud_regions___update.yml b/baselines/previously_seen_cloud_regions___update.yml index d51eeb25b1..fe6e4e31a4 100644 --- a/baselines/previously_seen_cloud_regions___update.yml +++ b/baselines/previously_seen_cloud_regions___update.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-09-02' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the @@ -31,8 +30,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.vendor_region security_domain: network diff --git a/baselines/previously_seen_command_line_arguments.yml b/baselines/previously_seen_command_line_arguments.yml index 6f29d709d1..f797569828 100644 --- a/baselines/previously_seen_command_line_arguments.yml +++ b/baselines/previously_seen_command_line_arguments.yml 
@@ -4,8 +4,7 @@ version: 2 date: '2019-03-01' author: Bhavin Patel, Splunk type: Baseline -datamodel: -- Endpoint +status: production description: This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days. @@ -36,8 +35,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process security_domain: endpoint diff --git a/baselines/previously_seen_ec2_modifications_by_user.yml b/baselines/previously_seen_ec2_modifications_by_user.yml index 86e14cc330..fdf51c1460 100644 --- a/baselines/previously_seen_ec2_modifications_by_user.yml +++ b/baselines/previously_seen_ec2_modifications_by_user.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-04-05' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search builds a table of previously seen ARNs that have launched a EC2 instance. search: '`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn @@ -24,8 +24,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.arn - - errorCode security_domain: network diff --git a/baselines/previously_seen_running_windows_services___initial.yml b/baselines/previously_seen_running_windows_services___initial.yml index 2a4504f319..429efbceae 100644 --- a/baselines/previously_seen_running_windows_services___initial.yml +++ b/baselines/previously_seen_running_windows_services___initial.yml @@ -4,7 +4,7 @@ version: 3 date: '2020-06-23' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This collects the services that have been started across your entire enterprise. search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) 
@@ -26,14 +26,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message security_domain: endpoint deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_running_windows_services___update.yml b/baselines/previously_seen_running_windows_services___update.yml index 00d4063ef8..e5ef21ba42 100644 --- a/baselines/previously_seen_running_windows_services___update.yml +++ b/baselines/previously_seen_running_windows_services___update.yml @@ -4,7 +4,7 @@ version: 3 date: '2020-06-23' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within @@ -31,14 +31,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message security_domain: endpoint deployment: scheduling: cron_schedule: 55 * * * * earliest_time: -70m@m latest_time: -10m@m - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml b/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml index afff188900..ed80570f70 100644 --- a/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml +++ b/baselines/previously_seen_s3_bucket_access_by_remote_ip.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-06-28' author: Bhavin Patel, Splunk type: Baseline -datamodel: [] +status: production description: This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. In this support search, we are only looking @@ -27,9 +27,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_status - - bucket_name - - remote_ip security_domain: network diff --git a/baselines/previously_seen_users_in_cloudtrail___initial.yml b/baselines/previously_seen_users_in_cloudtrail___initial.yml index 8982ce24cb..39b4d4f14c 100644 --- a/baselines/previously_seen_users_in_cloudtrail___initial.yml +++ b/baselines/previously_seen_users_in_cloudtrail___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-05-28' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Authentication +status: production description: This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last @@ -34,15 +33,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.user - - Authentication.src security_domain: network deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_users_in_cloudtrail___update.yml b/baselines/previously_seen_users_in_cloudtrail___update.yml index 60e463be04..06983af330 100644 --- a/baselines/previously_seen_users_in_cloudtrail___update.yml +++ b/baselines/previously_seen_users_in_cloudtrail___update.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2020-05-28' author: Rico Valdez, Splunk type: Baseline -datamodel: -- Authentication +status: production description: This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour. @@ -34,9 +33,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.user - - Authentication.src security_domain: network diff --git a/baselines/previously_seen_zoom_child_processes___initial.yml b/baselines/previously_seen_zoom_child_processes___initial.yml index 94e2d11d9a..812ab81ab0 100644 --- a/baselines/previously_seen_zoom_child_processes___initial.yml +++ b/baselines/previously_seen_zoom_child_processes___initial.yml @@ -4,8 +4,7 @@ version: 1 date: '2020-05-20' author: David Dorsey, Splunk type: Baseline -datamodel: -- Endpoint +status: production description: This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). This table is then cached. @@ -28,15 +27,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.dest security_domain: endpoint deployment: scheduling: cron_schedule: 0 2 * * 0 earliest_time: -90d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/previously_seen_zoom_child_processes___update.yml b/baselines/previously_seen_zoom_child_processes___update.yml index dc968e2e40..350131e49a 100644 --- a/baselines/previously_seen_zoom_child_processes___update.yml +++ b/baselines/previously_seen_zoom_child_processes___update.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2020-05-20' author: David Dorsey, Splunk type: Baseline -datamodel: -- Endpoint +status: production description: This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out proces_name @@ -33,15 +32,10 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.dest security_domain: endpoint deployment: scheduling: cron_schedule: 55 * * * * earliest_time: -70m@m latest_time: -10m@m - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml b/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml index 40628afaf9..7b26e9e44d 100644 --- a/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml +++ b/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml @@ -4,8 +4,7 @@ version: 1 date: '2018-01-08' author: David Dorsey, Splunk type: Baseline -datamodel: -- Change +status: production description: Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. If this @@ -30,12 +29,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_category - - All_Changes.object_path - - All_Changes.dest - - All_Changes.command - - All_Changes.user - - All_Changes.object security_domain: endpoint diff --git a/baselines/windows_updates_install_failures.yml b/baselines/windows_updates_install_failures.yml index c74fffda1d..d9bd881691 100644 --- a/baselines/windows_updates_install_failures.yml 
+++ b/baselines/windows_updates_install_failures.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-14' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search is intended to give you a feel for how often Windows updates fail to install in your environment. Fluctuations in these numbers will allow you to determine when you should be concerned. @@ -23,8 +23,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Updates.vendor_product - - Updates.status security_domain: endpoint diff --git a/baselines/windows_updates_install_successes.yml b/baselines/windows_updates_install_successes.yml index ea2bd56702..cac97fe4e8 100644 --- a/baselines/windows_updates_install_successes.yml +++ b/baselines/windows_updates_install_successes.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-14' author: David Dorsey, Splunk type: Baseline -datamodel: [] +status: production description: This search is intended to give you a feel for how often successful Windows updates are applied in your environments. Fluctuations in these numbers will allow you to determine when you should be concerned. @@ -23,8 +23,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Updates.vendor_product - - Updates.status security_domain: endpoint diff --git a/contentctl.yml b/contentctl.yml index 1608f85298..c1a4789702 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -3,7 +3,7 @@ app: uid: 3449 title: ES Content Updates appid: DA-ESS-ContentUpdate - version: 4.44.0 + version: 5.0.0 description: Explore the Analytic Stories included with ES Content Updates. prefix: ESCU label: ESCU 
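Review bot: the `version: 4.44.0` to `version: 5.0.0` bump in contentctl.yml is a major-version change that lands together with a content-schema change (the baselines in this same patch drop `datamodel` and `required_fields` and gain `status: production`), so the PR description should name the minimum contentctl release that accepts the new keys; a builder on an older contentctl will fail validation on every file touched here instead of on one clear version error.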
@@ -71,9 +71,9 @@ apps: - uid: 833 title: Splunk Add-on for Unix and Linux appid: Splunk_TA_nix - version: 9.2.0 + version: 10.0.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_920.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1000.tgz - uid: 5579 title: Splunk Add-on for CrowdStrike FDR appid: Splunk_TA_CrowdStrike_FDR @@ -155,9 +155,9 @@ apps: - uid: 3110 title: Splunk Add-on for Microsoft Cloud Services appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES - version: 5.4.1 + version: 5.4.2 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_541.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_542.tgz - uid: 4055 title: Splunk Add-on for Microsoft Office 365 appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365 diff --git a/data_sources/azure_active_directory.yml b/data_sources/azure_active_directory.yml index 5acf9c76b5..2fa460b33f 100644 --- a/data_sources/azure_active_directory.yml +++ b/data_sources/azure_active_directory.yml @@ -10,4 +10,4 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml index 9db213655d..f527bda794 100644 --- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml +++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml 
@@ -11,7 +11,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml index c62d91a8c2..3a0db1013e 100644 --- a/data_sources/azure_active_directory_add_member_to_role.yml +++ b/data_sources/azure_active_directory_add_member_to_role.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml index 6e3b00d39a..a58de4a47b 100644 --- a/data_sources/azure_active_directory_add_owner_to_application.yml +++ b/data_sources/azure_active_directory_add_owner_to_application.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml index 798a1dd0c9..e3970586a3 100644 --- a/data_sources/azure_active_directory_add_service_principal.yml +++ b/data_sources/azure_active_directory_add_service_principal.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml index 2cb8e93738..d4103cfef6 100644 
--- a/data_sources/azure_active_directory_add_unverified_domain.yml +++ b/data_sources/azure_active_directory_add_unverified_domain.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml index 9464b69c7a..d7a04aa5ad 100644 --- a/data_sources/azure_active_directory_consent_to_application.yml +++ b/data_sources/azure_active_directory_consent_to_application.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml index 2b1fd79f79..2ef98d1f69 100644 --- a/data_sources/azure_active_directory_disable_strong_authentication.yml +++ b/data_sources/azure_active_directory_disable_strong_authentication.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml index 710007e9f8..b09a4f4204 100644 --- a/data_sources/azure_active_directory_enable_account.yml +++ b/data_sources/azure_active_directory_enable_account.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level 
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml index ebb0a4dea9..e66920d152 100644 --- a/data_sources/azure_active_directory_invite_external_user.yml +++ b/data_sources/azure_active_directory_invite_external_user.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml index 1247baa3b5..b3fb17cd5e 100644 --- a/data_sources/azure_active_directory_reset_password_(by_admin).yml +++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml index 07fbd4945f..dda3730b7f 100644 --- a/data_sources/azure_active_directory_set_domain_authentication.yml +++ b/data_sources/azure_active_directory_set_domain_authentication.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml index 71e28dc986..7b53354989 100644 --- a/data_sources/azure_active_directory_sign_in_activity.yml +++ b/data_sources/azure_active_directory_sign_in_activity.yml 
@@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml index 821d432ecf..b77b1dfa80 100644 --- a/data_sources/azure_active_directory_update_application.yml +++ b/data_sources/azure_active_directory_update_application.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml index 6d43b471e6..d04c125346 100644 --- a/data_sources/azure_active_directory_update_authorization_policy.yml +++ b/data_sources/azure_active_directory_update_authorization_policy.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml index 4efa2a3816..c589966ec2 100644 --- a/data_sources/azure_active_directory_update_user.yml +++ b/data_sources/azure_active_directory_update_user.yml @@ -10,7 +10,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml index f7bef825fe..5880ca36cd 100644 
--- a/data_sources/azure_active_directory_user_registered_security_info.yml +++ b/data_sources/azure_active_directory_user_registered_security_info.yml @@ -11,7 +11,7 @@ separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - Level diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml index 8e30686b23..b341d24461 100644 --- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml +++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml @@ -11,7 +11,7 @@ separator: operationName.localizedValue supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - authorization.action diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml index 024427c038..6511f9fe3e 100644 --- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml +++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml @@ -11,7 +11,7 @@ separator: operationName.localizedValue supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - authorization.action diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml index 35fccd817e..da046c0e0b 100644 --- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml +++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml 
@@ -11,7 +11,7 @@ separator: operationName.localizedValue supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - _time - authorization.action diff --git a/data_sources/azure_monitor_activity.yml b/data_sources/azure_monitor_activity.yml index 4a4eb3f0b0..d3526f723c 100644 --- a/data_sources/azure_monitor_activity.yml +++ b/data_sources/azure_monitor_activity.yml @@ -3,14 +3,17 @@ id: 1997a515-a61a-4f78-ada9-54af34c764f2 version: 1 date: '2025-01-13' author: Bhavin Patel, Splunk -description: Data source object for Azure Monitor Activity. The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. +description: Data source object for Azure Monitor Activity. The Splunk Add-on for + Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure + EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic + settings > Add diagnostic settings & send events to the activity audit event hub. source: Azure AD sourcetype: azure:monitor:activity separator: operationName supported_TA: - name: Splunk Add-on for Microsoft Cloud Services url: https://splunkbase.splunk.com/app/3110 - version: 5.4.1 + version: 5.4.2 fields: - column - action 
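Review bot: the reflowed `description` in data_sources/azure_monitor_activity.yml still reads `In-Tune audit logs` while the same sentence later spells the product `Intune`; since these lines are being rewritten anyway, correct the spelling to Intune in this change rather than leaving the inconsistency for a later cleanup. The wrap itself is safe: the value is a plain scalar, so the line breaks fold to single spaces.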
@@ -93,4 +96,16 @@ fields: - vendor_product - vendor_region - _time -example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "brian.cove@frothlydev.onmicrosoft.com"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": [""], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "brian.cove@frothlydev.onmicrosoft.com"}' +example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", + "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", + "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, + "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", + "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, + "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": + "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "brian.cove@frothlydev.onmicrosoft.com"}, + "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", + "Category": 
3, "RelationId": null, "TargetDisplayNames": [""], "TargetObjectIds": + ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": + "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, + "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", + "identity": "brian.cove@frothlydev.onmicrosoft.com"}' diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml index c1d4736a2e..d8604f8794 100644 --- a/data_sources/linux_auditd_add_user.yml +++ b/data_sources/linux_auditd_add_user.yml @@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux url: https://splunkbase.splunk.com/app/833 - version: 9.2.0 + version: 10.0.0 fields: - msg - type @@ -30,4 +30,6 @@ fields: - UID - AUID - ID -example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"' +example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 + ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 + addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"' diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml index 0752725a0f..04f7bb6c35 100644 --- a/data_sources/linux_auditd_execve.yml +++ b/data_sources/linux_auditd_execve.yml 
@@ -10,10 +10,11 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux url: https://splunkbase.splunk.com/app/833 - version: 9.2.0 + version: 10.0.0 fields: - msg - type - msg - argc -example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"' +example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" + a2="./prog"' diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml index 03703ad47b..9ff6f3cdef 100644 --- a/data_sources/linux_auditd_path.yml +++ b/data_sources/linux_auditd_path.yml @@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux url: https://splunkbase.splunk.com/app/833 - version: 9.2.0 + version: 10.0.0 fields: - msg - type @@ -30,4 +30,6 @@ fields: - cap_frootid - OUID - OGID -example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"' +example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" + inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 + cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"' diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml index 4831ba4585..b20cf3036c 100644 --- a/data_sources/linux_auditd_proctitle.yml +++ b/data_sources/linux_auditd_proctitle.yml @@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux url: https://splunkbase.splunk.com/app/833 - version: 9.2.0 + version: 10.0.0 fields: - proctitle - msg 
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml index 151da0bdca..f58756c5ae 100644 --- a/data_sources/linux_auditd_service_stop.yml +++ b/data_sources/linux_auditd_service_stop.yml @@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux url: https://splunkbase.splunk.com/app/833 - version: 9.2.0 + version: 10.0.0 fields: - msg - type @@ -28,4 +28,6 @@ fields: - res - UID - AUID -example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"' +example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 + ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" + hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"' diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml index 73a300e2be..6246b98eaf 100644 --- a/data_sources/linux_auditd_syscall.yml +++ b/data_sources/linux_auditd_syscall.yml @@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules supported_TA: - name: Splunk Add-on for Unix and Linux url: https://splunkbase.splunk.com/app/833 - version: 9.2.0 + version: 10.0.0 fields: - msg - type @@ -20,7 +20,7 @@ fields: - success - exit - a1 -- a2 +- a2 - a3 - items - ppid 
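Review bot: the `@@ -20,7 +20,7 @@` hunk in data_sources/linux_auditd_syscall.yml removes `- a2` and adds what renders as the identical `- a2`, so the only difference is trailing whitespace or a line ending. That is harmless, but because it is invisible in review it deserves a word in the commit message, or better, a single whitespace-normalisation pass over all data_sources files as its own commit so content changes and whitespace changes do not share a diff.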
@@ -51,4 +51,9 @@ fields: - EGID - SGID - FSGID -example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"' +example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 + success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 + ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 + tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 + SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" + EGID="root" SGID="root" FSGID="root"' diff --git a/data_sources/linux_secure.yml b/data_sources/linux_secure.yml index cd08575aa2..468d387446 100644 --- a/data_sources/linux_secure.yml +++ b/data_sources/linux_secure.yml @@ -6,7 +6,10 @@ author: Patrick Bareiss, Splunk description: Data source object for Linux Secure source: /var/log/secure sourcetype: linux_secure -supported_TA: [] +supported_TA: +- name: Splunk Add-on for Unix and Linux + url: https://splunkbase.splunk.com/app/833 + version: 9.2.0 fields: - _time - action diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml index 0d5c05dcf5..01fc428ed4 100644 --- a/detections/application/crushftp_server_side_template_injection.yml +++ b/detections/application/crushftp_server_side_template_injection.yml 
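Review bot: the new `supported_TA` entry in data_sources/linux_secure.yml pins Splunk Add-on for Unix and Linux at `version: 9.2.0`, while every linux_auditd_*.yml data source in this patch and the Splunk_TA_nix entry in contentctl.yml (with `hardcoded_path: ...splunk-add-on-for-unix-and-linux_1000.tgz`) move the same add-on to `version: 10.0.0`. Unless linux_secure was deliberately validated only against 9.2.0, set it to 10.0.0 so the data-source metadata matches the add-on build the test environment actually installs, and confirm the new `_1000.tgz` object exists in the attack-range-appbinaries bucket before the build job depends on it.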
@@ -1,16 +1,36 @@ name: CrushFTP Server Side Template Injection id: ccf6b7a3-bd39-4bc9-a949-143a8d640dbc -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Michael Haag, Splunk data_source: - CrushFTP type: TTP status: production -description: This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis. -search: '`crushftp` | rex field=_raw "\[(?HTTPS|HTTP):(?[^\:]+):(?[^\:]+):(?\d+\.\d+\.\d+\.\d+)\] (?READ|WROTE): \*(?[A-Z]+) (?[^\s]+) HTTP/[^\*]+\*" | eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation by " . src_ip, "false") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter`' -how_to_implement: CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs. 
-known_false_positives: False positives should be limited, however tune or filter as needed. +description: This analytic is designed to identify attempts to exploit a server-side + template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This + severe vulnerability enables unauthenticated remote attackers to access and read + files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary + commands on the affected server. The issue impacts all versions of CrushFTP up to + 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply + patches immediately to prevent unauthorized access to the system and avoid potential + data compromises. The search specifically looks for patterns in the raw log data + that match the exploitation attempts, including READ or WRITE actions, and extracts + relevant information such as the protocol, session ID, user, IP address, HTTP method, + and the URI queried. It then evaluates these logs to confirm traces of exploitation + based on the presence of specific keywords and the originating IP address, counting + and sorting these events for further analysis. +search: '`crushftp` | rex field=_raw "\[(?HTTPS|HTTP):(?[^\:]+):(?[^\:]+):(?\d+\.\d+\.\d+\.\d+)\] + (?READ|WROTE): \*(?[A-Z]+) (?[^\s]+) HTTP/[^\*]+\*" + | eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation + by " . src_ip, "false") | search message!=false | rename host as dest | stats count + by _time, dest, source, message, src_ip, http_method, uri_query, user, action | + sort -_time| `crushftp_server_side_template_injection_filter`' +how_to_implement: CrushFTP Session logs, from Windows or Linux, must be ingested to + Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from + the raw logs. +known_false_positives: False positives should be limited, however tune or filter as + needed. 
references: - https://github.com/airbus-cert/CVE-2024-4040 - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/ 
@@ -20,48 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential exploitation of CrushFTP Server Side Template Injection Vulnerability + on $dest$ by $src_ip$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - CrushFTP Vulnerabilities asset_type: Web Application - confidence: 80 - impact: 80 - message: Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: IP Address - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - source - - src_ip - - http_method - - uri_query - - user - - action - - message - risk_score: 64 security_domain: network cve: - CVE-2024-4040 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp.log sourcetype: crushftp:sessionlogs source: crushftp diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index f9ddef4d0b..a25a797b90 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml 
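Review bot: in detections/application/crushftp_server_side_template_injection.yml the reflowed `search` shows every capture group without a name, `(?HTTPS|HTTP)`, `(?READ|WROTE)`, `(?[A-Z]+)` and so on, yet the later `isnotnull(src_ip)` test and `stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action` depend on those names. If the `<name>` parts were only lost in rendering this is fine; if they are really missing, the `rex` will not compile and the detection returns nothing without an obvious error, so run the search against the `crushftp.log` dataset listed in the `tests` block before merging. Separately, the `rba` migration keeps `score: 64` but drops the old `confidence: 80` / `impact: 80` pair, so the score is now a hand-entered constant rather than a derived value; a short PR note saying so will help whoever tunes it next.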
@@ -1,48 +1,59 @@ name: Detect Distributed Password Spray Attempts id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57 -version: 2 -date: '2024-10-17' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: Hunting data_source: - Azure Active Directory Sign-in activity -description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A - distributed password spray attack is a type of brute force attack where the attacker attempts a few - common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. - By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication - events, providing comprehensive coverage and enhancing security against these attacks. +description: This analytic employs the 3-sigma approach to identify distributed password + spray attacks. A distributed password spray attack is a type of brute force attack + where the attacker attempts a few common passwords against many different accounts, + connecting from multiple IP addresses to avoid detection. By utilizing the Authentication + Data Model, this detection is effective for all CIM-mapped authentication events, + providing comprehensive coverage and enhancing security against these attacks. 
search: >- - | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src values(Authentication.app) as app values(Authentication.src) as src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") Authentication.user_agent="*" by Authentication.signature_id, Authentication.user_agent, sourcetype, _time span=10m + | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts + dc(Authentication.src) as unique_src values(Authentication.app) as app values(Authentication.src) + as src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication + where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") + Authentication.user_agent="*" by Authentication.signature_id, Authentication.user_agent, + sourcetype, _time span=10m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=10m count | table _time] | fillnull value=0 unique_accounts, unique_src ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) - | stats values(total_failures) as total_failures values(signature_id) as signature_id values(src) as src values(sourcetype) as sourcetype values(app) as app count by counter unique_accounts unique_src user_agent _time + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) | + stats values(total_failures) as total_failures values(signature_id) as signature_id + values(src) as src values(sourcetype) as sourcetype values(app) as app count by + counter unique_accounts unique_src user_agent _time ``` remove 0 count rows where counter has data``` | sort - _time 
unique_accounts | dedup _time counter ``` 3-sigma detection logic ``` - | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter user_agent + | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user + avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter user_agent | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) - | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_src >= upperBoundsrc), 1, 0) + | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) + and (unique_src > 30 and unique_src >= upperBoundsrc), 1, 0) | replace "::ffff:*" with * in src | where isOutlier=1 | foreach * [ eval <> = if(<>="null",null(),<>)] - | mvexpand src - | iplocation src - | table _time, unique_src, unique_accounts, total_failures, sourcetype, signature_id, user_agent, src, Country + | mvexpand src | iplocation src | table _time, unique_src, unique_accounts, total_failures, + sourcetype, signature_id, user_agent, src, Country | eval date_wday=strftime(_time,"%a"), date_hour=strftime(_time,"%H") | `detect_distributed_password_spray_attempts_filter` -how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) - and that the src field is populated with the source device information. Additionally, ensure that - fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from - log sources that do not feature the signature_id field in the results. -known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. 
+how_to_implement: Ensure that all relevant authentication data is mapped to the Common + Information Model (CIM) and that the src field is populated with the source device + information. Additionally, ensure that fill_nullvalue is set within the security_content_summariesonly + macro to include authentication events from log sources that do not feature the + signature_id field in the results. +known_false_positives: It is common to see a spike of legitimate failed authentication + events on monday mornings. references: - https://attack.mitre.org/techniques/T1110/003/ tags: @@ -52,34 +63,20 @@ tags: asset_type: Endpoint atomic_guid: - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - confidence: 70 - impact: 70 - message: Distributed Password Spray Attempt Detected from $src$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_agent - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - Authentication.user - - Authentication.src security_domain: access - manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detection. + manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this + detection. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log source: azure:monitor:aad sourcetype: azure:monitor:aad diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml index 1177fe653b..fb892eaaa3 100644 
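Review bot: this detection is `type: Hunting`, so removing confidence, impact, message, observable and risk_score without adding an `rba:` block is the correct conversion, but note that the version bump to 3 then carries no functional change beyond the YAML reflow, and `manual_test` is retained, so CI will continue to skip the attack_data run for this search. Minor: `monday mornings` in known_false_positives should read `Monday mornings`.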
--- a/detections/application/detect_new_login_attempts_to_routers.yml +++ b/detections/application/detect_new_login_attempts_to_routers.yml 
@@ -1,40 +1,45 @@ name: Detect New Login Attempts to Routers id: bce3ed7c-9b1f-42a0-abdf-d8b123a34836 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise. +description: The following analytic identifies new login attempts to routers. It leverages + authentication logs from the ES Assets and Identity Framework, focusing on assets + categorized as routers. The detection flags connections that have not been observed + in the past 30 days. This activity is significant because unauthorized access to + routers can lead to network disruptions or data interception. If confirmed malicious, + attackers could gain control over network traffic, potentially leading to data breaches + or further network compromise. data_source: [] -search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`' -how_to_implement: To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. 
You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure. +search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest + latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router + by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), + "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` + | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`' +how_to_implement: To successfully implement this search, you must ensure the network + router devices are categorized as "router" in the Assets and identity table. You + must also populate the Authentication data model with logs related to users authenticating + to routing infrastructure. known_false_positives: Legitimate router connections may appear as new connections references: [] +rba: + message: New login on $dest$ from $user$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.dest_category - - Authentication.dest - - Authentication.user - risk_score: 25 security_domain: network diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index 9caf4200d9..9089026b9d 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml 
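Review bot: the new rba message `New login on $dest$ from $user$` overstates what the search proves: the tstats has no `Authentication.action` filter, so the first-seen $dest$/$user$ pair may be a failed attempt. Suggest `New login attempt on $dest$ by $user$` to match the detection name, or add `Authentication.action=success` to the where clause if only successful logins should raise risk. Replacing the old `tbd` placeholder message is a genuine fix and should stay.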
@@ -1,48 +1,52 @@ name: Detect Password Spray Attempts id: 086ab581-8877-42b3-9aee-4a7ecb0923af -version: 4 -date: '2024-10-17' +version: 5 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Event Log Security 4625 -description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts - from a single source. A password spray attack is a type of brute force attack where an attacker tries a few - common passwords across many different accounts to avoid detection and account lockouts. By utilizing the - Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing - comprehensive coverage and enhancing security against these attacks. +description: This analytic employs the 3-sigma approach to detect an unusual volume + of failed authentication attempts from a single source. A password spray attack + is a type of brute force attack where an attacker tries a few common passwords across + many different accounts to avoid detection and account lockouts. By utilizing the + Authentication Data Model, this detection is effective for all CIM-mapped authentication + events, providing comprehensive coverage and enhancing security against these attacks. 
search: >- - | tstats `security_content_summariesonly` values(Authentication.user) AS unique_user_names dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=5m - | `drop_dm_object_name("Authentication")` + | tstats `security_content_summariesonly` values(Authentication.user) AS unique_user_names + dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) + as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" + NOT Authentication.src IN ("-","unknown") by Authentication.src, Authentication.action, + Authentication.signature_id, sourcetype, _time span=5m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts ``` Create aggregation field & apply to all null events``` - | eval counter=src+"__"+sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter - | eval counter=coalesce(counter,fnscounter) + | eval counter=src+"__"+sourcetype+"__"+signature_id | eventstats values(counter) + as fnscounter | eval counter=coalesce(counter,fnscounter) ``` stats version of mvexpand ``` - | stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time + | stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures) + as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) + as sourcetype 
count by counter unique_accounts _time ``` remove duplicate time buckets for each unique source``` | sort - _time unique_accounts | dedup _time counter ```Find the outliers``` - | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std + by counter | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) - | replace "::ffff:*" with * in src - | where isOutlier=1 - | foreach * + | replace "::ffff:*" with * in src | where isOutlier=1 | foreach * [ eval <> = if(<>="null",null(),<>)] - | table _time, src, action, app, unique_accounts, unique_user_names, total_failures, sourcetype, signature_id, counter + | table _time, src, action, app, unique_accounts, unique_user_names, total_failures, + sourcetype, signature_id, counter | `detect_password_spray_attempts_filter` how_to_implement: >- - Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. - Also ensure fill_nullvalue is set within the macro security_content_summariesonly. - - This search operates best on a 5 minute schedule, looking back over the past 70 minutes. - Configure 70 minute throttling on the two fields _time and counter. + Ensure in-scope authentication data is CIM mapped and the src field is populated + with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. + This search opporates best on a 5 minute schedule, looking back over the past 70 + minutes. Configure 70 minute throttling on the two fields _time and counter. known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1110/003/ 
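Review bot: the reflowed how_to_implement introduces a typo, `opporates` (the removed line read `operates`), and the blank line that separated the two paragraphs inside the `>-` folded scalar is gone, so the scheduling and throttling guidance now folds into the same paragraph as the CIM mapping note. Suggest restoring `operates` and keeping an empty line before `This search operates best on a 5 minute schedule`.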
@@ -52,9 +56,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$sourcetype$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ + unique accounts. + risk_objects: + - field: unique_user_names + type: user + score: 49 + threat_objects: + - field: src + type: system tags: analytic_story: - Compromised User Account 
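Review bot: the drilldown `View risk events for the last 7 days for "$sourcetype$"` queries `normalized_risk_object IN ("$sourcetype$")`, but the rba block assigns risk to `unique_user_names` (type user) with `src` as the threat object, so that drilldown will never match a risk event produced by this detection. Suggest pointing it at the field that actually becomes the risk object, `normalized_risk_object IN ("$unique_user_names$")`, and renaming the drilldown accordingly. Also note that `unique_user_names` is built with `values(Authentication.user)` and is multivalue, so one result fans out to one risk event per sprayed account; if that is intended, it is worth a sentence in how_to_implement.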
@@ -62,34 +81,18 @@ tags: asset_type: Endpoint atomic_guid: - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - confidence: 70 - impact: 70 - message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. mitre_attack_id: - T1110.003 - T1110 - observable: - - name: unique_user_names - type: User - role: - - Victim - - name: src - type: Endpoint - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 70 - required_fields: - - Authentication.action - - Authentication.user - - Authentication.src security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml index a25822aab7..e75c27439a 100644 --- a/detections/application/email_attachments_with_lots_of_spaces.yml +++ b/detections/application/email_attachments_with_lots_of_spaces.yml 
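Review bot: the removed `risk_score: 70` disagreed with the removed `confidence: 70` / `impact: 70` (70 x 70 / 100 = 49), and the new rba block settles on `score: 49`, so this hunk silently lowers the detection's risk score from 70 to 49. If the lower score is intended, call it out in the PR description; otherwise set `score: 70` in the rba block.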
@@ -1,20 +1,47 @@ name: Email Attachments With Lots Of Spaces id: 56e877a6-1455-4479-ada6-0550dc1e22f8 -version: 4 -date: '2024-10-17' +version: 5 +date: '2025-01-21' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment. +description: The following analytic detects email attachments with an unusually high + number of spaces in their file names, which is a common tactic used by attackers + to obfuscate file extensions. It leverages the Email data model to identify attachments + where the ratio of spaces to the total file name length exceeds 10%. This behavior + is significant as it may indicate an attempt to bypass security filters and deliver + malicious payloads. If confirmed malicious, this activity could lead to the execution + of harmful code or unauthorized access to sensitive information within the recipient's + environment. 
data_source: [] -search: '| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?.*)@" | `email_attachments_with_lots_of_spaces_filter`' -how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. - - **Splunk Phantom Playbook Integration** - - If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.' 
+search: '| tstats `security_content_summariesonly` count values(All_Email.recipient) + as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email + where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` + | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio + >= 0.1 | rex field=recipient_address "(?.*)@" | `email_attachments_with_lots_of_spaces_filter`' +how_to_implement: "You need to ingest data from emails. Specifically, the sender's + address and the file names of any attachments must be mapped to the Email data model. + The threshold ratio is set to 10%, but this value can be configured to suit each + environment.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also + configured in your environment, a playbook called \"Suspicious Email Attachment + Investigate and Delete\" can be configured to run when any results are found by + this detection search. To use this integration, install the Phantom App for Splunk + `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"\ + Phantom Instance\" field in the Adaptive Response Actions when configuring this + detection search. The finding based event will be sent to Phantom and the playbook will + gather further information about the file attachment and its network behaviors. + If Phantom finds malicious behavior and an analyst approves of the results, the + email will be deleted from the user's inbox." known_false_positives: None at this time references: [] +rba: + message: Abnormal number of spaces present in attachment filename from $src_user$ + risk_objects: + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Data Destruction 
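Review bot: the how_to_implement rewrite changes `notable event` to `finding based event`; if that is the intended ES terminology it should be hyphenated, `finding-based event`, and the blank lines around `**Splunk Phantom Playbook Integration**` collapsed into single `\n` escapes inside the new double-quoted scalar, so the bold heading no longer renders as its own paragraph. Also, the rex pattern `(?.*)@` as it appears here carries no capture-group name and would fail in SPL; confirm the file still has the named group (e.g. `(?<recipient_user>.*)@`) and that it only reads this way because of rendering. Moving the risk object from `user`, which the search never outputs, to `src_user` is a genuine fix.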
@@ -22,24 +49,8 @@ tags: - Hermetic Wiper - Suspicious Emails asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Email.recipient - - All_Email.file_name - - All_Email.src_user - - All_Email.file_name - - All_Email.message_id - risk_score: 25 security_domain: network diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml index b30ba515aa..b60204ed4f 100644 --- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml +++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml 
@@ -1,42 +1,53 @@ name: Email files written outside of the Outlook directory id: 8d52cf03-ba25-4101-aa78-07994aed4f74 -version: 5 -date: '2024-10-17' +version: 6 +date: '2025-01-21' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network. +description: The following analytic detects email files (.pst or .ost) being created + outside the standard Outlook directories. It leverages the Endpoint.Filesystem data + model to identify file creation events and filters for email files not located in + "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". + This activity is significant as it may indicate data exfiltration or unauthorized + access to email data. If confirmed malicious, an attacker could potentially access + sensitive email content, leading to data breaches or further exploitation within + the network. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -known_false_positives: Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search. 
+search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) + as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem + where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path + != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" + by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest + | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `email_files_written_outside_of_the_outlook_directory_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records the file-system activity from your hosts to populate the Endpoint.Filesystem + data model node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. + The data used for this search is typically generated via logs that report file-system + reads and writes. +known_false_positives: Administrators and users sometimes prefer backing up their + email data by moving the email files into a different folder. These attempts will + be detected by the search. references: [] +rba: + message: Email files written outside of Outlook's Directory on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Collection and Staging asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1114 - T1114.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - Filesystem.file_name - - Filesystem.action - - Filesystem.process_id - - Filesystem.dest - risk_score: 25 security_domain: endpoint 
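Review bot: `threat_objects: []` leaves the risk event with no indicator even though the search groups by `Filesystem.file_name` and returns `file_path`; suggest adding `- field: file_name` with `type: file_name` so the analyst sees which .pst/.ost was written without opening the search. The dest risk object at score 25 matches the removed confidence 50 x impact 50 / 100.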
diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml index d978a5a014..7a4e2f7bd3 100644 --- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml +++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml 
@@ -1,40 +1,60 @@ name: Email servers sending high volume traffic to hosts id: 7f5fb3e1-4209-4914-90db-0ec21b556378 -version: 4 -date: '2024-10-17' +version: 5 +date: '2025-01-21' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. +description: The following analytic identifies a significant increase in data transfers + from your email server to client hosts. It leverages the Network_Traffic data model + to monitor outbound traffic from email servers, using statistical analysis to detect + anomalies based on average and standard deviation metrics. This activity is significant + as it may indicate a malicious actor exfiltrating data via your email server. If + confirmed malicious, this could lead to unauthorized data access and potential data + breaches, compromising sensitive information and impacting organizational security. 
data_source: [] -search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`' -how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. 
-known_false_positives: The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. +search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out + from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip + _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) + as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples + avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out + stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out + by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples + >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * + stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold + * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average + = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average + = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, + 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, + num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`' +how_to_implement: This search requires you to be ingesting your network traffic and + populating the Network_Traffic data model. Your email servers must be categorized + as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold + and minimum_data_samples values based on the network traffic in your environment. 
+ The "deviation_threshold" field is a multiplying factor to control how much variation + you're willing to tolerate. The "minimum_data_samples" field is the minimum number + of connections of data samples required for the statistic to be valid. +known_false_positives: The false-positive rate will vary based on how you set the + deviation_threshold and data_samples values. Our recommendation is to adjust these + values based on your network traffic to and from your email servers. references: [] +rba: + message: High volume of network traffic from $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Collection and Staging - HAFNIUM Group asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1114 - T1114.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.bytes_out - - All_Traffic.src_category - - All_Traffic.dest_ip - risk_score: 25 security_domain: network diff --git a/detections/application/ivanti_vtm_new_account_creation.yml b/detections/application/ivanti_vtm_new_account_creation.yml index 800c5cd88c..1cb41a1d85 100644 --- a/detections/application/ivanti_vtm_new_account_creation.yml +++ b/detections/application/ivanti_vtm_new_account_creation.yml 
@@ -1,16 +1,30 @@ name: Ivanti VTM New Account Creation id: b04be6e5-2002-4349-8742-52285635b8f5 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Michael Haag, Splunk data_source: - Ivanti VTM Audit type: TTP status: production -description: This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows unauthenticated remote attackers to bypass authentication on the admin panel and create new admin users. This detection looks for suspicious new account creation events in the Ivanti vTM audit logs that lack expected authentication details, which may indicate exploitation attempts. -search: '`ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!" | stats count min(_time) as firstTime max(_time) as lastTime by IP, MODUSER, OPERATION, MODGROUP, AUTH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_vtm_new_account_creation_filter`' -how_to_implement: To implement this detection, ensure that Ivanti vTM audit logs are being ingested into Splunk. Configure the Ivanti vTM to send its audit logs to Splunk via syslog or by monitoring the log files directly. The sourcetype should be set to "ivanti_vtm_audit" or a similar custom sourcetype for these logs. -known_false_positives: Legitimate new account creation by authorized administrators will generate similar log entries. However, those should include proper authentication details. Verify any detected events against expected administrative activities and authorized user lists. +description: This analytic detects potential exploitation of the Ivanti Virtual Traffic + Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new + administrator accounts. The vulnerability allows unauthenticated remote attackers + to bypass authentication on the admin panel and create new admin users. 
This detection + looks for suspicious new account creation events in the Ivanti vTM audit logs that + lack expected authentication details, which may indicate exploitation attempts. +search: '`ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!" | + stats count min(_time) as firstTime max(_time) as lastTime by IP, MODUSER, OPERATION, + MODGROUP, AUTH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ivanti_vtm_new_account_creation_filter`' +how_to_implement: To implement this detection, ensure that Ivanti vTM audit logs are + being ingested into Splunk. Configure the Ivanti vTM to send its audit logs to Splunk + via syslog or by monitoring the log files directly. The sourcetype should be set + to "ivanti_vtm_audit" or a similar custom sourcetype for these logs. +known_false_positives: Legitimate new account creation by authorized administrators + will generate similar log entries. However, those should include proper authentication + details. Verify any detected events against expected administrative activities and + authorized user lists. references: - https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593 - https://nvd.nist.gov/vuln/detail/CVE-2024-7593 
@@ -20,41 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$MODUSER$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new administrator account, $MODUSER$, was created on Ivanti vTM device + without proper authentication, which may indicate exploitation of CVE-2024-7593. + risk_objects: + - field: MODUSER + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Ivanti Virtual Traffic Manager CVE-2024-7593 asset_type: Web Application - confidence: 80 - impact: 90 - message: A new administrator account, $MODUSER$, was created on Ivanti vTM device without proper authentication, which may indicate exploitation of CVE-2024-7593. 
mitre_attack_id: - T1190 - observable: - - name: MODUSER - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - IP - - MODUSER - - OPERATION - - MODGROUP - - AUTH - risk_score: 72 security_domain: access cve: - CVE-2024-7593 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_audit.log sourcetype: ivanti_vtm_audit source: ivanti_vtm diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml index 3ecae133f8..fb4e90525e 100644 --- a/detections/application/monitor_email_for_brand_abuse.yml +++ b/detections/application/monitor_email_for_brand_abuse.yml 
@@ -1,37 +1,45 @@ name: Monitor Email For Brand Abuse id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8 -version: 4 -date: '2024-10-17' +version: 5 +date: '2025-01-21' author: David Dorsey, Splunk status: experimental type: TTP -description: The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage. +description: The following analytic identifies emails claiming to be sent from a domain + similar to one you are monitoring for potential abuse. It leverages email header + data, specifically the sender's address, and cross-references it with a lookup table + of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. + This activity is significant as it can indicate phishing attempts or brand impersonation, + which are common tactics used in social engineering attacks. If confirmed malicious, + this could lead to unauthorized access, data theft, or reputational damage. 
data_source: [] -search: '| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`' -how_to_implement: You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. +search: '| tstats `security_content_summariesonly` values(All_Email.recipient) as + recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email + by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval + temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true + brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true + | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`' +how_to_implement: You need to ingest email header data. Specifically the sender's + address (src_user) must be populated. You also need to have run the search "ESCU + - DNSTwist Domain Names", which creates the permutations of the domain that will + be checked for. 
known_false_positives: None at this time references: [] +rba: + message: Possible Brand Abuse from $email_domain$ + risk_objects: + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Brand Monitoring - Suspicious Emails asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Email.recipient - - All_Email.src_user - - All_Email.message_id - risk_score: 25 security_domain: network diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml index 3e5cbbfab8..5c20fa4d04 100644 --- a/detections/application/no_windows_updates_in_a_time_frame.yml +++ b/detections/application/no_windows_updates_in_a_time_frame.yml 
@@ -1,36 +1,40 @@ name: No Windows Updates in a time frame id: 1a77c08c-2f56-409c-a2d3-7d64617edd4f -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk status: experimental type: Hunting -description: The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the 'Update' data model in Splunk, specifically looking for the latest 'Installed' status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control. +description: The following analytic identifies Windows endpoints that have not generated + an event indicating a successful Windows update in the last 60 days. It leverages + the 'Update' data model in Splunk, specifically looking for the latest 'Installed' + status events from Microsoft Windows. This activity is significant for a SOC because + endpoints that are not regularly patched are vulnerable to known exploits and security + vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint + that is intentionally being kept unpatched, potentially allowing attackers to exploit + unpatched vulnerabilities and gain unauthorized access or control. 
data_source: [] -search: '| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time", | table Host, "Update Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`' -how_to_implement: To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems. +search: '| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates + where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest + Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status + as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime + <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | + search isOutlier=1 | rename lastTime as "Last Update Time", | table Host, "Update + Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`' +how_to_implement: To successfully implement this search, it requires that the 'Update' + data model is being populated. 
This can be accomplished by ingesting Windows events + or the Windows Update log via a universal forwarder on the Windows endpoints you + wish to monitor. The Windows add-on should be also be installed and configured to + properly parse Windows events in Splunk. There may be other data sources which can + populate this data model, including vulnerability management systems. known_false_positives: None identified references: [] tags: analytic_story: - Monitor for Updates asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Updates.status - - Updates.vendor_product - - Updates.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml index 22fa5d249f..48faea347a 100644 --- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml +++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml 
@@ -1,16 +1,33 @@ name: Okta Authentication Failed During MFA Challenge id: e2b99e7d-d956-411a-a120-2b14adfdde93 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk data_source: - Okta type: TTP status: production -description: The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials. 
+description: The following analytic identifies failed authentication attempts during + the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication + datamodel to detect specific failed events where the authentication signature is + `user.authentication.auth_via_mfa`. This activity is significant as it may indicate + an adversary attempting to authenticate with compromised credentials on an account + with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt + to bypass MFA protections, potentially leading to unauthorized access and further + compromise of the affected account. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Authentication.app) as app values(Authentication.reason) as + reason values(Authentication.signature) as signature values(Authentication.method) + as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa + Authentication.action = failure by _time Authentication.src Authentication.user + Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation + src | `okta_authentication_failed_during_mfa_challenge_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: A user may have accidentally entered the wrong credentials + during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. + Ensure that the user is aware of the MFA process and has the correct credentials. references: - https://sec.okta.com/everythingisyes - https://splunkbase.splunk.com/app/6553 
@@ -20,50 +37,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]" + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 60 - impact: 80 - message: A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]" mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - T1621 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.app - - Authentication.action - - Authentication.user - - 
Authentication.reason - - Authentication.dest - - Authentication.signature - - Authentication.method - - Authentication.src - risk_score: 48 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log source: okta_log sourcetype: OktaIM2:log diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml index a8530426c8..aaaf5d028c 100644 --- a/detections/application/okta_idp_lifecycle_modifications.yml +++ b/detections/application/okta_idp_lifecycle_modifications.yml 
@@ -1,16 +1,32 @@ name: Okta IDP Lifecycle Modifications id: e0be2c83-5526-4219-a14f-c3db2e763d15 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems. -search: '`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior. 
+description: The following analytic identifies modifications to Okta Identity Provider + (IDP) lifecycle events, including creation, activation, deactivation, and deletion + of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta + Identity Cloud. Monitoring these events is crucial for maintaining the integrity + and security of authentication mechanisms. Unauthorized or anomalous changes could + indicate potential security breaches or misconfigurations. If confirmed malicious, + attackers could manipulate authentication processes, potentially gaining unauthorized + access or disrupting identity management systems. +search: '`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") + | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) + as target_id values(target{}.type) as target_modified by src dest src_user_id user + user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `okta_idp_lifecycle_modifications_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: It's possible for legitimate administrative actions or automated + processes to trigger this detection, especially if there are bulk modifications + to Okta IDP lifecycle events. Review the context of the modification, such as the + user making the change and the specific lifecycle event modified, to determine if + it aligns with expected behavior. references: - https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/ - https://splunkbase.splunk.com/app/6553 
@@ -20,47 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] is attempting IDP lifecycle modification - [$description$] + from IP Address - [$src$]" + risk_objects: + - field: user + type: user + score: 81 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Suspicious Okta Activity asset_type: Okta Tenant - confidence: 90 - impact: 90 - message: A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]" mitre_attack_id: - T1087.004 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - eventType - - target{}.id - - target{}.type - - src - - dest - - src_user_id 
- - user - - user_agent - - command - - description - risk_score: 81 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml index 6ee99861d9..44e343d505 100644 --- a/detections/application/okta_mfa_exhaustion_hunt.yml +++ b/detections/application/okta_mfa_exhaustion_hunt.yml 
@@ -1,16 +1,37 @@ name: Okta MFA Exhaustion Hunt id: 97e2fe57-3740-402c-988a-76b64ce04b8d -version: 4 -date: '2024-10-17' +version: 5 +date: '2025-01-21' author: Michael Haag, Marissa Bower, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment. +description: The following analytic detects patterns of successful and failed Okta + MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta + event logs, specifically focusing on push verification events, and uses statistical + evaluations to determine suspicious activity. This activity is significant as it + may indicate an attacker attempting to bypass MFA by overwhelming the user with + push notifications. If confirmed malicious, this could lead to unauthorized access, + compromising the security of the affected accounts and potentially the entire environment. 
data_source: - Okta -search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures | eval finding="Normal authentication pattern" | eval finding=if(failures==pushes AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. 
+search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) + AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) + AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as + successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures + count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time + | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as + successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime + | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures + | eval finding="Normal authentication pattern" | eval finding=if(failures==pushes + AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) + | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | + eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple + pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may be present. Tune Okta and tune the analytic + to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning + is complete. references: - https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock - https://sec.okta.com/everythingisyes 
@@ -20,31 +41,17 @@ tags: - Okta Account Takeover - Okta MFA Exhaustion asset_type: Okta Tenant - confidence: 60 - impact: 30 - message: $user$ account has rejected multiple Okta pushes. mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - src_ip - - eventType - - status - risk_score: 18 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml index 30bfd5dfeb..5b2d38b889 100644 --- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml +++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml 
@@ -1,83 +1,87 @@ name: Okta Mismatch Between Source and Response for Verify Push Request id: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a -version: 4 -date: '2024-11-19' +version: 5 +date: '2025-01-21' author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Bhavin Patel, Splunk type: TTP status: production data_source: - Okta -description: The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor "OKTA_VERIFY_PUSH." The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems. 
-search: '`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") - | eval groupby="authenticationContext.externalSessionId" - | eval group_push_time=_time - | bin span=2s group_push_time - | fillnull value=NULL - | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time - | iplocation client.ipAddress - | fields - lat, lon, group_push_time - | stats min(_time) as _time - dc(client.ipAddress) as dc_ip - sum(eval(if(eventType="system.push.send_factor_verify_push" AND $outcome.result$="SUCCESS", 1, 0))) as total_pushes - sum(eval(if(eventType="user.authentication.auth_via_mfa" AND $outcome.result$="SUCCESS", 1, 0))) as total_successes - sum(eval(if(eventType="user.authentication.auth_via_mfa" AND $outcome.result$="FAILURE", 1, 0))) as total_rejected - sum(eval(if(eventType="system.push.send_factor_verify_push" AND $debugContext.debugData.behaviors$ LIKE "%New Device=POSITIVE%", 1, 0))) as suspect_device_from_source - sum(eval(if(eventType="system.push.send_factor_verify_push" AND $debugContext.debugData.behaviors$ LIKE "%New IP=POSITIVE%", 1, 0))) as suspect_ip_from_source - values(eval(if(eventType="system.push.send_factor_verify_push", $client.ipAddress$, ""))) as src - values(eval(if(eventType="user.authentication.auth_via_mfa", $client.ipAddress$, ""))) as dest - values(*) as * by authenticationContext.externalSessionId - | eval ratio = round(total_successes / total_pushes, 2) - | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 |rename actor.alternateId as user | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`' -how_to_implement: The analytic 
leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. +description: The following analytic identifies discrepancies between the source and + response events for Okta Verify Push requests, indicating potential suspicious behavior. + It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` + and `user.authentication.auth_via_mfa` with the factor "OKTA_VERIFY_PUSH." The detection + groups events by SessionID, calculates the ratio of successful sign-ins to push + requests, and checks for session roaming and new device/IP usage. This activity + is significant as it may indicate push spam or unauthorized access attempts. If + confirmed malicious, attackers could bypass MFA, leading to unauthorized access + to sensitive systems. +search: '`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN + (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") + | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time + | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time + by authenticationContext.externalSessionId eventType debugContext.debugData.factor + outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent + debugContext.debugData.behaviors group_push_time | iplocation client.ipAddress | + fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) + as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND $outcome.result$="SUCCESS", + 1, 0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" + AND $outcome.result$="SUCCESS", 1, 0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" + AND 
$outcome.result$="FAILURE", 1, 0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" + AND $debugContext.debugData.behaviors$ LIKE "%New Device=POSITIVE%", 1, 0))) as + suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" + AND $debugContext.debugData.behaviors$ LIKE "%New IP=POSITIVE%", 1, 0))) as suspect_ip_from_source + values(eval(if(eventType="system.push.send_factor_verify_push", $client.ipAddress$, + ""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa", $client.ipAddress$, + ""))) as dest values(*) as * by authenticationContext.externalSessionId | eval ratio + = round(total_successes / total_pushes, 2) | search ((ratio < 0.5 AND total_pushes + > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND + suspect_ip_from_source > 0 |rename actor.alternateId as user | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may be present based on organization size and + configuration of Okta. Monitor, tune and filter as needed. 
drilldown_searches: - name: View the detection results for - "$user$" search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ references: - https://attack.mitre.org/techniques/T1621 - https://splunkbase.splunk.com/app/6553 +rba: + message: A mismatch between source and response for verifying a push request has + occurred for $user$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Okta Account Takeover - Okta MFA Exhaustion asset_type: Okta Tenant - confidence: 80 - impact: 80 - message: A mismatch between source and response for verifying a push request has occurred for $user$ mitre_attack_id: - T1621 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud 
- required_fields: - - _time - - authenticationContext.externalSessionId - - eventType - - debugContext.debugData.factor - - outcome.result - - actor.alternateId - - client.device - - client.ipAddress - - client.userAgent.rawUserAgent - - debugContext.debugData.behaviors - - group_push_time - risk_score: 64 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml index 328f02f3e7..fbef02e3e1 100644 --- a/detections/application/okta_multi_factor_authentication_disabled.yml +++ b/detections/application/okta_multi_factor_authentication_disabled.yml 
@@ -1,16 +1,30 @@ name: Okta Multi-Factor Authentication Disabled id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Mauricio Velazco, Splunk data_source: - Okta type: TTP status: production -description: The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network. -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity. +description: The following analytic identifies an attempt to disable multi-factor + authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when + the 'user.mfa.factor.deactivate' command is executed. 
This activity is significant + because disabling MFA can allow an adversary to maintain persistence within the + environment using a compromised valid account. If confirmed malicious, this action + could enable attackers to bypass additional security layers, potentially leading + to unauthorized access to sensitive information and prolonged undetected presence + in the network. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User + AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by + All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src + | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `okta_multi_factor_authentication_disabled_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: Legitimate use case may require for users to disable MFA. Filter + lightly and monitor for any unusual activity. references: - https://attack.mitre.org/techniques/T1556/ - https://splunkbase.splunk.com/app/6553 
@@ -20,46 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: MFA was disabled for User [$user$] initiated by [$src$]. Investigate further + to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 30 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 60 - impact: 50 - message: MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1556 - T1556.006 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_category - - All_Changes.action - - All_Changes.command - - All_Changes.user - - All_Changes.result - - All_Changes.src - - sourcetype - risk_score: 30 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml index c52dab5f39..4a83589bca 100644 --- a/detections/application/okta_multiple_accounts_locked_out.yml +++ b/detections/application/okta_multiple_accounts_locked_out.yml 
@@ -1,16 +1,29 @@ name: Okta Multiple Accounts Locked Out id: a511426e-184f-4de6-8711-cfd2af29d1e1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Michael Haag, Mauricio Velazco, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk. -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity. +description: The following analytic detects multiple Okta accounts being locked out + within a short period. It uses the user.account.lock event from Okta logs, aggregated + over a 5-minute window, to identify this behavior. 
This activity is significant + as it may indicate a brute force or password spraying attack, where an adversary + attempts to guess passwords, leading to account lockouts. If confirmed malicious, + this could result in potential account takeovers or unauthorized access to sensitive + Okta accounts, posing a significant security risk. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA + All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock + by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src + | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: Multiple account lockouts may be also triggered by an application + malfunction. Filter as needed, and monitor for any unusual activity. references: - https://attack.mitre.org/techniques/T1110/ - https://splunkbase.splunk.com/app/6553 
@@ -20,45 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple accounts locked out in Okta from [$src$]. Investigate further + to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 70 - impact: 70 - message: Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1110 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.change_type - - All_Changes.object_category - - All_Changes.action - - All_Changes.command - - All_Changes.result - - All_Changes.src - - sourcetype - risk_score: 49 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml index 2c8978c81a..c5659a666c 100644 --- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml 
@@ -1,16 +1,29 @@ name: Okta Multiple Failed MFA Requests For User id: 826dbaae-a1e6-4c8c-b384-d16898956e73 -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Mauricio Velazco, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems. -search: '`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity. +description: The following analytic identifies multiple failed multi-factor authentication + (MFA) requests for a single user within an Okta tenant. It triggers when more than + 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. 
+ This activity is significant as it may indicate an adversary attempting to bypass + MFA by bombarding the user with repeated authentication requests, a technique used + by threat actors like Lapsus and APT29. If confirmed malicious, this could lead + to unauthorized access, potentially compromising sensitive information and systems. +search: '`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE + debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats + count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) + as src_ip values(debugContext.debugData.factor) by _time src_user | where count + >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `okta_multiple_failed_mfa_requests_for_user_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: Multiple Failed MFA requests may also be a sign of authentication + or application issues. Filter as needed and monitor for any unusual activity. references: - https://attack.mitre.org/techniques/T1621/ drilldown_searches: 
@@ -19,44 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$ + risk_objects: + - field: src_user + type: user + score: 42 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 70 - impact: 60 - message: Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$ mitre_attack_id: - T1621 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - outcome.result - - debugContext.debugData.factor - - displayMessage - - src_user - - 
src_ip - risk_score: 42 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml index 55e920f461..66af928a39 100644 --- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml +++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml 
@@ -1,16 +1,40 @@ name: Okta Multiple Failed Requests to Access Applications id: 1c21fed1-7000-4a2e-9105-5aaafa437247 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: John Murphy, Okta, Michael Haag, Splunk type: Hunting status: experimental data_source: - Okta -description: The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk. -search: '`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip(''target{}.type'', ''target{}.displayName'', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", 
mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`' -how_to_implement: This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -known_false_positives: False positives may be present based on organization size and configuration of Okta. +description: The following analytic detects multiple failed attempts to access applications + in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages + Okta logs to evaluate policy and SSO events, aggregating data by user, session, + and IP. The detection triggers when more than half of the app sign-on attempts are + unsuccessful across multiple applications. This activity is significant as it may + indicate an attempt to bypass authentication mechanisms. If confirmed malicious, + it could lead to unauthorized access to sensitive applications and data, posing + a significant security risk. 
+search: "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) + OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', + 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\"\ + ) | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"\ + policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"\ + user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId + targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats + min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) + as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) + as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) + as no_success_apps by authenticationContext.externalSessionId actor.alternateId + client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), + severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\"\ + . \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \"\ + \ chiclets/apps with \" . total_successes . \" challenges successfully passed\" + | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`" +how_to_implement: This analytic is specific to Okta and requires Okta:im2 logs to + be ingested. +known_false_positives: False positives may be present based on organization size and + configuration of Okta. references: - https://attack.mitre.org/techniques/T1538 - https://attack.mitre.org/techniques/T1550/004 
@@ -18,27 +42,11 @@ tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 70 - impact: 80 - message: Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$. mitre_attack_id: - T1550.004 - T1538 - observable: - - name: actor.alternateId - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - authenticationContext.externalSessionId - - targets - - actor.alternateId - - client.ipAddress - - eventType - risk_score: 56 security_domain: access diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml index ef0695c6d9..ba4d1413d8 100644 --- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml 
@@ -1,16 +1,31 @@ name: Okta Multiple Users Failing To Authenticate From Ip id: de365ffa-42f5-46b5-b43f-fa72290b8218 -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Michael Haag, Mauricio Velazco, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic identifies instances where more than 10 unique user accounts have failed to authenticate from a single IP address within a 5-minute window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches. -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action="failure" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. 
+description: The following analytic identifies instances where more than 10 unique + user accounts have failed to authenticate from a single IP address within a 5-minute + window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk + Add-on for Okta Identity Cloud. Such activity is significant as it may indicate + brute-force attacks or password spraying attempts. If confirmed malicious, this + behavior suggests an external entity is attempting to compromise multiple user accounts, + potentially leading to unauthorized access to organizational resources and data + breaches. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) + as signature values(Authentication.user) as user values(Authentication.app) as app + values(Authentication.authentication_method) as authentication_method from datamodel=Authentication + where Authentication.action="failure" AND Authentication.signature=user.session.start + by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: A source Ip failing to authenticate with multiple users in + a short period of time is not common legitimate behavior. references: - https://attack.mitre.org/techniques/T1110/003/ - https://splunkbase.splunk.com/app/6553 
@@ -20,45 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple users failing to authenticate from a single source IP Address + - [$src$]. Investigate further to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 54 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 90 - impact: 60 - message: Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1110.003 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.user - - Authentication.signature - - Authentication.user - - Authentication.app - - Authentication.authentication_method - - Authentication.action - - Authentication.src - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml index efc52c59fb..7a8e0e78e3 100644 --- a/detections/application/okta_new_api_token_created.yml +++ b/detections/application/okta_new_api_token_created.yml 
@@ -1,16 +1,29 @@ name: Okta New API Token Created id: c3d22720-35d3-4da4-bd0a-740d37192bd4 -version: 5 -date: '2024-09-30' +version: 6 +date: '2025-01-21' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment. +description: The following analytic detects the creation of a new API token within + an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity + Cloud to identify events where the `system.api_token.create` command is executed. + This activity is significant because creating a new API token can indicate potential + account takeover attempts or unauthorized access, allowing an adversary to maintain + persistence. If confirmed malicious, this could enable attackers to execute API + calls, access sensitive data, and perform administrative actions within the Okta + environment. 
data_source: - Okta -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create + by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype + All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may be present. Tune Okta and tune the analytic + to ensure proper fidelity. Modify risk score as needed. references: - https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected - https://splunkbase.splunk.com/app/6553 
@@ -20,46 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new API token was created in Okta by [$user$]. Investigate further to + determine if this was authorized. + risk_objects: + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 80 - impact: 80 - message: A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1078 - T1078.001 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - signature - - eventType - - displayMessage - - client.device - - city - - state - - country - - user_agent - - outcome.reason - - outcome.result - - severity - risk_score: 64 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml index f22e0a0020..a95db4b8ce 100644 --- a/detections/application/okta_new_device_enrolled_on_account.yml +++ b/detections/application/okta_new_device_enrolled_on_account.yml 
@@ -1,16 +1,29 @@ name: Okta New Device Enrolled on Account id: bb27cbce-d4de-432c-932f-2e206e9130fb -version: 5 -date: '2024-09-30' +version: 6 +date: '2025-01-21' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts. +description: The following analytic identifies when a new device is enrolled on an + Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity + Cloud to detect the creation of new device enrollments. This activity is significant + as it may indicate a legitimate user setting up a new device or an adversary adding + a device to maintain unauthorized access. If confirmed malicious, this could lead + to potential account takeover, unauthorized access, and persistent control over + the compromised Okta account. Monitoring this behavior is crucial for detecting + and mitigating unauthorized access attempts. 
data_source: - Okta -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: It is possible that the user has legitimately added a new device to their account. Please verify this activity. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create + by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype + All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: It is possible that the user has legitimately added a new device + to their account. Please verify this activity. references: - https://attack.mitre.org/techniques/T1098/005/ - https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create 
@@ -20,42 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new device was enrolled on an Okta account for user [$user$]. Investigate + further to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 24 + threat_objects: [] tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 60 - impact: 40 - message: A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1098 - T1098.005 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - displayMessage - - user - - eventType - - client.userAgent.rawUserAgent - - client.userAgent.browser - - client.geographicalContext.city - - client.geographicalContext.country - risk_score: 24 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml index 65f1958031..8171b96c75 100644 --- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml +++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml 
@@ -1,44 +1,48 @@ name: Okta Phishing Detection with FastPass Origin Check id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: Okta, Inc, Michael Haag, Splunk type: TTP status: experimental data_source: - Okta -description: The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization. -search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`' -how_to_implement: This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed. +description: The following analytic identifies failed user authentication attempts + in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically + looking for events where multi-factor authentication (MFA) fails with the reason + "FastPass declined phishing attempt." 
This activity is significant as it indicates + that attackers are targeting users with real-time phishing proxies, attempting to + capture credentials. If confirmed malicious, this could lead to unauthorized access + to user accounts, potentially compromising sensitive information and furthering + lateral movement within the organization. +search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" + AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) + as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent + client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`' +how_to_implement: This search is specific to Okta and requires Okta logs to be ingested + in your Splunk deployment. +known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. + Filter and modify as needed. references: - https://sec.okta.com/fastpassphishingdetection +rba: + message: Okta FastPass has prevented $user$ from authenticating to a malicious site. + risk_objects: + - field: user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Okta Account Takeover asset_type: Infrastructure - confidence: 100 - impact: 100 - message: Okta FastPass has prevented $user$ from authenticating to a malicious site. mitre_attack_id: - T1078 - T1078.001 - T1556 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - client.userAgent.rawUserAgent - - client.userAgent.browser - - outcome.reason - - displayMessage - risk_score: 100 security_domain: access diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml index c360e4a827..f96b59ed7a 100644 
--- a/detections/application/okta_risk_threshold_exceeded.yml +++ b/detections/application/okta_risk_threshold_exceeded.yml 
@@ -1,16 +1,39 @@ name: Okta Risk Threshold Exceeded id: d8b967dd-657f-4d88-93b5-c588bcd7218c -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Michael Haag, Bhavin Patel, Splunk status: production type: Correlation -description: The following correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities. It leverages the Risk Framework from Enterprise Security, aggregating risk events from "Suspicious Okta Activity," "Okta Account Takeover," and "Okta MFA Exhaustion" analytic stories. This detection is significant as it highlights potentially compromised user accounts exhibiting multiple tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed malicious, this activity could indicate a serious security breach, allowing attackers to gain unauthorized access, escalate privileges, or persist within the environment. +description: The following correlation identifies when a user exceeds a risk threshold + based on multiple suspicious Okta activities. It leverages the Risk Framework from + Enterprise Security, aggregating risk events from "Suspicious Okta Activity," "Okta + Account Takeover," and "Okta MFA Exhaustion" analytic stories. This detection is + significant as it highlights potentially compromised user accounts exhibiting multiple + tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed + malicious, this activity could indicate a serious security breach, allowing attackers + to gain unauthorized access, escalate privileges, or persist within the environment. 
data_source: - Okta -search: '| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`' -how_to_implement: This search leverages the Risk Framework from Enterprise Security. Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. -known_false_positives: False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization. 
+search: '| tstats `security_content_summariesonly` values(All_Risk.analyticstories) + as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type + = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta + MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` + | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`' +how_to_implement: This search leverages the Risk Framework from Enterprise Security. + Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" + analytic stories are enabled. TTPs may be set to finding for point detections; + anomalies should not be findings but rather intermediate findings. The correlation relies + on intermediate findings before generating a findings. Modify the value as needed. +known_false_positives: False positives will be limited to the number of events generated + by the analytics tied to the stories. Analytics will need to be tested and tuned, + and the risk score reduced as needed based on the organization. references: - https://developer.okta.com/docs/reference/api/event-types - https://sec.okta.com/everythingisyes 
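Review bot: the rewritten how_to_implement has a grammar slip and a vague threshold reference. "before generating a findings" should read "before generating a finding", and "TTPs may be set to finding" should be "set to findings"; "Modify the value as needed" does not say which value, so name the `search mitre_technique_id_count > 5` threshold that the search applies. One style point on the reflowed search: a line break now falls inside the quoted literal, between `"Okta` and `MFA Exhaustion")`. YAML folds it back to `"Okta MFA Exhaustion"`, so the search is unchanged, but keeping each quoted string literal on one line avoids a break that is easy to misread as a change in what the IN() clause matches.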
@@ -20,7 +43,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -29,35 +57,18 @@ tags: - Okta MFA Exhaustion - Suspicious Okta Activity asset_type: Okta Tenant - confidence: 80 - impact: 70 - message: Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized. mitre_attack_id: - T1078 - T1110 - observable: - - name: risk_object - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Risk.risk_object - - All_Risk.risk_object_type - - All_Risk.analyticstories - - All_Risk.calculated_risk_score - - All_Risk.annotations.mitre_attack.mitre_tactic_id - - All_Risk.annotations.mitre_attack.mitre_technique_id - - All_Risk.tag - - _time - risk_score: 56 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.log source: risk_data sourcetype: stash diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml index fa763224c2..1c0f03def8 100644 --- a/detections/application/okta_successful_single_factor_authentication.yml +++ b/detections/application/okta_successful_single_factor_authentication.yml 
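Review bot: the tags block loses `message`, `risk_score: 56` and the `observable` entry but, unlike every other detection in this patch, no `rba:` section is added in their place. If correlations (`type: Correlation`) are intentionally exempt from risk-based alerting under the new schema this is fine, but please confirm, since the dropped message ("Okta Risk threshold exceeded for user [$risk_object$]. Investigate further...") was the only text an analyst sees on the finding. Also, the `- data:` URL is moved onto a continuation line; YAML folds the plain scalar so it still resolves, but a single line is easier to grep and copy.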
@@ -1,16 +1,30 @@ name: Okta Successful Single Factor Authentication id: 98f6ad4f-4325-4096-9d69-45dc8e638e82 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where "Okta Verify" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment. -search: '`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !="Okta Verify" | `okta_successful_single_factor_authentication_filter`' -how_to_implement: This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary. +description: The following analytic identifies successful single-factor authentication + events against the Okta Dashboard for accounts without Multi-Factor Authentication + (MFA) enabled. 
It detects this activity by analyzing Okta logs for successful authentication + events where "Okta Verify" is not used. This behavior is significant as it may indicate + a misconfiguration, policy violation, or potential account takeover. If confirmed + malicious, an attacker could gain unauthorized access to the account, potentially + leading to data breaches or further exploitation within the environment. +search: '`okta` action=success src_user_type = User eventType = user.authentication.verify + OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) + as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) + min(_time) as firstTime max(_time) as lastTime values(authentication_method) by + src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | search targets !="Okta Verify" | `okta_successful_single_factor_authentication_filter`' +how_to_implement: This detection utilizes logs from Okta environments and requires + the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud + (https://splunkbase.splunk.com/app/6553). +known_false_positives: Although not recommended, certain users may be exempt from + multi-factor authentication. Adjust the filter as necessary. references: - https://sec.okta.com/everythingisyes - https://attack.mitre.org/techniques/T1078/004/ 
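Review bot: the search change is a pure reflow, which is good, but while the line is being touched fix the missing space before the pipe in `user.authentication.auth_via_mfa| stats`, and give `dc(eventType)` an alias (for example `as event_type_count`) so the stats output field has a proper name instead of the literal `dc(eventType)`. Every other break in the rewrapped scalar lands on whitespace, so the SPL itself is unchanged.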
@@ -20,47 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] has successfully logged in to Okta Dashboard with single + factor authentication from IP Address - [$src_ip$]. + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 60 - impact: 80 - message: A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$]. 
mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - T1621 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - tag - - action - - src_user_type - - eventType - - target{}.displayName - - debugContext.debugData.url - - authentication_method - - src_ip - - user - - _time - risk_score: 48 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log source: okta_log sourcetype: OktaIM2:log diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml index 29ac37c307..363f2487b6 100644 --- a/detections/application/okta_suspicious_activity_reported.yml +++ b/detections/application/okta_suspicious_activity_reported.yml 
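Review bot: `threat_objects: []` in the new `rba` block leaves the source address unattached even though the message interpolates `$src_ip$` and the search groups `by src_ip user action`. For consistency with okta_threatinsight_threat_detected.yml in this same patch, consider adding `- field: src_ip` / `type: ip_address` under `threat_objects`. The score of 48 matches the removed `risk_score: 48` (confidence 60 x impact 80 / 100), so that part of the conversion is correct.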
@@ -1,16 +1,31 @@ name: Okta Suspicious Activity Reported id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79 -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment. +description: The following analytic identifies when an associate reports a login attempt + as suspicious via an email from Okta. It leverages Okta Identity Management logs, + specifically the `user.account.report_suspicious_activity_by_enduser` event type. + This activity is significant as it indicates potential unauthorized access attempts, + warranting immediate investigation to prevent possible security breaches. If confirmed + malicious, the attacker could gain unauthorized access to sensitive systems and + data, leading to data theft, privilege escalation, or further compromise of the + environment. data_source: - Okta -search: '`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. 
It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities. -known_false_positives: False positives should be minimal, given the high fidelity of this detection. marker. +search: '`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats + count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user + eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, + it necessitates the activation of suspicious activity reporting and training for + associates to report such activities. +known_false_positives: False positives should be minimal, given the high fidelity + of this detection. marker. references: - https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm drilldown_searches: 
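Review bot: `known_false_positives` still ends with the stray word "marker." ("...given the high fidelity of this detection. marker."). It was in the old line too, but since the value is being rewrapped anyway, drop it here rather than carrying it into another release.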
@@ -19,42 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] reported suspicious activity in Okta. Investigate further + to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 50 - impact: 50 - message: A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1078 - T1078.001 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - displayMessage - - user - - eventType - - client.userAgent.rawUserAgent - - client.userAgent.browser - - client.geographicalContext.city - - client.geographicalContext.country - risk_score: 25 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml index ec8d918f49..cc38b599fc 100644 --- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml +++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml 
@@ -1,16 +1,33 @@ name: Okta Suspicious Use of a Session Cookie id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk type: Anomaly status: production data_source: - Okta -description: The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment. -search: '`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may occur, depending on the organization's size and the configuration of Okta. 
+description: The following analytic identifies suspicious use of a session cookie + by detecting multiple client values (IP, User Agent, etc.) changing for the same + Device Token associated with a specific user. It leverages policy evaluation events + from successful authentication logs in Okta. This activity is significant as it + may indicate an adversary attempting to reuse a stolen web session cookie, potentially + bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized + access to user accounts, leading to data breaches or further exploitation within + the environment. +search: '`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) + | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) + as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) + as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) + as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) + as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as + reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 + OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may occur, depending on the organization's + size and the configuration of Okta. references: - https://attack.mitre.org/techniques/T1539/ drilldown_searches: 
@@ -19,43 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] is attempting to use a session cookie from multiple IP + addresses or devices. Investigate further to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Suspicious Okta Activity - Okta Account Takeover asset_type: Okta Tenant - confidence: 70 - impact: 80 - message: A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1539 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - client.ipAddress - - client.userAgent.rawUserAgent - - client.userAgent.os - - client.geographicalContext.city - - client.userAgent.browser - - device.os_platform - - debugContext.debugData.dtHash - - actor.alternateId - risk_score: 56 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml index ff8e450573..04d5e1e5fe 100644 --- a/detections/application/okta_threatinsight_threat_detected.yml +++ b/detections/application/okta_threatinsight_threat_detected.yml 
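Review bot: same `threat_objects: []` question as the single-factor detection. This analytic's premise is one session token (`debugContext.debugData.dtHash`) seen from several addresses, and the search already emits `values(client.ipAddress) as src_ip`, so declaring `src_ip` as an `ip_address` threat object would let the framework correlate those addresses across findings; note the field is multivalue here. Dropping `actor.alternateId` from `required_fields` is harmless because the search uses `user`, not that field, and score 56 equals the removed `risk_score: 56`.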
@@ -1,16 +1,30 @@ name: Okta ThreatInsight Threat Detected id: 140504ae-5fe2-4d65-b2bc-a211813fbca6 -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Michael Haag, Mauricio Velazco, Splunk status: production type: Anomaly -description: The following analytic identifies threats detected by Okta ThreatInsight, such as password spraying, login failures, and high counts of unknown user login attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected events. This activity is significant for a SOC as it highlights potential unauthorized access attempts and credential-based attacks. If confirmed malicious, these activities could lead to unauthorized access, data breaches, and further exploitation of compromised accounts, posing a significant risk to the organization's security posture. +description: The following analytic identifies threats detected by Okta ThreatInsight, + such as password spraying, login failures, and high counts of unknown user login + attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected + events. This activity is significant for a SOC as it highlights potential unauthorized + access attempts and credential-based attacks. If confirmed malicious, these activities + could lead to unauthorized access, data breaches, and further exploitation of compromised + accounts, posing a significant risk to the organization's security posture. 
data_source: - Okta -search: '`okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. +search: '`okta` eventType = security.threat.detected | rename client.geographicalContext.country + as country, client.geographicalContext.state as state, client.geographicalContext.city + as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip + signature eventType displayMessage client.device city state country user_agent outcome.reason + outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `okta_threatinsight_threat_detected_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may occur. It is recommended to fine-tune Okta + settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. references: - https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected drilldown_searches: 
@@ -19,50 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$app$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The following $src_ip$ has been identified as a threat by Okta ThreatInsight. + Investigate further to determine if this was authorized. + risk_objects: + - field: app + type: system + score: 25 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Infrastructure - confidence: 50 - impact: 50 - message: The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1078 - T1078.004 - observable: - - name: app - type: Endpoint - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - signature - - eventType - - displayMessage - - client.device - - city - - state - - country - - user_agent - - outcome.reason - - outcome.result - - severity - risk_score: 25 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml index b0c9aa46ea..eb6bafb02b 100644 --- a/detections/application/okta_unauthorized_access_to_application.yml +++ b/detections/application/okta_unauthorized_access_to_application.yml 
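Review bot: the risk object type for `app` changes from `Endpoint` (old `observable`) to `system` in the new `rba` block; confirm `system` is the intended mapping rather than a default, since `app` here is the Okta application name from the event, not a host. The message "The following $src_ip$ has been identified as a threat" reads better as "The following IP address [$src_ip$] has been identified as a threat", which also matches the bracket style used by the other rba messages in this patch.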
@@ -1,16 +1,31 @@ name: Okta Unauthorized Access to Application id: 5f661629-9750-4cb9-897c-1f05d6db8727 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment. -search: '| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure" by _time Authentication.src Authentication.user | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates. +description: The following analytic identifies attempts by users to access Okta applications + that have not been assigned to them. 
It leverages Okta Identity Management logs, + specifically focusing on failed access attempts to unassigned applications. This + activity is significant for a SOC as it may indicate potential unauthorized access + attempts, which could lead to exposure of sensitive information or disruption of + services. If confirmed malicious, such activity could result in data breaches, non-compliance + with data protection laws, and overall compromise of the IT environment. +search: '| tstats values(Authentication.app) as app values(Authentication.action) + as action values(Authentication.user) as user values(Authentication.reason) as reason + from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt + Authentication.action="failure" by _time Authentication.src Authentication.user + | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: There is a possibility that a user may accidentally click on + the wrong application, which could trigger this event. It is advisable to verify + the location from which this activity originates. references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: 
@@ -19,46 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] is attempting to access an unauthorized application from + IP Address - [$src$] + risk_objects: + - field: user + type: user + score: 81 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 90 - impact: 90 - message: A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$] mitre_attack_id: - T1087.004 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.app - - Authentication.action - - Authentication.user - - 
Authentication.reason - - Authentication.dest - - Authentication.signature - - Authentication.method - - Authentication.src - risk_score: 81 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml index 49a48a1e63..46695a6647 100644 --- a/detections/application/okta_user_logins_from_multiple_cities.yml +++ b/detections/application/okta_user_logins_from_multiple_cities.yml 
@@ -1,16 +1,35 @@ name: Okta User Logins from Multiple Cities id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Bhavin Patel, Splunk data_source: - Okta type: Anomaly status: production -description: The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment. -search: '| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). 
-known_false_positives: It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive. +description: The following analytic identifies instances where the same Okta user + logs in from different cities within a 24-hour period. This detection leverages + Okta Identity Management logs, analyzing login events and their geographic locations. + Such behavior is significant as it may indicate a compromised account, with an attacker + attempting unauthorized access from multiple locations. If confirmed malicious, + this activity could lead to account takeovers and data breaches, allowing attackers + to access sensitive information and potentially escalate their privileges within + the environment. +search: '| tstats `security_content_summariesonly` values(Authentication.app) as + app values(Authentication.action) as action values(Authentication.user) as user + values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) + as signature values(Authentication.method) as method from datamodel=Authentication + where Authentication.signature=user.session.start by _time Authentication.src | + `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as + firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city + values(src) as src values(City) as City values(Country) as Country values(action) + as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: It is uncommon for a user to log in from multiple cities simultaneously, + which may indicate a false positive. 
references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: 
@@ -19,46 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user [$user$] has logged in from multiple cities [$City$] from IP Address + - [$src$]. Investigate further to determine if this was authorized. + risk_objects: + - field: user + type: user + score: 81 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Okta Account Takeover asset_type: Okta Tenant - confidence: 90 - impact: 90 - message: A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized. 
mitre_attack_id: - T1586.003 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.app - - Authentication.action - - Authentication.user - - Authentication.reason - - Authentication.dest - - Authentication.signature - - Authentication.method - - Authentication.src - risk_score: 81 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml index 6efe1f2075..17e059d927 100644 --- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml +++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml 
@@ -1,16 +1,42 @@ name: PingID Mismatch Auth Source and Verification Response id: 15b0694e-caa2-4009-8d83-a1f98b86d086 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-21' author: Steven Dick status: production type: TTP -description: The following analytic identifies discrepancies between the IP address of an authentication event and the IP address of the verification response event, focusing on differences in the originating countries. It leverages JSON logs from PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity is significant as it may indicate suspicious sign-in behavior, such as account compromise or unauthorized access attempts. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive systems and data. +description: The following analytic identifies discrepancies between the IP address + of an authentication event and the IP address of the verification response event, + focusing on differences in the originating countries. It leverages JSON logs from + PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity + is significant as it may indicate suspicious sign-in behavior, such as account compromise + or unauthorized access attempts. If confirmed malicious, this could allow attackers + to bypass authentication mechanisms, potentially leading to unauthorized access + to sensitive systems and data. 
data_source: - PingID -search: '`pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" IN ("*pair*","*create*","*delete*")) | eval user = upper(''actors{}.name''), session_id = ''resources{}.websession'', dest = ''resources{}.ipaddress'', reason = ''result.message'', object = ''resources{}.devicemodel'', status = ''result.status'' | join user session_id [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*") | rex field=result.message "IP Address: (?:N\/A)?(?.+)?\n" | rex field=result.message "Action: (?:N\/A)?(?.+)?\n" | rex field=result.message "Requested Application Name: (?:N\/A)?(?.+)?\n" | rex field=result.message "Requested Application ID: (?:N\/A)?(?.+)?\n" | eval user = upper(''actors{}.name''), session_id = ''resources{}.websession'', src = coalesce(''resources{}.ipaddress'',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`' -how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by users working out the geographic region where the organizations services or technology is hosted. 
+search: "`pingid` (\"result.status\" IN (\"SUCCESS*\",\"FAIL*\",\"UNSUCCESSFUL*\" + ) NOT \"result.message\" IN (\"*pair*\",\"*create*\",\"*delete*\")) | eval user + = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', + reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' + | join user session_id [ search `pingid` (\"result.status\" IN (\"POLICY\") AND + \"resources{}.ipaddress\"=*) AND \"result.message\" IN(\"*Action: Authenticate*\"\ + ,\"*Action: Approve*\",\"*Action: Allowed*\") | rex field=result.message \"IP Address: + (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Action: (?:N\\\ + /A)?(?.+)?\\n\" | rex field=result.message \"Requested Application Name: + (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \" + Requested Application ID: (?:N\\/A)?(?.+)?\\n\" | eval + user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), + app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, + user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ + src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as + app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, + object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`" +how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) + enterprise environment, either via Webhook or Push Subscription. +known_false_positives: False positives may be generated by users working out the geographic + region where the organizations services or technology is hosted. references: - https://twitter.com/jhencinski/status/1618660062352007174 - https://attack.mitre.org/techniques/T1098/005/ 
@@ -22,51 +48,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as + lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" + values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" + values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An authentication by [$user$] was detected from [$dest$ - $auth_Country$] + and the verification was received from [$src$ - $verify_Country$]. + risk_objects: + - field: user + type: user + score: 25 + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Compromised User Account asset_type: Identity - confidence: 50 - impact: 50 - message: An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$]. 
mitre_attack_id: - T1621 - T1556.006 - T1098.005 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Victim - - name: object - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - resources{}.ipaddress - - actors{}.name - - result.message - - resources{}.devicemodel - - result.status - - resources{}.websession - risk_score: 25 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json - update_timestamp: true diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml index d00607d0bf..cc54651de5 100644 --- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml 
@@ -1,16 +1,29 @@ name: PingID Multiple Failed MFA Requests For User id: c1bc706a-0025-4814-ad30-288f38865036 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Steven Dick status: production type: TTP -description: The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network. +description: The following analytic identifies multiple failed multi-factor authentication + (MFA) requests for a single user within a PingID environment. It triggers when 10 + or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity + is significant as it may indicate an adversary attempting to bypass MFA by bombarding + the user with repeated authentication requests. If confirmed malicious, this could + lead to unauthorized access, as the user might eventually accept the fraudulent + request, compromising the security of the account and potentially the entire network. 
data_source: - PingID -search: '`pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT") | eval time = _time, src = coalesce(''resources{}.ipaddress'',''resources{}.devicemodel''), user = upper(''actors{}.name''), object = ''resources{}.devicemodel'', reason = ''result.message''| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by normal provisioning workflows for user device registration. +search: "`pingid` \"result.status\" IN (\"FAILURE,authFail\",\"UNSUCCESSFUL_ATTEMPT\"\ + ) | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), + user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| + bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) + as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`" +how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) + enterprise environment, either via Webhook or Push Subscription. +known_false_positives: False positives may be generated by normal provisioning workflows + for user device registration. references: - https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/ - https://attack.mitre.org/techniques/T1621/ 
@@ -23,41 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ + and $lastTime$. + risk_objects: + - field: user + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Compromised User Account asset_type: Identity - confidence: 50 - impact: 100 - message: Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$. 
mitre_attack_id: - T1621 - T1078 - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - resources{}.ipaddress - - actors{}.name - - result.message - - resources{}.devicemodel - - result.status - risk_score: 50 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml index 1acd9b572e..b8edaa08af 100644 --- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml +++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml 
@@ -1,16 +1,38 @@ name: PingID New MFA Method After Credential Reset id: 2fcbce12-cffa-4c84-b70c-192604d201d0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Steven Dick status: production type: TTP -description: The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures. +description: The following analytic identifies the provisioning of a new MFA device + shortly after a password reset. It detects this activity by correlating Windows + Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating + device pairing. This behavior is significant as it may indicate a social engineering + attack where a threat actor impersonates a valid user to reset credentials and add + a new MFA device. If confirmed malicious, this activity could allow an attacker + to gain persistent access to the compromised account, bypassing traditional security + measures. 
data_source: - PingID -search: '`pingid` "result.message" = "*Device Paired*" | rex field=result.message "Device (Unp)?(P)?aired (?.+)" | eval src = coalesce(''resources{}.ipaddress'',''resources{}.devicemodel''), user = upper(''actors{}.name''), reason = ''result.message'' | eval object=CASE(ISNOTNULL(''resources{}.devicemodel''),''resources{}.devicemodel'',true(),device_extract) | eval action=CASE(match(''result.message'',"Device Paired*"),"created",match(''result.message'', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`' -how_to_implement: Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration. 
+search: "`pingid` \"result.message\" = \"*Device Paired*\" | rex field=result.message + \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), + user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) + | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', + \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) + as lastTime, values(reason) as reason by src,user,action,object | join type=outer + user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time + = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval + timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) + ,\"duration\"),\"(\\d*)\\+*(\\d+):(\\d+):(\\d+)\",\"\\2 hours \\3 minutes\") | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` + | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`" +how_to_implement: Target environment must ingest Windows Event Log and PingID(PingOne) + data sources. Specifically from logs from Active Directory Domain Controllers and + JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or + Push Subscription. +known_false_positives: False positives may be generated by normal provisioning workflows + that generate a password reset followed by a device registration. references: - https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677 - https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/ 
@@ -23,51 +45,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An MFA configuration change was detected for [$user$] within [$timeDiff$] + of a password reset. The device [$object$] was $action$. + risk_objects: + - field: user + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Compromised User Account asset_type: Identity - confidence: 50 - impact: 100 - message: An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$. 
mitre_attack_id: - T1621 - T1556.006 - T1098.005 - observable: - - name: user - type: User - role: - - Victim - - name: object - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - src_user - - src - - EventID - - resources{}.ipaddress - - actors{}.name - - result.message - - resources{}.devicemodel - risk_score: 50 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml index addf5d57bd..0547d0d3b2 100644 --- a/detections/application/pingid_new_mfa_method_registered_for_user.yml +++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml 
@@ -1,16 +1,31 @@ name: PingID New MFA Method Registered For User id: 892dfeaf-461d-4a78-aac8-b07e185c9bce -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Steven Dick status: production type: TTP -description: The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment. +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs + from PingID, specifically looking for successful device pairing events. This activity + is significant as adversaries who gain unauthorized access to a user account may + register a new MFA method to maintain persistence. If confirmed malicious, this + could allow attackers to bypass existing security measures, maintain long-term access, + and potentially escalate their privileges within the compromised environment. 
data_source: - PingID -search: '`pingid` "result.message"="Device Paired*" result.status="SUCCESS" | rex field=result.message "Device (Unp)?(P)?aired (?.+)" | eval src = coalesce(''resources{}.ipaddress'',''resources{}.devicemodel''), user = upper(''actors{}.name''), reason = ''result.message'' | eval object=CASE(ISNOTNULL(''resources{}.devicemodel''),''resources{}.devicemodel'',true(),device_extract) | eval action=CASE(match(''result.message'',"Device Paired*"),"created",match(''result.message'', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`' -how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by normal provisioning workflows for user device registration. +search: "`pingid` \"result.message\"=\"Device Paired*\" result.status=\"SUCCESS\"\ + \ | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" + | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = + upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) + | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', + \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) + as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`" +how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) + enterprise environment, either via Webhook or Push Subscription. 
+known_false_positives: False positives may be generated by normal provisioning workflows + for user device registration. references: - https://twitter.com/jhencinski/status/1618660062352007174 - https://attack.mitre.org/techniques/T1098/005/ 
@@ -22,50 +37,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as + lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" + values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" + values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An MFA configuration change was detected for [$user$], the device [$object$] + was $action$. + risk_objects: + - field: user + type: user + score: 10 + - field: src + type: system + score: 10 + threat_objects: [] tags: analytic_story: - Compromised User Account asset_type: Identity - confidence: 50 - impact: 20 - message: An MFA configuration change was detected for [$user$], the device [$object$] was $action$. 
mitre_attack_id: - T1621 - T1556.006 - T1098.005 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Victim - - name: object - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - resources{}.ipaddress - - actors{}.name - - result.message - - resources{}.devicemodel - - result.status - risk_score: 10 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json - update_timestamp: true diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml index fd986ae658..3a44f76bfa 100644 --- a/detections/application/suspicious_email_attachment_extensions.yml +++ b/detections/application/suspicious_email_attachment_extensions.yml 
@@ -1,20 +1,44 @@ name: Suspicious Email Attachment Extensions id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084 -version: 5 -date: '2024-10-17' +version: 6 +date: '2025-01-21' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks. +description: The following analytic detects emails containing attachments with suspicious + file extensions. It leverages the Email data model in Splunk, using the tstats command + to identify emails where the attachment filename is not empty. This detection is + significant for SOC analysts as it highlights potential phishing or malware delivery + attempts, which are common vectors for data breaches and malware infections. If + confirmed malicious, this activity could lead to unauthorized access to sensitive + information, system compromise, or data exfiltration. Immediate review and analysis + of the identified emails and attachments are crucial to mitigate these risks. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`' -how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s address and the file names of any attachments must be mapped to the Email data model. - - **Splunk Phantom Playbook Integration** - - If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.''' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, + All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` + | `suspicious_email_attachment_extensions_filter`' +how_to_implement: "You need to ingest data from emails. 
Specifically, the sender's + address and the file names of any attachments must be mapped to the Email data model.\n + **Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in + your environment, a Playbook called \"Suspicious Email Attachment Investigate and + Delete\" can be configured to run when any results are found by this detection search. + To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, + and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response + Actions when configuring this detection search. The finding event will be sent to + Phantom and the playbook will gather further information about the file attachment + and its network behaviors. If Phantom finds malicious behavior and an analyst approves + of the results, the email will be deleted from the user's inbox.'" known_false_positives: None identified references: [] +rba: + message: Suspicious attachment from $src_user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Data Destruction @@ -22,25 +46,11 @@ tags: - Hermetic Wiper - Suspicious Emails asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1566.001 - T1566 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Email.file_name - - All_Email.src_user - - All_Email.message_id - risk_score: 25 security_domain: network diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml index b918ceb4d0..d97372c093 100644 --- a/detections/application/suspicious_java_classes.yml +++ b/detections/application/suspicious_java_classes.yml 
@@ -1,45 +1,46 @@ name: Suspicious Java Classes id: 6ed33786-5e87-4f55-b62c-cb5f1168b831 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: Jose Hernandez, Splunk status: experimental type: Anomaly -description: The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. +description: The following analytic identifies suspicious Java classes often used + for remote command execution exploits in Java frameworks like Apache Struts. It + detects this activity by analyzing HTTP POST requests with specific content patterns + using Splunk's `stream_http` data source. This behavior is significant because it + may indicate an attempt to exploit vulnerabilities in web applications, potentially + leading to unauthorized remote code execution. If confirmed malicious, this activity + could allow attackers to execute arbitrary commands on the server, leading to data + breaches, system compromise, and further network infiltration. 
data_source: [] -search: '`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. +search: '`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" + | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) + as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) + as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `suspicious_java_classes_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data + from your web-traffic appliances that serve or sit in the path of your Struts application + servers. This can be accomplished by indexing data from a web proxy, or by using + network traffic-analysis tools, such as Splunk Stream or Bro. known_false_positives: There are no known false positives. 
references: [] +rba: + message: Suspicious Java Classes in HTTP requests involving $src$ and $dest$ + risk_objects: + - field: src + type: system + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Apache Struts Vulnerability asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_method - - http_content_length - - src_ip - - url - - status - - http_user_agent - - src - - dest - risk_score: 25 security_domain: threat diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml index 8c79f797d2..728ef8c11c 100644 --- a/detections/application/web_servers_executing_suspicious_processes.yml +++ b/detections/application/web_servers_executing_suspicious_processes.yml 
@@ -1,45 +1,56 @@ name: Web Servers Executing Suspicious Processes id: ec3b7601-689a-4463-94e0-c9f45638efb9 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: David Dorsey, Splunk status: experimental type: TTP -description: The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats. +description: The following analytic detects the execution of suspicious processes + on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" + to search for specific process names such as "whoami", "ping", "iptables", "wget", + "service", and "curl". This activity is significant because these processes are + often used by attackers for reconnaissance, persistence, or data exfiltration. If + confirmed malicious, this could lead to data theft, deployment of additional malware, + or even ransomware attacks. Immediate investigation is required to determine the + legitimacy of the activity and mitigate potential threats. 
data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" + AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" + OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") + by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some of these processes may be used legitimately on web servers + during maintenance or other administrative tasks. 
references: [] +rba: + message: Suspicious Processes observed on web server $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Apache Struts Vulnerability asset_type: Web Server - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1082 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest_category - - Processes.process - - Processes.process_name - - Processes.dest - - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml index f07ffac090..898b7fbfb8 100644 --- a/detections/application/windows_ad_add_self_to_group.yml +++ b/detections/application/windows_ad_add_self_to_group.yml 
@@ -1,14 +1,22 @@ name: Windows AD add Self to Group id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Event Log Security 4728 -description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data. -search: '`wineventlog_security` EventCode IN (4728) | where user=src_user | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user | `windows_ad_add_self_to_group_filter`' +description: This analytic detects instances where a user adds themselves to an Active + Directory (AD) group. This activity is a common indicator of privilege escalation, + where a user attempts to gain unauthorized access to higher privileges or sensitive + resources. By monitoring AD logs, this detection identifies such suspicious behavior, + which could be part of a larger attack strategy aimed at compromising critical systems + and data. +search: '`wineventlog_security` EventCode IN (4728) | where user=src_user | stats + min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) + as user_category values(src_user_category) as src_user_category values(dvc) as dvc + by signature, Group_Name, src_user | `windows_ad_add_self_to_group_filter`' how_to_implement: This analytic requires eventCode 4728 to be ingested. known_false_positives: Unknown references: [] 
@@ -18,40 +26,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $user$ added themselves to AD Group $Group_Name$ + risk_objects: + - field: user + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 50 - message: $user$ added themselves to AD Group $Group_Name$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 - required_fields: - - EventCode - - user - - src_user - - signature - - Group_Name security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml index 0ba903b988..40076288f5 100644 --- a/detections/application/windows_ad_dangerous_deny_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_deny_acl_modification.yml 
@@ -1,15 +1,46 @@ name: Windows AD Dangerous Deny ACL Modification id: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object. -search: '`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full 
control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | search aceType IN ("Access denied",D) AND aceAccessRights IN ("Full control","Read permissions",RC) | `windows_ad_dangerous_deny_acl_modification_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: This detection identifies an Active Directory access-control list (ACL) + modification event, which applies permissions that deny the ability to enumerate + permissions of the object. 
+search: "`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType==\"\ + %%14675\",AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\"\ + ,AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass + ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 + \"\\((?P.*?)\\)\" | rex field=new_value max_match=10000 \"\\((?P.*?)\\\ + )\" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace + \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup + flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution + lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName + as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | + lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name + as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,\"\ + This object only\"), aceAccessRights=if(aceAccessRights=\"CCDCLCSWRPWPDTLOCRSDRCWDWO\"\ + ,\"Full control\",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), + user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType + values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) + as aceInheritedTypeGuid by 
_time ObjectClass ObjectDN src_user SubjectLogonId user + OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | search + aceType IN (\"Access denied\",D) AND aceAccessRights IN (\"Full control\",\"Read + permissions\",RC) | `windows_ad_dangerous_deny_acl_modification_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: None. references: - https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54 
@@ -21,49 +52,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ + $aceAccessRights$ to $ObjectDN$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ $aceAccessRights$ to $ObjectDN$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
risk_score: 100 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml index 9f496117de..c6bffd639e 100644 --- a/detections/application/windows_ad_dangerous_group_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_group_acl_modification.yml 
@@ -1,15 +1,54 @@ name: Windows AD Dangerous Group ACL Modification id: 59b0fc85-7a0d-4585-97ec-06a382801990 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: 'This detection monitors the addition of the following ACLs to an Active Directory group object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify permissions", "Modify owner", and "Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.' -search: '`wineventlog_security` EventCode=5136 ObjectClass=group | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup 
builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceInheritance=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=if((ControlAccessRights="Write member" OR aceObjectGuid="bf9679c0-0de6-11d0-a285-00aa003049e2") AND (aceAccessRights="All validated writes" OR AccessRights="SW"),"Add/remove self as member",coalesce(ControlAccessRights,aceObjectGuid)), user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | search NOT aceType IN ("*denied*","D","OD","XD") AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP) | `windows_ad_dangerous_group_acl_modification_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
+description: 'This detection monitors the addition of the following ACLs to an Active + Directory group object: "Full control", "All extended rights", "All validated writes", "Create + all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify + permissions", "Modify owner", and "Write all properties". Such modifications can + indicate potential privilege escalation or malicious activity. Immediate investigation + is recommended upon alert.' +search: "`wineventlog_security` EventCode=5136 ObjectClass=group | stats min(_time) + as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) as old_value + values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as new_value values(OperationType) + as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId\ + \ | rex field=old_value max_match=10000 \"\\((?P.*?)\\)\" | rex field=new_value + max_match=10000 \"\\((?P.*?)\\)\" | mvexpand new_ace | where NOT new_ace + IN (old_values) | rex field=new_ace \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup + flag_string as aceFlags OUTPUT flag_value as ace_flag_value | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights ``` Optional SID + resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT + downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT + cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT + builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), + aceInheritance=coalesce(ace_flag_value,\"This object only\"), 
aceAccessRights=if(aceAccessRights=\"\ + CCDCLCSWRPWPDTLOCRSDRCWDWO\",\"Full control\",coalesce(access_rights_value,AccessRights)), + aceControlAccessRights=if((ControlAccessRights=\"Write member\" OR aceObjectGuid=\"\ + bf9679c0-0de6-11d0-a285-00aa003049e2\") AND (aceAccessRights=\"All validated writes\"\ + \ OR AccessRights=\"SW\"),\"Add/remove self as member\",coalesce(ControlAccessRights,aceObjectGuid)), + user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType + values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) + as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user + OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | search + NOT aceType IN (\"*denied*\",\"D\",\"OD\",\"XD\") AND aceAccessRights IN (\"Full + control\",\"All extended rights\",\"All validated writes\",\"Create all child objects\"\ + ,\"Delete all child objects\",\"Delete subtree\",\"Delete\",\"Modify permissions\"\ + ,\"Modify owner\",\"Write all properties\",CC,CR,DC,DT,SD,SW,WD,WO,WP) | `windows_ad_dangerous_group_acl_modification_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings 
@@ -22,49 +61,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ + $aceAccessRights$ to group $ObjectDN$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to group $ObjectDN$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - 
Splunk Cloud - risk_score: 100 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml index d420f37861..f298e0616d 100644 --- a/detections/application/windows_ad_dangerous_user_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_user_acl_modification.yml 
@@ -1,15 +1,51 @@ name: Windows AD Dangerous User ACL Modification id: ec5b6790-595a-4fb8-ad43-56e5b55a9617 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: 'This detection monitors the addition of the following ACLs to an Active Directory user object: "Full control","All extended rights","All validated writes", "Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.' -search: '`wineventlog_security` EventCode=5136 ObjectClass=user | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as 
aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | search NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP) | `windows_ad_dangerous_user_acl_modification_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: 'This detection monitors the addition of the following ACLs to an Active + Directory user object: "Full control","All extended rights","All validated writes", + "Create all child objects","Delete all child objects","Delete subtree","Delete","Modify + permissions","Modify owner","Write all properties". Such modifications can indicate + potential privilege escalation or malicious activity. Immediate investigation is + recommended upon alert.' 
+search: "`wineventlog_security` EventCode=5136 ObjectClass=user | stats min(_time) + as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) as old_value + values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as new_value values(OperationType) + as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId\ + \ | rex field=old_value max_match=10000 \"\\((?P.*?)\\)\" | rex field=new_value + max_match=10000 \"\\((?P.*?)\\)\" | mvexpand new_ace | where NOT new_ace + IN (old_values) | rex field=new_ace \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup + flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution + lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName + as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | + lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name + as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,\"\ + This object only\"), aceAccessRights=if(aceAccessRights=\"CCDCLCSWRPWPDTLOCRSDRCWDWO\"\ + ,\"Full control\",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), + user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType + values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) + as 
aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user + OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | search + NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN (\"Full control\",\"All + extended rights\",\"All validated writes\",\"Create all child objects\",\"Delete + all child objects\",\"Delete subtree\",\"Delete\",\"Modify permissions\",\"Modify + owner\",\"Write all properties\",CC,CR,DC,DT,SD,SW,WD,WO,WP) | `windows_ad_dangerous_user_acl_modification_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings 
@@ -22,49 +58,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ + $aceAccessRights$ to user $ObjectDN$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk 
Cloud - risk_score: 100 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml index 0af44c4fc4..2e4977e6c4 100644 --- a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml +++ b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml 
@@ -1,15 +1,47 @@ name: Windows AD DCShadow Privileges ACL Addition id: ae915743-1aa8-4a94-975c-8062ebc8b723 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack. -search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$" | search aceObjectGuid IN ("9923a32a-3607-11d2-b9be-0000f87a36b2","1131f6ab-9c07-11d1-f79f-00c04fc2dcd2","1131f6ac-9c07-11d1-f79f-00c04fc2dcd2") | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), 
aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user | search (aceControlAccessRights="Add/Remove Replica In Domain" AND aceControlAccessRights="Manage Replication Topology" AND aceControlAccessRights="Replication Synchronization") OR (aceControlAccessRights="9923a32a-3607-11d2-b9be-0000f87a36b2" AND aceControlAccessRights="1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ac-9c07-11d1-f79f-00c04fc2dcd2") | `windows_ad_dcshadow_privileges_acl_addition_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: This detection identifies an Active Directory access-control list (ACL) + modification event, which applies the minimum required extended rights to perform + the DCShadow attack. 
+search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) + as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value + values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) + as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | + rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value + max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN + (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$" + | search aceObjectGuid IN ("9923a32a-3607-11d2-b9be-0000f87a36b2","1131f6ab-9c07-11d1-f79f-00c04fc2dcd2","1131f6ac-9c07-11d1-f79f-00c04fc2dcd2") + | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 + field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid + OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string + as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string + as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string as aceFlags + OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup + identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | + lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup + builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval + aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This + object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full + control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), + user=coalesce(user, group, builtin_group, aceSid) | stats min(_time) as _time values(aceType) + as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) + as 
aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) + as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user + user | search (aceControlAccessRights="Add/Remove Replica In Domain" AND aceControlAccessRights="Manage + Replication Topology" AND aceControlAccessRights="Replication Synchronization") + OR (aceControlAccessRights="9923a32a-3607-11d2-b9be-0000f87a36b2" AND aceControlAccessRights="1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" + AND aceControlAccessRights="1131f6ac-9c07-11d1-f79f-00c04fc2dcd2") | `windows_ad_dcshadow_privileges_acl_addition_filter`' +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://www.labofapenetrationtester.com/2018/04/dcshadow.html 
@@ -22,47 +54,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: ACL modification Event Initiated by $src_user$ applying $user$ the minimum + required extended rights to perform a DCShadow attack. + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. 
mitre_attack_id: - T1484 - T1207 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - OperationType - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml index 83750b99b1..c4bfa9c916 100644 --- a/detections/application/windows_ad_domain_root_acl_deletion.yml +++ b/detections/application/windows_ad_domain_root_acl_deletion.yml 
@@ -1,15 +1,44 @@ name: Windows AD Domain Root ACL Deletion id: 3cb56e57-5642-4638-907f-8dfde9afb889 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage. -search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand old_values | where NOT old_values IN (new_values) | rex field=old_values "(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), 
aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(old_values) as old_values by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | `windows_ad_domain_root_acl_deletion_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: ACL deletion performed on the domain root object, significant AD change + with high impact. Following MS guidance all changes at this level should be reviewed. + Drill into the logonID within EventCode 4624 for information on the source device + during triage. 
+search: "`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) + as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) as old_value + values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as new_value values(OperationType) + as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId\ + \ | rex field=old_value max_match=10000 \"\\((?P.*?)\\)\" | rex field=new_value + max_match=10000 \"\\((?P.*?)\\)\" | mvexpand old_values | where NOT + old_values IN (new_values) | rex field=old_values \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string + as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups + | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName + as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | + lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name + as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,\"\ + This object only\"), aceAccessRights=if(aceAccessRights=\"CCDCLCSWRPWPDTLOCRSDRCWDWO\"\ + ,\"Full control\",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), + user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType + values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(old_values) as old_values by _time + ObjectClass 
ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | `windows_ad_domain_root_acl_deletion_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings 
@@ -22,49 +51,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has removed $user$ $aceAccessRights$ ACL rights to domain root + $ObjectDN$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has removed $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - 
_time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml index 7e1026fc34..56d121c7d2 100644 --- a/detections/application/windows_ad_domain_root_acl_modification.yml +++ b/detections/application/windows_ad_domain_root_acl_modification.yml 
@@ -1,15 +1,44 @@ name: Windows AD Domain Root ACL Modification id: 4981e2db-1372-440d-816e-3e7e2ed74433 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage. -search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",''access_rights_value''), aceType=ace_type_value, 
aceFlags=coalesce(ace_flag_value,"This object only"), aceControlAccessRights=ControlAccessRights, user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | `windows_ad_domain_root_acl_modification_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: ACL modification performed on the domain root object, significant AD + change with high impact. Following MS guidance all changes at this level should + be reviewed. Drill into the logonID within EventCode 4624 for information on the + source device during triage. 
+search: "`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) + as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) as old_value + values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as new_value values(OperationType) + as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId\ + \ | rex field=old_value max_match=10000 \"\\((?P.*?)\\)\" | rex field=new_value + max_match=10000 \"\\((?P.*?)\\)\" | mvexpand new_ace | where NOT new_ace + IN (old_values) | rex field=new_ace \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string + as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups + | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName + as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | + lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name + as builtin_group | eval aceAccessRights=if(aceAccessRights=\"CCDCLCSWRPWPDTLOCRSDRCWDWO\"\ + ,\"Full control\",'access_rights_value'), aceType=ace_type_value, aceFlags=coalesce(ace_flag_value,\"\ + This object only\"), aceControlAccessRights=ControlAccessRights, user=coalesce(user, + group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceFlags) + as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace by _time ObjectClass + ObjectDN src_user SubjectLogonId user OpCorrelationID | eval 
aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | `windows_ad_domain_root_acl_modification_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings 
@@ -22,49 +51,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root + $ObjectDN$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - 
_time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_gpo_deleted.yml b/detections/application/windows_ad_gpo_deleted.yml index 71e1516dd5..995e41b3d2 100644 --- a/detections/application/windows_ad_gpo_deleted.yml +++ b/detections/application/windows_ad_gpo_deleted.yml 
@@ -1,15 +1,30 @@ name: Windows AD GPO Deleted id: 0d41772b-35ab-4e1c-a2ba-d0b455481aee -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console. -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=gpLink | eval ObjectDN=upper(ObjectDN) | stats min(_time) as eventTime values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType values(src_user) as src_user by OpCorrelationID ObjectDN SubjectLogonId | rex field=old_value max_match=10000 "(?i)LDAP://(?Pcn.*?);(?P\d)\]" | rex field=new_value max_match=10000 "(?i)LDAP://(?Pcn.*?);(?P\d)\]" | mvexpand old_dn | where NOT old_dn IN (new_dn) | eval ObjectDN=upper(old_dn) | join ObjectDN type=outer [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName by ObjectDN ] | stats min(eventTime) as _time values(OpCorrelationID) as OpCorrelationID values(displayName) as policyName values(src_user) as src_user by ObjectDN SubjectLogonId | `windows_ad_gpo_deleted_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136, admon data is also used to display the display name of the GPO. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security and admon macros are configured with the correct indexes. +description: This detection identifies when an Active Directory Group Policy is deleted + using the Group Policy Management Console. 
+search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=gpLink | eval ObjectDN=upper(ObjectDN) + | stats min(_time) as eventTime values(eval(if(OperationType=="%%14675",AttributeValue,null))) + as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value + values(OperationType) as OperationType values(src_user) as src_user by OpCorrelationID + ObjectDN SubjectLogonId | rex field=old_value max_match=10000 "(?i)LDAP://(?Pcn.*?);(?P\d)\]" + | rex field=new_value max_match=10000 "(?i)LDAP://(?Pcn.*?);(?P\d)\]" + | mvexpand old_dn | where NOT old_dn IN (new_dn) | eval ObjectDN=upper(old_dn) | + join ObjectDN type=outer [| search `admon` objectCategory="CN=Group-Policy-Container*" + admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) + as displayName by ObjectDN ] | stats min(eventTime) as _time values(OpCorrelationID) + as OpCorrelationID values(displayName) as policyName values(src_user) as src_user + by ObjectDN SubjectLogonId | `windows_ad_gpo_deleted_filter`' +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136, admon data is also used to display the display name of the GPO. See + lantern article in references for further on how to onboard AD audit data. Ensure + the wineventlog_security and admon macros are configured with the correct indexes. known_false_positives: Unknown references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory 
@@ -19,47 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: GPO $policyName$ was deleted by $src_user$ + risk_objects: + - field: src_user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 80 - message: GPO $policyName$ was deleted by $src_user$ mitre_attack_id: - T1562.001 - T1484.001 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log source: ActiveDirectory sourcetype: ActiveDirectory diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml index e33028676f..a694166f05 100644 --- a/detections/application/windows_ad_gpo_disabled.yml +++ b/detections/application/windows_ad_gpo_disabled.yml 
@@ -1,15 +1,28 @@ name: Windows AD GPO Disabled id: 72793bc0-c0cd-400e-9e60-fdf36f278917 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console. -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674" AttributeValue!=0 | eval AttributeValueExp=case(AttributeValue==0,"Enabled",AttributeValue==1,"User configuration settings disabled",AttributeValue==2,"Computer configuration settings disabled",AttributeValue==3,"Disabled"), ObjectDN=upper(ObjectDN) | join ObjectDN type=inner [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName by ObjectDN ] | stats min(_time) as _time values(AttributeValue) as AttributeValue values(AttributeValueExp) as AttributeValueExp values(OpCorrelationID) as OpCorrelationID values(displayName) as policyName values(src_user) as src_user by ObjectDN SubjectLogonId | `windows_ad_gpo_disabled_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136, admon data is also used to display the display name of the GPO. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security and admon macros are configured with the correct indexes. +description: This detection identifies when an Active Directory Group Policy is disabled + using the Group Policy Management Console. 
+search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674" + AttributeValue!=0 | eval AttributeValueExp=case(AttributeValue==0,"Enabled",AttributeValue==1,"User + configuration settings disabled",AttributeValue==2,"Computer configuration settings + disabled",AttributeValue==3,"Disabled"), ObjectDN=upper(ObjectDN) | join ObjectDN + type=inner [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update + | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName + by ObjectDN ] | stats min(_time) as _time values(AttributeValue) as AttributeValue + values(AttributeValueExp) as AttributeValueExp values(OpCorrelationID) as OpCorrelationID + values(displayName) as policyName values(src_user) as src_user by ObjectDN SubjectLogonId + | `windows_ad_gpo_disabled_filter`' +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136, admon data is also used to display the display name of the GPO. See + lantern article in references for further on how to onboard AD audit data. Ensure + the wineventlog_security and admon macros are configured with the correct indexes. known_false_positives: Unknown references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory 
@@ -19,47 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has disabled GPO $policyName$ + risk_objects: + - field: src_user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 80 - message: $src_user$ has disabled GPO $policyName$ mitre_attack_id: - T1562.001 - T1484.001 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log source: ActiveDirectory sourcetype: ActiveDirectory diff --git a/detections/application/windows_ad_gpo_new_cse_addition.yml b/detections/application/windows_ad_gpo_new_cse_addition.yml index 656115a834..4f0f4fce8f 100644 --- a/detections/application/windows_ad_gpo_new_cse_addition.yml +++ b/detections/application/windows_ad_gpo_new_cse_addition.yml 
@@ -1,16 +1,37 @@ name: Windows AD GPO New CSE Addition id: 700c11d1-da09-47b2-81aa-358c143c7986 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: This detection identifies when a a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console. -search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "(?P\{.*?\})" | rex field=new_value max_match=10000 "(?P\{.*?\})" | rex field=ObjectDN max_match=10000 "CN=(?P\{.*?\})" | mvexpand new_values | where NOT new_values IN (old_values,"{00000000-0000-0000-0000-000000000000}",policy_guid) AND match(new_values, "^\{[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\}") | lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType | eval newPolicy=if(policyType like "%",policyType,new_values) | join ObjectDN [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | stats latest(displayName) as displayName by distinguishedName | eval ObjectDN=upper(distinguishedName)] | stats values(OpCorrelationID) as OpCorrelationID values(src_user) as src_user values(SubjectLogonId) as SubjectLogonId values(newPolicy) as newPolicy values(displayName) as policyName by ObjectDN | `windows_ad_gpo_new_cse_addition_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136, admon data is also used to display the display name of the GPO. 
See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security and admon macros are configured with the correct indexes. -known_false_positives: General usage of group policy will trigger this detection, also please not GPOs modified using tools such as SharpGPOAbuse will not generate the AD audit events which enable this detection. +description: This detection identifies when a a new client side extension is added + to an Active Directory Group Policy using the Group Policy Management Console. +search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames + | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) + as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value + values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user + SubjectLogonId | rex field=old_value max_match=10000 "(?P\{.*?\})" | + rex field=new_value max_match=10000 "(?P\{.*?\})" | rex field=ObjectDN + max_match=10000 "CN=(?P\{.*?\})" | mvexpand new_values | where NOT + new_values IN (old_values,"{00000000-0000-0000-0000-000000000000}",policy_guid) + AND match(new_values, "^\{[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\}") + | lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType + | eval newPolicy=if(policyType like "%",policyType,new_values) | join ObjectDN [| + search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update + | stats latest(displayName) as displayName by distinguishedName | eval ObjectDN=upper(distinguishedName)] + | stats values(OpCorrelationID) as OpCorrelationID values(src_user) as src_user + values(SubjectLogonId) as SubjectLogonId values(newPolicy) as newPolicy values(displayName) + as policyName by ObjectDN | `windows_ad_gpo_new_cse_addition_filter`' +how_to_implement: Ensure you are ingesting Active 
Directory audit logs - specifically + event 5136, admon data is also used to display the display name of the GPO. See + lantern article in references for further on how to onboard AD audit data. Ensure + the wineventlog_security and admon macros are configured with the correct indexes. +known_false_positives: General usage of group policy will trigger this detection, + also please not GPOs modified using tools such as SharpGPOAbuse will not generate + the AD audit events which enable this detection. references: - https://wald0.com/?p=179 - https://learn.microsoft.com/en-gb/archive/blogs/mempson/group-policy-client-side-extension-list 
@@ -22,49 +43,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has added new GPO Client Side Extensions $newPolicy$ to the + policy $policyName$ + risk_objects: + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has added new GPO Client Side Extensions $newPolicy$ to the policy $policyName$ mitre_attack_id: - T1484 - T1484.001 - T1222 - T1222.001 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - 
- AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log source: ActiveDirectory sourcetype: ActiveDirectory diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml index 31dd669905..2885f00678 100644 --- a/detections/application/windows_ad_hidden_ou_creation.yml +++ b/detections/application/windows_ad_hidden_ou_creation.yml 
@@ -1,15 +1,46 @@ name: Windows AD Hidden OU Creation id: 66b6ad5e-339a-40af-b721-dacefc7bdb75 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators. -search: '`wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), 
aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | search aceType IN ("Access denied",D) AND aceAccessRights IN ("List contents","List objects",LC,LO) | `windows_ad_hidden_ou_creation_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: This analytic is looking for when an ACL is applied to an OU which denies + listing the objects residing in the OU. This activity combined with modifying the + owner of the OU will hide AD objects even from domain administrators. 
+search: "`wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit | stats + min(_time) as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) + as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as + new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID + src_user SubjectLogonId | rex field=old_value max_match=10000 \"\\((?P.*?)\\\ + )\" | rex field=new_value max_match=10000 \"\\((?P.*?)\\)\" | mvexpand + new_ace | where NOT new_ace IN (old_values) | rex field=new_ace \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup + flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution + lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName + as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | + lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name + as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,\"\ + This object only\"), aceAccessRights=if(aceAccessRights=\"CCDCLCSWRPWPDTLOCRSDRCWDWO\"\ + ,\"Full control\",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), + user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType + values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) + 
as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user + OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | search + aceType IN (\"Access denied\",D) AND aceAccessRights IN (\"List contents\",\"List + objects\",LC,LO) | `windows_ad_hidden_ou_creation_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: None. references: - https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54 
@@ -20,49 +51,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has hidden the contents of OU $ObjectDN$ from $user$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has hidden the contents of OU $ObjectDN$ from $user$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - OperationType - - ObjectDN - - 
OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml index 76ccb9cf3c..fb234c3f1a 100644 --- a/detections/application/windows_ad_object_owner_updated.yml +++ b/detections/application/windows_ad_object_owner_updated.yml 
@@ -1,15 +1,36 @@ name: Windows AD Object Owner Updated id: 4af01f6b-d8d4-4f96-8635-758a01557130 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object. -search: '`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName | rex field=old_value "O:(?P.*?)G:" | rex field=new_value "O:(?P.*?)G:" | where old_owner!=new_owner ``` optional SID resolution lookups | lookup identity_lookup_expanded objectSid as new_owner OUTPUT downLevelDomainName as new_owner_user | lookup admon_groups_def objectSid as new_owner OUTPUT cn as new_owner_group | lookup identity_lookup_expanded objectSid as old_owner OUTPUT downLevelDomainName as old_owner_user | lookup admon_groups_def objectSid as old_owner OUTPUT cn as old_owner_group ``` | lookup builtin_groups_lookup builtin_group_string as new_owner_group OUTPUT builtin_group_name as new_owner_group_builtin_group | lookup builtin_groups_lookup builtin_group_string as old_owner OUTPUT builtin_group_name as old_owner_group_builtin_group | eval user=coalesce(new_owner_user, new_owner_group, new_owner_group_builtin_group, new_owner), previousOwner=coalesce(old_owner_user, old_owner_group, old_owner_group_builtin_group, old_owner) | stats values(previousOwner) as previousOwner values(user) as user values(SubjectLogonId) as SubjectLogonId by _time ObjectClass ObjectDN src_user OpCorrelationID DSName | `windows_ad_object_owner_updated_filter`' -how_to_implement: Ensure you are 
ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. +description: AD Object Owner Updated. The owner provides Full control level privileges + over the target AD Object. This event has significant impact alone and is also a + precursor activity for hiding an AD object. +search: '`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) + as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value + values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user + SubjectLogonId DSName | rex field=old_value "O:(?P.*?)G:" | rex field=new_value + "O:(?P.*?)G:" | where old_owner!=new_owner ``` optional SID resolution + lookups | lookup identity_lookup_expanded objectSid as new_owner OUTPUT downLevelDomainName + as new_owner_user | lookup admon_groups_def objectSid as new_owner OUTPUT cn as + new_owner_group | lookup identity_lookup_expanded objectSid as old_owner OUTPUT + downLevelDomainName as old_owner_user | lookup admon_groups_def objectSid as old_owner + OUTPUT cn as old_owner_group ``` | lookup builtin_groups_lookup builtin_group_string as + new_owner_group OUTPUT builtin_group_name as new_owner_group_builtin_group | lookup + builtin_groups_lookup builtin_group_string as old_owner OUTPUT builtin_group_name + as old_owner_group_builtin_group | eval user=coalesce(new_owner_user, new_owner_group, + new_owner_group_builtin_group, new_owner), previousOwner=coalesce(old_owner_user, + old_owner_group, old_owner_group_builtin_group, old_owner) | stats values(previousOwner) + as previousOwner values(user) as user values(SubjectLogonId) as SubjectLogonId by + _time ObjectClass ObjectDN src_user OpCorrelationID 
DSName | `windows_ad_object_owner_updated_filter`' +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings 
@@ -22,49 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has made $user$ the owner of AD object $ObjectDN$ + risk_objects: + - field: user + type: user + score: 100 + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has made $user$ the owner of AD object $ObjectDN$ mitre_attack_id: - T1484 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - OperationType - - ObjectDN - - 
OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_privileged_group_modification.yml b/detections/application/windows_ad_privileged_group_modification.yml index 3256d9d220..1d45a23098 100644 --- a/detections/application/windows_ad_privileged_group_modification.yml +++ b/detections/application/windows_ad_privileged_group_modification.yml 
@@ -1,50 +1,50 @@ name: Windows AD Privileged Group Modification id: 187bf937-c436-4c65-bbcb-7539ffe02da1 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: Dean Luxton status: experimental type: TTP data_source: - Windows Event Log Security 4728 description: Detect users added to privileged AD Groups. -search: '`wineventlog_security` EventCode IN (4728) | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name,src_user | lookup admon_groups_def cn as Group_Name OUTPUT category | where category="privileged" | `windows_ad_privileged_group_modification_filter`' -how_to_implement: This analytic requires eventCode 4728 to be ingested along with the admon_groups_def lookup being configured to include a list of AD groups along with a category to identify privileged groups. See splunkbase app listed in the references for further details. +search: '`wineventlog_security` EventCode IN (4728) | stats min(_time) as _time dc(user) + as usercount, values(user) as user values(user_category) as user_category values(src_user_category) + as src_user_category values(dvc) as dvc by signature, Group_Name,src_user | lookup + admon_groups_def cn as Group_Name OUTPUT category | where category="privileged" + | `windows_ad_privileged_group_modification_filter`' +how_to_implement: This analytic requires eventCode 4728 to be ingested along with + the admon_groups_def lookup being configured to include a list of AD groups along + with a category to identify privileged groups. See splunkbase app listed in the + references for further details. 
known_false_positives: None references: - https://splunkbase.splunk.com/app/6853 +rba: + message: $user$ was added to privileged AD Group $Group_Name$ by $src_user$ + risk_objects: + - field: user + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 50 - message: $user$ was added to privileged AD Group $Group_Name$ by $src_user$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 - required_fields: - - EventCode - - user - - src_user - - signature - - Group_Name - - dest security_domain: identity - manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested. + manual_test: This search uses a lookup provided by Enterprise Security and needs + to be manually tested. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml index 04987480df..c80ffee6da 100644 --- a/detections/application/windows_ad_self_dacl_assignment.yml +++ b/detections/application/windows_ad_self_dacl_assignment.yml 
@@ -1,15 +1,46 @@ name: Windows AD Self DACL Assignment id: 16132445-da9f-4d03-ad44-56d717dcd67d -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 description: Detect when a user creates a new DACL in AD for their own AD object. -search: '`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceInheritance=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=if((ControlAccessRights="Write member" OR 
aceObjectGuid="bf9679c0-0de6-11d0-a285-00aa003049e2") AND (aceAccessRights="All validated writes" OR AccessRights="SW"),"Add/remove self as member",coalesce(ControlAccessRights,aceObjectGuid)), user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | rex field=user "\\\(?P.*?)$" | where lower(src_user)=lower(nt_user) | `windows_ad_self_dacl_assignment_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
+search: "`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType==\"\ + %%14675\",AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\"\ + ,AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass + ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 + \"\\((?P.*?)\\)\" | rex field=new_value max_match=10000 \"\\((?P.*?)\\\ + )\" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace + \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value as aceType | lookup ace_flag_lookup + flag_string as aceFlags OUTPUT flag_value as ace_flag_value | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights ``` Optional SID + resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT + downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT + cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT + builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), + aceInheritance=coalesce(ace_flag_value,\"This object only\"), aceAccessRights=if(aceAccessRights=\"\ + CCDCLCSWRPWPDTLOCRSDRCWDWO\",\"Full control\",coalesce(access_rights_value,AccessRights)), + aceControlAccessRights=if((ControlAccessRights=\"Write member\" OR aceObjectGuid=\"\ + bf9679c0-0de6-11d0-a285-00aa003049e2\") AND (aceAccessRights=\"All validated writes\"\ + \ OR AccessRights=\"SW\"),\"Add/remove self as member\",coalesce(ControlAccessRights,aceObjectGuid)), + user=coalesce(user, group, builtin_group, aceSid) | stats values(aceType) as aceType + 
values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights + values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) + as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user + OpCorrelationID | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 + AND aceControlAccessRights=\"\",\"All rights\",'aceControlAccessRights') | rex field=user + \"\\\\\\(?P.*?)$\" | where lower(src_user)=lower(nt_user) | `windows_ad_self_dacl_assignment_filter`" +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes + and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives: Unknown references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory 
@@ -19,44 +50,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ + across $aceAccessRights$ + risk_objects: + - field: src_user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 80 - message: $src_user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$ mitre_attack_id: - T1484 - T1098 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - 
AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml index a55f2540fc..01c2dd31bc 100644 --- a/detections/application/windows_ad_suspicious_attribute_modification.yml +++ b/detections/application/windows_ad_suspicious_attribute_modification.yml 
@@ -1,16 +1,34 @@ name: Windows AD Suspicious Attribute Modification id: 5682052e-ce55-4f9f-8d28-59191420b7e0 -version: 2 -date: '2024-09-30' +version: 4 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Security 5136 -description: 'This detection monitors changes to the following Active Directory attributes: "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink", "scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. Immediate investigation is recommended upon alert.' -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","scriptPath","msTSInitialProgram") OperationType=%%14674 ```Changes to the attribute "msDS-KeyCredentialLink" are also worth moniroting, however tuning will need to be applied``` | table _time ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName AttributeValue AttributeLDAPDisplayName | rename SubjectLogonId as TargetLogonId, src_user as initiator, _time as eventTime | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | stats min(eventTime) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(ObjectDN) as ObjectDN, values(ObjectClass) as ObjectClass, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType values(AttributeValue) as AttributeValue values(AttributeLDAPDisplayName) as AttributeLDAPDisplayName by TargetLogonId | rex field=ObjectDN "^CN=(?P.*?),[A-Z]{2}\=" | eval dest=if(ObjectClass="computer",cn,null), user=if(ObjectClass="user",cn,null) | fields - cn | `windows_ad_suspicious_attribute_modification_filter`' -how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136. 
See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes. -known_false_positives: If key credentials are regularly assigned to users, these events will need to be tuned out. +description: 'This detection monitors changes to the following Active Directory attributes: + "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink", + "scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate + potential malicious activity or privilege escalation attempts. Immediate investigation + is recommended upon alert.' +search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","scriptPath","msTSInitialProgram") + OperationType=%%14674 ```Changes to the attribute "msDS-KeyCredentialLink" are + also worth moniroting, however tuning will need to be applied``` | table _time ObjectClass + ObjectDN OpCorrelationID src_user SubjectLogonId DSName AttributeValue AttributeLDAPDisplayName | + rename SubjectLogonId as TargetLogonId, src_user as initiator, _time as eventTime | + appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | + stats min(eventTime) as _time values(initiator) as src_user, values(DSName) as targetDomain, + values(ObjectDN) as ObjectDN, values(ObjectClass) as ObjectClass, values(src_category) + as src_category, values(src_ip) as src_ip values(LogonType) as LogonType values(AttributeValue) + as AttributeValue values(AttributeLDAPDisplayName) as AttributeLDAPDisplayName by + TargetLogonId | rex field=ObjectDN "^CN=(?P.*?),[A-Z]{2}\=" | eval dest=if(ObjectClass="computer",cn,null), + user=if(ObjectClass="user",cn,null) | fields - cn | `windows_ad_suspicious_attribute_modification_filter`' +how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically + 
event 5136. See lantern article in references for further on how to onboard AD audit + data. Ensure the wineventlog_security macro is configured with the correct indexes. +known_false_positives: If key credentials are regularly assigned to users, these events + will need to be tuned out. references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory 
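Review bot: the description still tells readers this detection monitors "msDS-KeyCredentialLink", but the search's `AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","scriptPath","msTSInitialProgram")` omits it and the inline SPL comment only says it is "also worth moniroting" (typo for "monitoring"). Since both scalars are rewritten in this hunk, either add the attribute to the IN list or drop it from the description so the stated coverage matches the query, and fix the typo. Also, `rex field=ObjectDN "^CN=(?P.*?),[A-Z]{2}\="` appears here with an unnamed group while the later `eval dest=if(ObjectClass="computer",cn,null)` reads `cn`; verify the committed file keeps `(?P<cn>...)`.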
@@ -20,49 +38,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has added $AttributeLDAPDisplayName$ ACL rights to $ObjectClass$ + $ObjectDN$ + risk_objects: + - field: src_user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: $src_user$ has added $AttributeLDAPDisplayName$ ACL rights to $ObjectClass$ $ObjectDN$ mitre_attack_id: - T1550 - T1222 - T1222.001 - observable: - - name: src_user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - 
required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml index d959ca51fb..00ca4b7616 100644 --- a/detections/application/windows_ad_suspicious_gpo_modification.yml +++ b/detections/application/windows_ad_suspicious_gpo_modification.yml 
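Review bot: `rba.message` says "$src_user$ has added $AttributeLDAPDisplayName$ ACL rights to $ObjectClass$ $ObjectDN$", but this detection fires on changes to attribute values (msDS-AllowedToDelegateTo, scriptPath and the others in the IN list), not on ACL changes; wording such as "$src_user$ has modified $AttributeLDAPDisplayName$ on $ObjectClass$ $ObjectDN$" would describe what the search actually found. Note also that the search only sets `dest` when `ObjectClass="computer"`, so the `dest` risk object (score 100) is empty for user-object modifications; confirm RBA tolerates the null field rather than emitting a malformed risk event, or compute a fallback in the search.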
@@ -1,17 +1,52 @@ name: Windows AD Suspicious GPO Modification id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf -version: 2 -date: '2024-10-17' +version: 4 +date: '2025-01-21' author: Dean Luxton status: experimental type: TTP data_source: - Windows Security 5136 - Windows Security 5145 -description: This analytic looks for a the creation of potentially harmful GPO which could lead to persistence or code execution on remote hosts. Note, this analyic is looking for the absence of the corresponding 5136 events which is evidence of the GPOs being manually edited (using a tool like PowerView) or potentially missing logs. -search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\" RelativeTargetName IN (*\\\\ScheduledTasks.xml, *\\\\Groups.xml, *\\\\Registry.xml, *\\\\Services.xml, *\\\\Scripts\\\\*) NOT RelativeTargetName=*\\\\Scripts\\\\scripts.ini AccessMask=0x2 | rex field=AccessList max_match=0 \"(?P%%\\d+)\" | table _time AccessMask src_ip src_user RelativeTargetName Logon_ID dvc | rex field=RelativeTargetName \"Policies\\\\\\(?P{.*?})\\\\\\(?P\\w+?)\\\\\\(\\w+)\\\\\\(?P\\w+)\\\\\\(?P\\w+\\.\\w+)$\" | eval src=if(match(src_ip, \"(?i)^fe80:\"),dvc,src_ip), folder=case(RelativeTargetName like \"%\\\\Scripts\\\\%\",\"Scripts\",folder=\"Groups\",\"Local users and groups\",1=1,folder) | appendpipe \n [| map search=\"search `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames $gpo_guid$\" \n | stats min(_time) as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId \n | rex field=old_value max_match=10000 \"(?P\\{.*?\\})\" \n | rex field=new_value max_match=10000 \"(?P\\{.*?\\})\" \n | rex field=ObjectDN max_match=10000 \"CN=(?P\\{.*?\\})\" \n | mvexpand new_values \n | where NOT 
new_values IN (old_values,\"{00000000-0000-0000-0000-000000000000}\",policy_guid) AND match(new_values, \"^\\{[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\}\") \n | lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType \n | eval newPolicy=if(policyType like \"%\",policyType,new_values) \n | stats values(OpCorrelationID) as OpCorrelationID values(newPolicy) as newPolicy by ObjectDN \n | rex field=ObjectDN max_match=10000 \"CN=(?P\\{.*?\\})\" \n | fields - ObjectDN] \n| stats values(AccessMask) as AccessMask values(src) as src values(src_user) as src_user values(RelativeTargetName) as RelativeTargetName values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID) as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid | mvexpand folder | where NOT folder IN (newPolicy) | `windows_ad_suspicious_gpo_modification_filter`" -how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional SACLs required to capture EventCode 5136, see references for further information on how to configure this. The Group Policy - Audit Detailed File Share will need to be enabled on the DCs to generate event code 5145, this event is very noisy on DCs, consider tuning out sysvol events which do not match access mask 0x2. -known_false_positives: When a GPO is manually edited and 5136 events are not logging to Splunk. +description: This analytic looks for a the creation of potentially harmful GPO which + could lead to persistence or code execution on remote hosts. Note, this analyic + is looking for the absence of the corresponding 5136 events which is evidence of + the GPOs being manually edited (using a tool like PowerView) or potentially missing + logs. 
+search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\" RelativeTargetName + IN (*\\\\ScheduledTasks.xml, *\\\\Groups.xml, *\\\\Registry.xml, *\\\\Services.xml, + *\\\\Scripts\\\\*) NOT RelativeTargetName=*\\\\Scripts\\\\scripts.ini AccessMask=0x2\ + \ | rex field=AccessList max_match=0 \"(?P%%\\d+)\" | table _time + AccessMask src_ip src_user RelativeTargetName Logon_ID dvc | rex field=RelativeTargetName + \"Policies\\\\\\(?P{.*?})\\\\\\(?P\\w+?)\\\\\\(\\w+)\\\\\\(?P\\\ + w+)\\\\\\(?P\\w+\\.\\w+)$\" | eval src=if(match(src_ip, \"(?i)^fe80:\"),dvc,src_ip), + folder=case(RelativeTargetName like \"%\\\\Scripts\\\\%\",\"Scripts\",folder=\"\ + Groups\",\"Local users and groups\",1=1,folder) | appendpipe \n [| map search=\"\ + search `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames + $gpo_guid$\" \n | stats min(_time) as _time values(eval(if(OperationType==\"%%14675\"\ + ,AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) + as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID + src_user SubjectLogonId \n | rex field=old_value max_match=10000 \"(?P\\\ + {.*?\\})\" \n | rex field=new_value max_match=10000 \"(?P\\{.*?\\})\"\ + \ \n | rex field=ObjectDN max_match=10000 \"CN=(?P\\{.*?\\})\" \n\ + \ | mvexpand new_values \n | where NOT new_values IN (old_values,\"{00000000-0000-0000-0000-000000000000}\"\ + ,policy_guid) AND match(new_values, \"^\\{[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\\ + -[A-Z|\\d]+\\-[A-Z|\\d]+\\}\") \n | lookup msad_guid_lookup guid as new_values + OUTPUTNEW displayName as policyType \n | eval newPolicy=if(policyType like \"%\"\ + ,policyType,new_values) \n | stats values(OpCorrelationID) as OpCorrelationID values(newPolicy) + as newPolicy by ObjectDN \n | rex field=ObjectDN max_match=10000 \"CN=(?P\\\ + {.*?\\})\" \n | fields - ObjectDN] \n| stats values(AccessMask) as 
AccessMask values(src) + as src values(src_user) as src_user values(RelativeTargetName) as RelativeTargetName + values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID) + as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid | + mvexpand folder | where NOT folder IN (newPolicy) | `windows_ad_suspicious_gpo_modification_filter`" +how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional + SACLs required to capture EventCode 5136, see references for further information + on how to configure this. The Group Policy - Audit Detailed File Share will need + to be enabled on the DCs to generate event code 5145, this event is very noisy on + DCs, consider tuning out sysvol events which do not match access mask 0x2. +known_false_positives: When a GPO is manually edited and 5136 events are not logging + to Splunk. references: - https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122 - https://github.com/X-C3LL/GPOwned 
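Review bot: the reflowed description carries over two typos from the old text ("looks for a the creation", "this analyic is looking"); since the scalar is rewritten here, correct them to "looks for the creation of a potentially harmful GPO" and "this analytic". The rewritten `how_to_implement` has the same opportunity: "Additional SACLs required to capture EventCode 5136" is a fragment ("Additional SACLs are required ..."). As a style point, hard-wrapping the double-quoted `search` scalar with backslash continuations splits regex fragments across lines (for example `(?P\\\` followed by `w+)`), which makes the already heavily escaped pattern hard to review; a literal block scalar (`search: |`) would keep each regex on one line without changing the SPL.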
@@ -19,47 +54,35 @@ references: - https://wald0.com/?p=179 - https://github.com/FSecureLABS/SharpGPOAbuse - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory +rba: + message: $src_user$ has added new GPO Client Side Extensions $folder$ to the policy + $gpo_guid$ + risk_objects: + - field: user + type: user + score: 80 + - field: src_user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 100 - message: $src_user$ has added new GPO Client Side Extensions $folder$ to the policy $gpo_guid$ mitre_attack_id: - T1484 - T1484.001 - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 - required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_new_cse/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_new_cse/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml index f2a1a593ec..51f33607d6 100644 --- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml 
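Review bot: `risk_objects` includes `field: user`, but the search's final `| stats values(AccessMask) as AccessMask values(src) as src values(src_user) as src_user ... by gpo_guid | mvexpand folder` never produces a `user` field, so that risk object will always be empty; either drop it or derive `user` in the search. This carries forward the same gap the removed `observable` entry for `user` had, so the migration is a good moment to fix it.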
@@ -1,14 +1,24 @@ name: Windows Increase in Group or Object Modification Activity id: 4f9564dd-a204-4f22-b375-4dfca3a68731 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Event Log Security 4663 -description: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment. -search: '`wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) | bucket span=5m _time | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std) | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) | search isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter`' +description: This analytic detects an increase in modifications to AD groups or objects. + Frequent changes to AD groups or objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. 
+search: '`wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) | bucket + span=5m _time | stats values(object) as object, dc(object) as objectCount, values(src_user_category) + as src_user_category, values(dest) as dest, values(dest_category) as dest_category + by _time, src_user, signature, status | eventstats avg(objectCount) as comp_avg, + stdev(objectCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std) + | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) | search + isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter`' how_to_implement: Run this detection looking over a 7 day timeframe for best results. known_false_positives: Unknown references: [] 
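Review bot: `data_source` lists only "Windows Event Log Security 4663", but the search filters `EventCode IN (4670,4727,4731,4734,4735,4764)` and never matches 4663; list the event codes the search actually consumes so onboarding guidance matches the query. Also, `eval upperBound=(comp_avg+comp_std)` flags any 5-minute bucket one standard deviation above the per-`src_user`/`signature` mean, whereas the sibling "Windows Increase in User Modification Activity" in this same change uses `comp_std*3`; if the single-sigma threshold is intentional, say so in `known_false_positives` (currently "Unknown") since it will be markedly noisier.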
@@ -18,37 +28,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Spike in Group or Object Modifications performed by $src_user$ + risk_objects: + - field: src_user + type: user + score: 8 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 40 - impact: 20 - message: Spike in Group or Object Modifications performed by $src_user$ mitre_attack_id: - T1098 - T1562 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - EventCode - - src_user - - signature security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml index 11c461d17f..f3fcfca207 100644 --- a/detections/application/windows_increase_in_user_modification_activity.yml +++ b/detections/application/windows_increase_in_user_modification_activity.yml 
@@ -1,14 +1,28 @@ name: Windows Increase in User Modification Activity id: 0995fca1-f346-432f-b0bf-a66d14e6b428 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-21' author: Dean Luxton status: production type: TTP data_source: - Windows Event Log Security 4720 -description: This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment. -search: '`wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) | bucket span=5m _time | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status | eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) | search isOutlier=1 | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status | `windows_increase_in_user_modification_activity_filter`' +description: This analytic detects an increase in modifications to AD user objects. + A large volume of changes to user objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. 
+ By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. +search: '`wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) + | bucket span=5m _time | stats values(TargetDomainName) as TargetDomainName, values(user) + as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) + as src_user_category, values(dest) as dest, values(dest_category) as dest_category + by _time, src_user, signature, status | eventstats avg(userCount) as comp_avg , + stdev(userCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) | search + isOutlier=1 | stats values(TargetDomainName) as TargetDomainName, values(user) as + user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) + as src_user_category, values(dest) as dest, values(dest_category) as dest_category + values(signature) as signature by _time, src_user, status | `windows_increase_in_user_modification_activity_filter`' how_to_implement: Run this detection looking over a 7 day timeframe for best results. known_false_positives: Genuine activity references: [] 
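Review bot: `data_source` names only "Windows Event Log Security 4720", but the search covers twelve event codes (`4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780`), of which 4720 is only account creation; the entry understates what has to be onboarded for the detection to work. Minor: `comp_avg ,` carries a stray space before the comma, and `known_false_positives: Genuine activity` would be more useful if it said which routine activity is meant (for example bulk account provisioning), since that is what operators will need to tune out.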
@@ -18,37 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Spike in User Modification actions performed by $src_user$ + risk_objects: + - field: src_user + type: user + score: 8 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 40 - impact: 20 - message: Spike in User Modification actions performed by $src_user$ mitre_attack_id: - T1098 - T1562 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - EventCode - - src_user - - signature security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml index 5c8ebae8a8..969f05f721 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml 
@@ -1,48 +1,61 @@ name: Abnormally High Number Of Cloud Infrastructure API Calls id: 0840ddf1-8c89-46ff-b730-c8d6722478c0 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment. +description: The following analytic detects a spike in the number of API calls made + to your cloud infrastructure by a user. It leverages cloud infrastructure logs and + compares the current API call volume against a baseline probability density function + to identify anomalies. This activity is significant because an unusual increase + in API calls can indicate potential misuse or compromise of cloud resources. If + confirmed malicious, this could lead to unauthorized access, data exfiltration, + or disruption of cloud services, posing a significant risk to the organization's + cloud environment. 
data_source: - AWS CloudTrail -search: '| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function. 
+search: '| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change + where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time + span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, + "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") + | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay + isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply + cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as + isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, + -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold + = api_calls - expected_upper_threshold | table _time, user, command, api_calls, + expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must + run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to + create the probability density function. known_false_positives: None. references: [] +rba: + message: user $user$ has made $api_calls$ api calls, violating the dynamic threshold + of $expected_upper_threshold$ with the following command $command$. + risk_objects: + - field: user + type: user + score: 15 + threat_objects: [] tags: analytic_story: - Suspicious Cloud User Activities - Compromised User Account asset_type: AWS Instance - confidence: 50 - impact: 30 - message: user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$. 
mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.command - - All_Changes.user - - All_Changes.status - risk_score: 15 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml index f08c410c3f..8175e9709c 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml 
@@ -1,46 +1,56 @@ name: Abnormally High Number Of Cloud Instances Destroyed id: ef629fc9-1583-4590-b62a-f2247fbf7bbf -version: 4 -date: '2024-10-22' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources. +description: The following analytic identifies an abnormally high number of cloud + instances being destroyed within a 4-hour period. It leverages cloud infrastructure + logs and applies a probability density model to detect outliers. This activity is + significant for a SOC because a sudden spike in destroyed instances could indicate + malicious activity, such as an insider threat or a compromised account attempting + to disrupt services. If confirmed malicious, this could lead to significant operational + disruptions, data loss, and potential financial impact due to the destruction of + critical cloud resources. 
data_source: - AWS CloudTrail -search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function. -known_false_positives: Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. 
+search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id + from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success + AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` + | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval + DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek + <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] + | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 + | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval + expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | + eval distance_from_threshold = instances_destroyed - expected_upper_threshold | + table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, + object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must + run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability + density function. +known_false_positives: Many service accounts configured within a cloud infrastructure + are known to exhibit this behavior. Please adjust the threshold values and filter + out service accounts from the output. Always verify if this search alerted on a + human user. 
references: [] +rba: + message: At least $instances_destroyed$ instances destroyed by $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious Cloud Instance Activities asset_type: Cloud Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.status - - All_Changes.object_category - - All_Changes.user - risk_score: 25 security_domain: threat diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml index 93a18c80b5..e88f2c8f16 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml 
@@ -1,43 +1,56 @@ name: Abnormally High Number Of Cloud Instances Launched id: f2361e9f-3928-496c-a556-120cd4223a65 -version: 5 -date: '2024-10-22' +version: 6 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives. +description: The following analytic detects an abnormally high number of cloud instances + launched within a 4-hour period. It leverages cloud infrastructure logs and applies + a probability density model to identify outliers based on historical data. This + activity is significant for a SOC because a sudden spike in instance creation could + indicate unauthorized access or misuse of cloud resources. If confirmed malicious, + this behavior could lead to resource exhaustion, increased costs, or provide attackers + with additional compute resources to further their objectives. 
data_source: - AWS CloudTrail -search: '| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function. -known_false_positives: Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. 
+search: '| tstats count as instances_launched values(All_Changes.object_id) as object_id + from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success + AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` + | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval + DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek + <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] + | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 + | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval + expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | + eval distance_from_threshold = instances_launched - expected_upper_threshold | table + _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, + object_id | `abnormally_high_number_of_cloud_instances_launched_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must + run the baseline search `Baseline Of Cloud Instances Launched` to create the probability + density function. +known_false_positives: Many service accounts configured within an AWS infrastructure + are known to exhibit this behavior. Please adjust the threshold values and filter + out service accounts from the output. Always verify if this search alerted on a + human user. 
references: [] +rba: + message: At least $instances_launched$ instances launched by $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Cloud Cryptomining - Suspicious Cloud Instance Activities asset_type: Cloud Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.status - - All_Changes.object_category - - All_Changes.user - risk_score: 25 security_domain: threat diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml index ac1b861904..2360113251 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml 
@@ -1,48 +1,61 @@ name: Abnormally High Number Of Cloud Security Group API Calls id: d4dfb7f3-7a37-498a-b5df-f19334e871af -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls. +description: The following analytic detects a spike in the number of API calls made + to cloud security groups by a user. It leverages data from the Change data model, + focusing on successful firewall-related changes. This activity is significant because + an abnormal increase in security group API calls can indicate potential malicious + activity, such as unauthorized access or configuration changes. If confirmed malicious, + this could allow an attacker to manipulate security group settings, potentially + exposing sensitive resources or disrupting network security controls. 
data_source: - AWS CloudTrail -search: '| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model. 
+search: '| tstats count as security_group_api_calls values(All_Changes.command) as + command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success + by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval + HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, + "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay + isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality + >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename + "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold + = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls + > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls + - expected_upper_threshold | table _time, user, command, security_group_api_calls, + expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must + run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to + create the probability density function model. known_false_positives: None. references: [] +rba: + message: user $user$ has made $api_calls$ api calls related to security groups, + violating the dynamic threshold of $expected_upper_threshold$ with the following + command $command$. + risk_objects: + - field: user + type: user + score: 15 + threat_objects: [] tags: analytic_story: - Suspicious Cloud User Activities asset_type: AWS Instance - confidence: 50 - impact: 30 - message: user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$. 
mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.command - - All_Changes.object_category - - All_Changes.status - - All_Changes.user - risk_score: 15 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml index 16e8024f5b..2f2bc30292 100644 --- a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml +++ b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml 
@@ -1,45 +1,38 @@ name: Amazon EKS Kubernetes cluster scan detection id: 294c4686-63dd-4fe6-93a2-ca807626704a -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment. +description: The following analytic detects unauthenticated requests to an Amazon + EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" + user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication + details. This activity is significant as it may indicate unauthorized scanning or + probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed + malicious, this could lead to unauthorized access, data exfiltration, or disruption + of services within the Kubernetes environment. 
data_source: [] -search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs. -known_false_positives: Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context. +search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS + Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime + max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name + values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) + by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + |`amazon_eks_kubernetes_cluster_scan_detection_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch + EKS Logs inputs. +known_false_positives: Not all unauthenticated requests are malicious, but frequency, + UA and source IPs will provide context. 
references: [] tags: analytic_story: - Kubernetes Scanning Activity asset_type: Amazon EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1526 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user.username - - userAgent - - sourceIPs{} - - responseStatus.reason - - source - - responseStatus.code - - verb - - requestURI - - src_ip - - user.groups{} - risk_score: 25 security_domain: threat diff --git a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml index 3795333aaf..3467645f6f 100644 --- a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml +++ b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml 
@@ -1,46 +1,40 @@ name: Amazon EKS Kubernetes Pod scan detection id: dbfca1dd-b8e5-4ba4-be0e-e565e5d62002 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster. +description: The following analytic detects unauthenticated requests made against + the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages + the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` + is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with + `requestURI` set to "/api/v1/pods". This activity is significant as it may signal + attempts to access sensitive resources or execute unauthorized commands within the + Kubernetes environment. If confirmed malicious, such access could lead to data compromise, + unauthorized command execution, or lateral movement within the cluster. 
data_source: [] -search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives. -known_false_positives: Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context. +search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods + requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip + | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) + values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by + src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch + EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` + macro to filter out the false positives. +known_false_positives: Not all unauthenticated requests are malicious, but frequency, + UA and source IPs and direct request to API provide context. 
references: [] tags: analytic_story: - Kubernetes Scanning Activity asset_type: Amazon EKS Kubernetes cluster Pod - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1526 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user.username - - verb - - objectRef.resource - - requestURI - - source - - sourceIPs{} - - responseStatus.reason - - responseStatus.code - - userAgent - - src_ip - - user.groups{} - risk_score: 25 security_domain: threat diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index 2e1b0f688f..b3bf16236b 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -1,7 +1,7 @@ name: ASL AWS Concurrent Sessions From Different Ips id: b3424bbe-3204-4469-887b-ec144483a336 version: 6 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly 
@@ -21,40 +21,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has concurrent sessions from more than one unique IP address + in the span of 5 minutes. + risk_objects: + - field: user + type: user + score: 42 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised User Account - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 60 - impact: 70 - message: User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes. 
mitre_attack_id: - T1185 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim - required_fields: - - api.operation - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 42 security_domain: threat manual_test: Can't be tested automatically because of time span. tests: diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index 25df72cac5..eeb433eaa8 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -18,34 +18,13 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 90 - impact: 70 - message: User $user$ is attempting to create access keys mitre_attack_id: - T1136.003 - T1136 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 63 security_domain: network tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index e26aea3882..d4620bd070 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml 
@@ -23,35 +23,24 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ created a policy version that allows them to access any resource in their account + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 70 - impact: 70 - message: User $user$ created a policy version that allows them to access any resource in their account. mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account.uid - - api.request.data - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 49 security_domain: network tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index e748f22103..4c112af04c 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
@@ -23,40 +23,28 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is seen to make `GetPasswordData` API calls + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 70 - impact: 70 - message: User $user$ is seen to make `GetPasswordData` API calls mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.001 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 49 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 732863d4fb..300892fee9 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -22,40 +22,27 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is seen to reset the password for database + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 70 - impact: 70 - message: User $user$ is seen to reset the password for database mitre_attack_id: - T1586 - T1586.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - api.request.data - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 49 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 1a7c2f1613..bc99f507d0 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -1,7 +1,7 @@ name: ASL AWS Defense Evasion Delete Cloudtrail id: 1f0b47e5-0134-43eb-851c-e3258638945e version: 6 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP 
@@ -19,41 +19,34 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has deleted CloudTrail logging + risk_objects: + - field: user + type: user + score: 90 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user$ has deleted a CloudTrail mitre_attack_id: - T1562.008 - T1562 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 security_domain: threat 
tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index c7200975b5..7a1806f3c9 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -1,7 +1,7 @@ name: ASL AWS Defense Evasion Delete CloudWatch Log Group id: 0f701b38-a0fb-43fd-a83d-d12265f71f33 version: 5 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP 
@@ -19,45 +19,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has deleted a CloudWatch logging group + risk_objects: + - field: user + type: user + score: 90 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user$ has deleted a CloudWatch mitre_attack_id: - T1562 - T1562.008 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 90 security_domain: 
threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json source: aws_asl sourcetype: aws:asl diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index ae41522216..a6a76f9130 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -1,7 +1,7 @@ name: ASL AWS Defense Evasion Impair Security Services id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d version: 5 -date: '2024-10-17' +date: '2024-11-14' author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting @@ -19,34 +19,13 @@ tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 60 - impact: 70 - message: User $user$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $aws_account_id$ mitre_attack_id: - T1562.008 - T1562 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 42 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 3190e8f264..2b843cd24f 100644 
--- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml @@ -17,37 +17,15 @@ tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 40 - impact: 50 - message: User $user$ has created a new rule to on an S3 bucket $bucketName$ with short expiration days mitre_attack_id: - T1562.008 - T1562 - T1485.001 - T1485 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - api.request.data - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 20 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 42e436bcaf..28a9d9a628 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -1,14 +1,15 @@ name: ASL AWS Defense Evasion Stop Logging Cloudtrail id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1 version: 4 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. 
data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid + as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: 
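Review bot: The `search` line of asl_aws_defense_evasion_stop_logging_cloudtrail.yml is a logic fix, not a cosmetic one, yet `version: 4` is left untouched in the same hunk while only `date` moves to `2024-11-14`. The `stats ... by` clause groups on `actor.user.account.uid`, so the old `rename ... actor.user.account_uid as aws_account_id` referred to a field that never existed after `stats` and `$aws_account_id$` in the risk message would have been empty; the new `actor.user.account.uid as aws_account_id` corrects that. Bump `version` to 5 so consumers of this content can see that the search output changed.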
@@ -19,41 +20,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ + from IP $src_ip$ + risk_objects: + - field: user + type: user + score: 90 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src_ip$ mitre_attack_id: - T1562.008 - T1562 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent 
- - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 83b5fd9408..1b45a81b7f 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml 
@@ -1,14 +1,14 @@ name: ASL AWS Defense Evasion Update Cloudtrail id: f3eb471c-16d0-404d-897c-7653f0a78cba version: 4 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| 
`security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: 
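Review bot: Same version-bump gap as in the StopLogging detection: the `search` in asl_aws_defense_evasion_update_cloudtrail.yml fixes the rename from `actor.user.account_uid` to `actor.user.account.uid` (the field actually produced by the `stats ... by ... actor.user.account.uid` clause), which changes what `$aws_account_id$` resolves to, but the hunk keeps `version: 4` and only updates `date`. Increment `version` alongside a search change.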
@@ -19,41 +19,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has updated a cloudtrail logging for account id $aws_account_id$ + from IP $src_ip$ + risk_objects: + - field: user + type: user + score: 90 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src_ip$ mitre_attack_id: - T1562 - T1562.008 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - 
http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 90 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index 9098fe9358..41ee11048f 100644 --- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -37,34 +37,23 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware Cloud asset_type: AWS Account - confidence: 50 - impact: 50 - message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts. mitre_attack_id: - T1486 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - api.request.data - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 25 security_domain: threat tests: - name: True Positive Test 
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml index bc2f2f2887..b475b18556 100644 --- a/detections/cloud/asl_aws_disable_bucket_versioning.yml +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml @@ -30,39 +30,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious AWS S3 Activities - Data Exfiltration asset_type: AWS Account - confidence: 80 - impact: 80 - message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$ mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - api.request.data - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 64 security_domain: threat tests: - name: True Positive Test 
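Review bot: The new `rba.message` in asl_aws_disable_bucket_versioning.yml carries over the stray hyphen and odd casing from the old `message` ("Bucket Versioning is suspended for S3 buckets- $bucketName$ ..."). Since the message is being rewritten into the `rba` block anyway, this is the moment to clean it up, e.g. `message: Bucket versioning is suspended for S3 bucket $bucketName$ by user $user$ from IP address $src_ip$`; the risk object, threat object and score (80 * 80 / 100 = 64) line up with the removed `confidence`, `impact` and `observable` values.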
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml index 8fc0cf56fa..baeb005631 100644 --- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml @@ -30,39 +30,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Cloud Instance Activities - Data Exfiltration asset_type: EC2 Snapshot - confidence: 80 - impact: 60 - message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$ mitre_attack_id: - T1537 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - api.request.data - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 48 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index 2894275771..6222a0b4f0 100644 
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -1,7 +1,7 @@ name: ASL AWS ECR Container Upload Outside Business Hours id: 739ed682-27e9-4ba0-80e5-a91b97698213 version: 5 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly 
@@ -19,37 +19,32 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Container uploaded outside business hours from $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 70 - impact: 70 - message: Container uploaded outside business hours from $user$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: user - type: User - role: - - Victim - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 security_domain: network manual_test: Can't be tested automatically because of outside of business 
hours time tests: diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 8ce8bd56dd..156aab0bc0 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -1,7 +1,7 @@ name: ASL AWS ECR Container Upload Unknown User id: 886a8f46-d7e2-4439-b9ba-aec238e31732 version: 4 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly 
@@ -19,41 +19,34 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Container uploaded from unknown user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 70 - impact: 70 - message: Container uploaded from unknown user $user$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 security_domain: network 
tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml index 59de0fd09c..c4c121d8b5 100644 --- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml @@ -28,34 +28,25 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. + risk_objects: + - field: user + type: user + score: 10 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Cloud User Activities asset_type: AWS Account - confidence: 50 - impact: 20 - message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. mitre_attack_id: - T1580 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - src_endpoint.ip - - cloud.region - risk_score: 10 security_domain: access tests: - name: True Positive Test 
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml index b93bc70162..3eab43490b 100644 --- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml @@ -29,36 +29,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name. + risk_objects: + - field: user + type: user + score: 28 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 70 - impact: 40 - message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name. mitre_attack_id: - T1580 - T1110 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - api.operation - - actor.user.uid - - src_endpoint.ip - - cloud.region - risk_score: 28 security_domain: access tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index 42fdd2bb27..ea67cfda56 100644 
--- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -1,7 +1,7 @@ name: ASL AWS IAM Delete Policy id: 609ced68-d420-4ff7-8164-ae98b4b4018c version: 5 -date: '2024-10-17' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Hunting @@ -18,33 +18,12 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 50 - impact: 20 - message: User $user$ has deleted AWS Policies from IP address $src_ip$. mitre_attack_id: - T1098 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 10 security_domain: access tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 9baebc2f81..81c04e1523 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -1,7 +1,7 @@ name: ASL AWS IAM Failure Group Deletion id: 8d12f268-c567-4557-9813-f8389e235c06 version: 6 -date: '2024-10-22' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly 
@@ -20,40 +20,34 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has had mulitple failures while attempting to delete groups + from $src_ip$ + risk_objects: + - field: user + type: user + score: 5 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 50 - impact: 10 - message: User $user$ has had mulitple failures while attempting to delete groups from $src_ip$ mitre_attack_id: - T1098 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - 
src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 5 security_domain: access tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index 1479756ad8..0eb874ecb5 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -1,7 +1,7 @@ name: ASL AWS IAM Successful Group Deletion id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac version: 5 -date: '2024-10-22' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Hunting @@ -18,35 +18,14 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 50 - impact: 10 - message: User $user$ has sucessfully deleted a user group from $src_ip$ mitre_attack_id: - T1069.003 - T1098 - T1069 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 5 security_domain: access tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index b8803bcf64..a26e3c1500 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -1,7 +1,7 @@ name: ASL AWS Multi-Factor Authentication Disabled id: 4d2df5e0-1092-4817-88a8-79c7fa054668 version: 5 -date: '2024-09-30' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP 
@@ -20,44 +20,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has disabled Multi-Factor authentication + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 80 - impact: 80 - message: User $user$ has disabled Multi-Factor authentication mitre_attack_id: - T1586 - T1586.003 - T1621 - T1556 - T1556.006 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip 
- - src_endpoint.domain - - cloud.region - risk_score: 64 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml index 5b1bdcfe81..7d42dfa04e 100644 --- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml 
@@ -16,8 +16,8 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera | spath input=api.request.data path=networkAclId output=networkAclId | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0 | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId cidrBlock + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. 
@@ -31,38 +31,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has created network ACLs with all the ports opens to $cidrBlock$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Network ACL Activity asset_type: AWS Instance - confidence: 80 - impact: 60 - message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ mitre_attack_id: - T1562.007 - T1562 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - api.request.data - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region - risk_score: 48 security_domain: network tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml index 0995a94097..067e4b543f 100644 --- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml +++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml 
@@ -28,38 +28,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ from $src_ip$ has sucessfully deleted network ACLs entry. + risk_objects: + - field: user + type: user + score: 5 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Network ACL Activity asset_type: AWS Instance - confidence: 50 - impact: 10 - message: User $user$ from $src_ip$ has sucessfully deleted network ACLs entry. mitre_attack_id: - T1562.007 - T1562 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - api.request.data - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region - risk_score: 5 security_domain: network tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 2235799ae9..bf67c362b9 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -1,7 +1,7 @@ name: ASL AWS New MFA Method Registered For User id: 33ae0931-2a03-456b-b1d7-b016c5557fbd version: 6 -date: '2024-10-17' +date: '2024-11-14' author: Patrick Bareiss, Splunk status: experimental type: TTP 
@@ -16,38 +16,26 @@ references: - https://attack.mitre.org/techniques/T1556/ - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 +rba: + message: A new virtual device is added to user $user$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 80 - impact: 80 - message: A new virtual device is added to user $user$ mitre_attack_id: - T1556 - T1556.006 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region - risk_score: 64 security_domain: identity tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml index bc0a9502cd..a33f61d9ed 100644 --- a/detections/cloud/asl_aws_saml_update_identity_provider.yml +++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml 
@@ -29,36 +29,25 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ from IP address $src_ip$ updated the SAML provider + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Cloud Federated Credential Abuse asset_type: AWS Federated Account - confidence: 80 - impact: 80 - message: User $user$ from IP address $src_ip$ updated the SAML provider mitre_attack_id: - T1078 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region - risk_score: 64 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml index edd8676be2..eab3050952 100644 --- a/detections/cloud/asl_aws_updateloginprofile.yml +++ b/detections/cloud/asl_aws_updateloginprofile.yml 
@@ -27,37 +27,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ from IP address $src_ip$ updated the login profile of another user + risk_objects: + - field: user + type: user + score: 30 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 60 - impact: 50 - message: User $user$ from IP address $src_ip$ updated the login profile of another user mitre_attack_id: - T1136.003 - T1136 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.uid - - actor.user.account.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region - risk_score: 30 security_domain: threat tests: - name: True Positive Test diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml index 8ed30c0d5b..dbe7760777 100644 --- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml +++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml 
@@ -1,16 +1,31 @@ name: AWS AMI Attribute Modification for Exfiltration id: f2132d74-cf81-4c5e-8799-ab069e67dc9f -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP data_source: - AWS CloudTrail ModifyImageAttribute -description: The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information. -search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. 
+description: The following analytic detects suspicious modifications to AWS AMI attributes, + such as sharing an AMI with another AWS account or making it publicly accessible. + It leverages AWS CloudTrail logs to identify these changes by monitoring specific + API calls. This activity is significant because adversaries can exploit these modifications + to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this + could lead to unauthorized access and potential data breaches, compromising the + confidentiality and integrity of organizational information. +search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId + = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group + as group_added | rename requestParameters.launchPermission.add.items{}.userId as + accounts_added | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not + Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) + values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName + userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that an AWS admin has legitimately shared a + snapshot with others for a specific purpose. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ 
@@ -21,52 +36,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ + from $src_ip$ or AMI made is made Public. + risk_objects: + - field: user_arn + type: user + score: 80 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Cloud Instance Activities - Data Exfiltration asset_type: EC2 Snapshot - confidence: 80 - impact: 100 - message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public. 
mitre_attack_id: - T1537 - observable: - - name: user_arn - type: User - role: - - Attacker - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - requestParameters.attributeType - - aws_account_id - - vendor_region - - user_agent - - userIdentity.principalId - risk_score: 80 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml index bfe25effd2..fe2a6912a7 100644 --- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml 
@@ -1,16 +1,29 @@ name: AWS Concurrent Sessions From Different Ips id: 51c04fdb-2746-465a-b86e-b413a09c9085 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment. +description: The following analytic identifies an AWS IAM account with concurrent + sessions originating from more than one unique IP address within a 5-minute window. + It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, + to detect this behavior. This activity is significant as it may indicate a session + hijacking attack, where an adversary uses stolen session cookies to access AWS resources + from a different location. If confirmed malicious, this could allow unauthorized + access to sensitive corporate resources, leading to potential data breaches or further + exploitation within the AWS environment. data_source: - AWS CloudTrail DescribeEventAggregates -search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`' -how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. +search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | + bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as + src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count + > 1 | `aws_concurrent_sessions_from_different_ips_filter`' +how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: A user with concurrent sessions from different Ips may also + represent the legitimate use of more than one device. Filter as needed and/or customize + the threshold to fit your environment. references: - https://attack.mitre.org/techniques/T1185/ - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ 
@@ -21,46 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has concurrent sessions from more than one unique IP address + $src_ip$ in the span of 5 minutes. + risk_objects: + - field: user_arn + type: user + score: 42 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised User Account - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 60 - impact: 70 - message: User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes. 
mitre_attack_id: - T1185 - observable: - - name: user_arn - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - user_arn - - aws_account_id - - src_ip - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml index 753a51ea7a..7938f15e75 100644 --- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml +++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml 
@@ -1,16 +1,29 @@ name: AWS Console Login Failed During MFA Challenge id: 55349868-5583-466f-98ab-d3beb321961e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed. +description: The following analytic identifies failed authentication attempts to the + AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages + AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when + MFA was used but the login attempt still failed. This activity is significant as + it may indicate an adversary attempting to access an account with compromised credentials + but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing + attempt to breach the account, potentially leading to unauthorized access and further + attacks if MFA is bypassed. 
data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`' -how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -known_false_positives: Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. +search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" + additionalEventData.MFAUsed = "Yes" | stats count min(_time) as firstTime max(_time) + as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent + eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`' +how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search + requires AWS CloudTrail logs. +known_false_positives: Legitimate users may miss to reply the MFA challenge within + the time window or deny it by mistake. references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ 
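Review bot: In aws_console_login_failed_during_mfa_challenge.yml, the re-wrapped `known_false_positives` keeps the ungrammatical "may miss to reply the MFA challenge"; since the line is being rewritten anyway, suggest "Legitimate users may fail to respond to the MFA challenge within the time window or deny it by mistake." The search itself is unchanged apart from wrapping, and the missing space in `` `security_content_ctime(lastTime)`| `` is only cosmetic.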
@@ -20,52 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_name$ failed to pass MFA challenge while logging into console + from $src$ + risk_objects: + - field: user_name + type: user + score: 64 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover - Compromised User Account asset_type: AWS Account - confidence: 80 - impact: 80 - message: User $user_name$ failed to pass MFA challenge while logging into console from $src$ mitre_attack_id: - T1586 - T1586.003 - T1621 - observable: - - name: user_name - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src - - eventName 
- - eventSource - - aws_account_id - - errorCode - - errorMessage - - userAgent - - eventID - - awsRegion - - user_name - - userIdentity.arn - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml index 567992adfa..5f46f6eb98 100644 --- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml 
@@ -1,16 +1,32 @@ name: AWS Create Policy Version to allow all resources id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac4 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. +description: The following analytic identifies the creation of a new AWS IAM policy + version that allows access to all resources. It detects this activity by analyzing + AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that + grants broad permissions. This behavior is significant because it violates the principle + of least privilege, potentially exposing the environment to misuse or abuse. If + confirmed malicious, an attacker could gain extensive access to AWS resources, leading + to unauthorized actions, data exfiltration, or further compromise of the AWS environment. 
data_source: - AWS CloudTrail CreatePolicyVersion -search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = "*" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. +search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com + errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements + path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements + output=key_policy_action_1 path=Action | where key_policy_action_1 = "*" | stats + count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) + as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID + awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. 
+known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately created a policy to allow a user to access all + resources. That said, AWS strongly advises against granting full control to all + AWS resources and you must verify this activity. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ 
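Review bot: In aws_create_policy_version_to_allow_all_resources.yml, the re-wrapped `search` matches on `key_policy_action_1 = "*"` only: it never checks the statement's `Effect`, so a `Deny` statement with `Action: "*"` triggers the same alert, and despite the detection's name it tests `Action`, not `Resource`. Extracting `Effect` (and `Resource`) with a second `spath` and adding `Effect = "Allow"` to the `where` clause would make the detection match its description. Also, `how_to_implement` should use the product name consistently with the sibling file ("The Splunk AWS Add-on") rather than "splunk AWS add on".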
@@ -20,45 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ created a policy version that allows them to access any resource + in their account. + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 70 - impact: 70 - message: User $user$ created a policy version that allows them to access any resource in their account. 
mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - eventSource - - requestParameters.userName - - requestParameters.policyDocument - - aws_account_id - - awsRegion - - eventID - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml index 80e4d0492a..5e4a3636e3 100644 --- a/detections/cloud/aws_createaccesskey.yml +++ b/detections/cloud/aws_createaccesskey.yml 
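Review bot: In the rba hunk of aws_create_policy_version_to_allow_all_resources.yml the score of 49 is consistent with the removed confidence 70 and impact 70, but the unchanged `security_domain: network` sits oddly next to an IAM policy change; the other IAM account-takeover detections in this patch use `threat`. Since the tags block is being reworked here, this is a good moment to align it.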
@@ -1,16 +1,29 @@ name: AWS CreateAccessKey id: 2a9b80d3-6340-4345-11ad-212bf3d0d111 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. +description: The following analytic identifies the creation of AWS IAM access keys + by a user for another user, which can indicate privilege escalation. It leverages + AWS CloudTrail logs to detect instances where the user creating the access key is + different from the user for whom the key is created. This activity is significant + because unauthorized access key creation can allow attackers to establish persistence + or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized + access to AWS services, data exfiltration, and long-term persistence in the environment. 
data_source: - AWS CloudTrail CreateAccessKey -search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. +search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com + errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) + | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by + requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent + eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately created keys for another user. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ 
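Review bot: In aws_createaccesskey.yml, the re-wrapped `search` compares the actor and target user with `match(userIdentity.userName, requestParameters.userName)`, which treats `requestParameters.userName` as a regular expression and returns 1 on any partial match: a user `alice.admin` creating a key for `alice` is scored as "same user" and filtered out by `search match=0`, and a target name containing regex metacharacters can error or over-match. An exact comparison such as `eval match=if('userIdentity.userName'=='requestParameters.userName',1,0)` avoids both problems.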
@@ -18,37 +31,18 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 90 - impact: 70 - message: User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$ mitre_attack_id: - T1136.003 - T1136 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.userName - risk_score: 63 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml index df61daf43b..d72c2ed8a9 100644 --- a/detections/cloud/aws_createloginprofile.yml +++ b/detections/cloud/aws_createloginprofile.yml 
@@ -1,16 +1,31 @@ name: AWS CreateLoginProfile id: 2a9b80d3-6340-4345-11ad-212bf444d111 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment. +description: The following analytic identifies the creation of a login profile for + one AWS user by another, followed by a console login from the same source IP. It + uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` + events based on the source IP and user identity. This activity is significant as + it may indicate privilege escalation, where an attacker creates a new login profile + to gain unauthorized access. If confirmed malicious, this could allow the attacker + to escalate privileges and maintain persistent access to the AWS environment. 
data_source: - AWS CloudTrail CreateLoginProfile AND AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user. +search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName + as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | + join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | + rename userIdentity.userName as new_login_profile | stats count values(eventName) + min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode + userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile + src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] + | `aws_createloginprofile_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately created a login profile for another user. 
references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ 
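Review bot: In aws_createloginprofile.yml, the re-wrapped `search` still correlates `CreateLoginProfile` and `ConsoleLogin` with `join ... [| search ...]`; the subsearch is subject to the default result and runtime limits, so in a busy account the `ConsoleLogin` side can be silently truncated and the detection misses events. Rewriting the correlation as a single pass (search both event names, normalise the user name into `new_login_profile`, then `stats values(eventName) ... by new_login_profile src_ip` and `where` both events are present) would remove that ceiling. The `how_to_implement` wording "splunk AWS add on" also differs from the "Splunk AWS Add-on" used elsewhere in this patch.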
@@ -20,44 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ is attempting to create a login profile for $new_login_profile$ + and did a console login from this IP $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 72 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 80 - impact: 90 - message: User $user_arn$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$ mitre_attack_id: - T1136.003 - T1136 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.userName - risk_score: 72 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml index 725eaabcc0..7b19d32062 100644 --- a/detections/cloud/aws_credential_access_failed_login.yml +++ b/detections/cloud/aws_credential_access_failed_login.yml 
@@ -1,15 +1,28 @@ name: AWS Credential Access Failed Login id: a19b354d-0d7f-47f3-8ea6-1a7c36434968 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies unsuccessful login attempts to the AWS Management Console using a specific user identity. It leverages AWS CloudTrail logs to detect failed authentication events associated with the AWS ConsoleLogin action. This activity is significant for a SOC because repeated failed login attempts may indicate a brute force attack or unauthorized access attempts. If confirmed malicious, an attacker could potentially gain access to AWS account services and resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment. +description: The following analytic identifies unsuccessful login attempts to the + AWS Management Console using a specific user identity. It leverages AWS CloudTrail + logs to detect failed authentication events associated with the AWS ConsoleLogin + action. This activity is significant for a SOC because repeated failed login attempts + may indicate a brute force attack or unauthorized access attempts. If confirmed + malicious, an attacker could potentially gain access to AWS account services and + resources, leading to data breaches, resource manipulation, or further exploitation + within the AWS environment. 
data_source: - AWS CloudTrail -search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from + datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn + Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature + Authentication.dest Authentication.user Authentication.action Authentication.user_id + Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `aws_credential_access_failed_login_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. known_false_positives: Users may genuinely mistype or forget the password. references: - https://attack.mitre.org/techniques/T1110/001/ 
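Review bot: In aws_credential_access_failed_login.yml, the re-wrapped `search` has no threshold on `count`, so a single failed console login fires the detection, while the description motivates it with "repeated failed login attempts" and brute force; either the description should say that any failure is reported, or a `where count > N` (with N tunable per environment) should be added so the TTP matches its stated intent. The re-wrapped line with both `security_content_ctime` macros is also noticeably longer than the wrap width used elsewhere in this patch.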
@@ -19,49 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has a login failure from IP $src$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 70 - impact: 70 - message: User $user$ has a login failure from IP $src$ mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.001 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - app - - eventSource - - action - - signature - - dest - - user - - user_id - risk_score: 49 security_domain: threat tests: - 
name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml index e44bd0923d..24b5b4f9f6 100644 --- a/detections/cloud/aws_credential_access_getpassworddata.yml +++ b/detections/cloud/aws_credential_access_getpassworddata.yml 
@@ -1,16 +1,30 @@ name: AWS Credential Access GetPasswordData id: 4d347c4a-306e-41db-8d10-b46baf71b3e2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. +description: The following analytic identifies more than 10 GetPasswordData API calls + within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to + detect this activity by counting the distinct instance IDs accessed. This behavior + is significant as it may indicate an attempt to retrieve encrypted administrator + passwords for running Windows instances, which is a critical security concern. If + confirmed malicious, attackers could gain unauthorized access to administrative + credentials, potentially leading to full control over the affected instances and + further compromise of the AWS environment. 
data_source: - AWS CloudTrail GetPasswordData -search: '`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment. -known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. +search: '`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin + _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) + as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by + aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids + > 10 | `aws_credential_access_getpassworddata_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. We encourage the users to adjust the values + of `distinct_instance_ids` and tweak the `span` value according to their environment. +known_false_positives: Administrator tooling or automated scripts may make these calls + but it is highly unlikely to make several calls in a short period of time. references: - https://attack.mitre.org/techniques/T1552/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ 
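Review bot: In aws_credential_access_getpassworddata.yml, the description says the analytic fires on "more than 10 GetPasswordData API calls within a 5-minute window", but the re-wrapped `search` thresholds on `distinct_instance_ids > 10`, i.e. on distinct instance IDs rather than on call volume; eleven calls against the same instance never trigger. Either the description should state the distinct-instance threshold, or the `where` should also consider `count`, consistent with the `how_to_implement` hint to tune `distinct_instance_ids` and `span`.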
@@ -20,49 +34,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to + instance ids $instance_ids$ from IP $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 70 - impact: 70 - message: User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$ mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.001 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - 
Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - userIdentity.userName - - userAgent - - userIdentity.accountId - - sourceIPAddress - - awsRegion - risk_score: 49 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml index 12fec148b6..16d5d8fce2 100644 --- a/detections/cloud/aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/aws_credential_access_rds_password_reset.yml 
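Review bot: the new `rba.message` in the GetPasswordData hunk above carries over the typo `mulitple`; since the line is being rewritten anyway, change it to `multiple`. The rest of the migration is consistent with what it replaces: `risk_objects` maps `user_arn` to `user` and `threat_objects` maps `src_ip` to `ip_address`, mirroring the removed Victim/Attacker observables, and `score: 49` equals the removed `risk_score`. Dropping `required_fields` loses nothing here either, since that list named `userIdentity.userName` and `sourceIPAddress` rather than the `user_arn` and `src_ip` fields the search actually groups by.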
@@ -1,15 +1,26 @@ name: AWS Credential Access RDS Password reset id: 6153c5ea-ed30-4878-81e6-21ecdb198189 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. +description: The following analytic detects the resetting of the master user password + for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events + where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. + This activity is significant because unauthorized password resets can grant attackers + access to sensitive data stored in production databases, such as credit card information, + PII, and healthcare data. If confirmed malicious, this could lead to data breaches, + regulatory non-compliance, and significant reputational damage. Immediate investigation + is required to determine the legitimacy of the password reset. 
data_source: - AWS CloudTrail ModifyDBInstance -search: '`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +search: '`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) + as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. known_false_positives: Users may genuinely reset the RDS password. references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds 
@@ -19,47 +30,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$database_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $database_id$ password has been reset from IP $src$ + risk_objects: + - field: database_id + type: system + score: 49 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 70 - impact: 70 - message: $database_id$ password has been reset from IP $src$ mitre_attack_id: - T1586 - T1586.003 - T1110 - observable: - - name: database_id - type: Endpoint - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - requestParameters.dBInstanceIdentifier - - userAgent - 
- sourceIPAddress - - awsRegion - risk_score: 49 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml index b4ab080433..709d1872fe 100644 --- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml +++ b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml 
@@ -1,50 +1,62 @@ name: AWS Cross Account Activity From Previously Unseen Account id: 21193641-cb96-4a2c-a707-d9b9a7f7792b -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. +description: The following analytic identifies AssumeRole events where an IAM role + in a different AWS account is accessed for the first time. It detects this activity + by analyzing authentication logs and comparing the requesting and requested account + IDs, flagging new cross-account activities. This behavior is significant because + unauthorized cross-account access can indicate potential lateral movement or privilege + escalation attempts. If confirmed malicious, an attacker could gain unauthorized + access to resources in another account, potentially leading to data exfiltration, + service disruption, or further compromise of the AWS environment. 
data_source: - AWS CloudTrail -search: '| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New Cross Account Activity","Previously Seen") | where status = "New Cross Account Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro. -known_false_positives: Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request. 
+search: '| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication + where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user + Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` + | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account + != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId + | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, + OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New + Cross Account Activity","Previously Seen") | where status = "New Cross Account + Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `aws_cross_account_activity_from_previously_unseen_account_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen AWS Cross Account + Activity - Initial` to build the initial table of source IP address, geographic + locations, and times. You must also enable the second baseline search `Previously + Seen AWS Cross Account Activity - Update` to keep this table up to date and to age + out old data. You can also provide additional filtering for this search by customizing + the `aws_cross_account_activity_from_previously_unseen_account_filter` macro. +known_false_positives: Using multiple AWS accounts and roles is perfectly valid behavior. + It's suspicious when an account requests privileges of an account it hasn't before. + You should validate with the account owner that this is a legitimate request. references: [] +rba: + message: AWS account $requestingAccountId$ is trying to access resource from some + other account $requestedAccountId$, for the first time. 
+ risk_objects: + - field: user + type: user + score: 15 + threat_objects: [] tags: analytic_story: - Suspicious Cloud Authentication Activities asset_type: AWS Instance - confidence: 50 - impact: 30 - message: AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time. - observable: - - name: requestingAccountId - type: Other - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.vendor_account - - Authentication.user - - Authentication.user_role - - Authentication.src - risk_score: 15 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml index 6f641c7a60..15acf34a9a 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml 
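Review bot: the `rex` on the `+` lines of this hunk reads `"arn:aws:sts:*:(?.*):"` with no capture-group name, yet the next command compares `vendor_account != dest_account`; if the `<dest_account>` group name was lost during the rewrap, `dest_account` is never populated and the `where` clause filters out every row, so confirm the named group is intact in the committed file. Two smaller points on the same hunk: `how_to_implement` says the baseline builds "the initial table of source IP address, geographic locations, and times", but the lookup `previously_seen_aws_cross_account_activity` is keyed on `requestingAccountId, requestedAccountId` and outputs `firstTime`, so that sentence describes a different baseline and should name the account-ID pair instead; and `threat_objects: []` drops `requestingAccountId`, which the removed `observable` block tagged as Attacker and which the `rba.message` still interpolates, so either record it as a threat object (if the schema has a suitable type) or note in the message that only `user` is scored.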
@@ -1,16 +1,29 @@ name: AWS Defense Evasion Delete Cloudtrail id: 82092925-9ca1-4e06-98b8-85a2d3889552 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the deletion of AWS CloudTrail logs by identifying `DeleteTrail` events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation. +description: The following analytic detects the deletion of AWS CloudTrail logs by + identifying `DeleteTrail` events within CloudTrail logs. This detection leverages + CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those + initiated from the AWS console. This activity is significant because adversaries + may delete CloudTrail logs to evade detection and operate stealthily within the + compromised environment. If confirmed malicious, this action could allow attackers + to cover their tracks, making it difficult to trace their activities and potentially + leading to prolonged unauthorized access and further exploitation. 
data_source: - AWS CloudTrail DeleteTrail -search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. +search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com + userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as + firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name + by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in + your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: 
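Review bot: `known_false_positives` in this hunk says an admin may have "stopped cloudTrail logging", but the search matches only `eventName = DeleteTrail`, so "stopped" (which reads like a StopLogging call) misdescribes what would trigger the analytic; suggest "deleted a CloudTrail trail" and the product spelling `CloudTrail` while the line is being reflowed.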
@@ -19,46 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ + from IP $src$ + risk_objects: + - field: user_arn + type: user + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$ mitre_attack_id: - T1562.008 - T1562 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - requestParameters.name - - 
userAgent - - aws_account_id - - src - - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml index b3592458d3..50d8d4f9f7 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml 
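Review bot: the new `rba.message` line in this hunk, `User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$`, is ungrammatical; suggest `User $user_arn$ has deleted CloudTrail trail $deleted_cloudtrail_name$ for account id $aws_account_id$ from IP $src$`, which also surfaces the `deleted_cloudtrail_name` field the search already extracts. The `risk_objects`/`threat_objects` mapping and `score: 90` match the removed observables and `risk_score`, so no other change is needed.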
@@ -1,16 +1,29 @@ name: AWS Defense Evasion Delete CloudWatch Log Group id: d308b0f1-edb7-4a62-a614-af321160710f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment. +description: The following analytic detects the deletion of CloudWatch log groups + in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection + leverages CloudTrail data to monitor for successful log group deletions, excluding + console-based actions. This activity is significant as it indicates potential attempts + to evade logging and monitoring, which is crucial for maintaining visibility into + AWS activities. If confirmed malicious, this could allow attackers to hide their + tracks, making it difficult to detect further malicious actions or investigate incidents + within the compromised AWS environment. 
data_source: - AWS CloudTrail DeleteLogGroup -search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. +search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com + userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as + firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name + by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in + your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: 
@@ -19,47 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ + from IP $src$ + risk_objects: + - field: user_arn + type: user + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$ mitre_attack_id: - T1562 - T1562.008 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - 
requestParameters.name - - userAgent - - aws_account_id - - src - - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml index 3f56568fb1..1f05298c2f 100644 --- a/detections/cloud/aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml 
@@ -1,11 +1,18 @@ name: AWS Defense Evasion Impair Security Services id: b28c4957-96a6-47e0-a965-6c767aac1458 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting -description: The following analytic detects attempts to delete critical AWS security service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages CloudTrail logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment. +description: The following analytic detects attempts to delete critical AWS security + service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web + Application Firewall rules. It leverages CloudTrail logs to identify specific API + calls like "DeleteLogStream" and "DeleteDetector." This activity is significant + because it indicates potential efforts to disable security monitoring and evade + detection. If confirmed malicious, this could allow attackers to operate undetected, + escalate privileges, or exfiltrate data without triggering security alerts, severely + compromising the security posture of the AWS environment. data_source: - AWS CloudTrail DeleteLogStream - AWS CloudTrail DeleteDetector 
@@ -15,9 +22,16 @@ data_source: - AWS CloudTrail DeleteRuleGroup - AWS CloudTrail DeleteLoggingConfiguration - AWS CloudTrail DeleteAlarms -search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. +search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") + | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as + eventName values(eventSource) as eventSource values(requestParameters.*) as * by + src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in + your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible + that it is a legitimate admin activity. Please consider filtering out these noisy + events using userAgent, user_arn field names. 
references: - https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html - https://docs.aws.amazon.com/cli/latest/reference/waf/index.html @@ -26,41 +40,18 @@ tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 60 - impact: 70 - message: User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$ mitre_attack_id: - T1562.008 - T1562 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - user_agent - - user_type - - aws_account_id - - src - - region - - errorCode - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml index eaaf7d469a..4d98499ce9 100644 --- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml 
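Review bot: the `tags:` hunk of aws_defense_evasion_impair_security_services.yml removes `message`, `observable` and `risk_score: 42` without adding an `rba:` block, unlike the Anomaly and TTP detections earlier in this PR, which each gain one. If Hunting analytics intentionally carry no risk block under the new schema, a one-line note in the PR description would save reviewers checking each file; otherwise the message text that interpolated `$user_arn$`, `$eventName$` and `$aws_account_id$` has been lost and should be moved into `rba.message` as the other files do.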
@@ -1,60 +1,51 @@ name: AWS Defense Evasion PutBucketLifecycle id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel status: production type: Hunting -description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. +description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail + logs where a user sets a lifecycle rule for an S3 bucket with an expiration period + of fewer than three days. This detection leverages CloudTrail logs to identify suspicious + lifecycle configurations. This activity is significant because attackers may use + it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic + investigations. If confirmed malicious, this could allow attackers to cover their + tracks, making it difficult to trace their actions and respond to the breach effectively. 
data_source: - AWS CloudTrail PutBucketLifecycle -search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. -known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. +search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success + | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days + output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name + | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName + userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in + your AWS Environment. We recommend our users to set the expiration days value according + to your company's log retention policies. +known_false_positives: While this search has no known false positives, it is possible + that it is a legitimate admin activity. 
Please consider filtering out these noisy + events using userAgent, user_arn field names. references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 40 - impact: 50 - message: User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days mitre_attack_id: - T1562.008 - T1562 - T1485.001 - T1485 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - requestParameters.name - - userAgent - - aws_account_id - - src - - region - - requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days - - requestParameters{}.bucketName - risk_score: 20 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml index 295ffc430a..e59c2100ae 100644 --- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -1,16 +1,29 @@ name: AWS Defense Evasion Stop Logging Cloudtrail id: 8a2f3ca2-4eb5-4389-a549-14063882e537 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects `StopLogging` events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration. +description: The following analytic detects `StopLogging` events in AWS CloudTrail + logs. It leverages CloudTrail event data to identify when logging is intentionally + stopped, excluding console-based actions and focusing on successful attempts. This + activity is significant because adversaries may stop logging to evade detection + and operate stealthily within the compromised environment. If confirmed malicious, + this action could allow attackers to perform further activities without being logged, + hindering incident response and forensic investigations, and potentially leading + to unauthorized access or data exfiltration. 
data_source: - AWS CloudTrail StopLogging -search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' -how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. +search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com + userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as + firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name + by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' +how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in + your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: 
@@ -19,46 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ + from IP $src$ + risk_objects: + - field: user_arn + type: user + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$ mitre_attack_id: - T1562.008 - T1562 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - requestParameters.name - - 
userAgent - - aws_account_id - - src - - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml index df108b6ae9..89559d06de 100644 --- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml 
@@ -1,16 +1,29 @@ name: AWS Defense Evasion Update Cloudtrail id: 7c921d28-ef48-4f1b-85b3-0af8af7697db -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects `UpdateTrail` events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment. +description: The following analytic detects `UpdateTrail` events in AWS CloudTrail + logs. It identifies attempts to modify CloudTrail settings, potentially to evade + logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events + where the user agent is not the AWS console and the operation is successful. This + activity is significant because altering CloudTrail settings can disable or limit + logging, hindering visibility into AWS account activities. If confirmed malicious, + this could allow attackers to operate undetected, compromising the integrity and + security of the AWS environment. 
data_source: - AWS CloudTrail UpdateTrail -search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. +search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com + userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as + firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name + by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in + your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: 
@@ -19,47 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ + from IP $src$ + risk_objects: + - field: user_arn + type: user + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Defense Evasion asset_type: AWS Account - confidence: 90 - impact: 100 - message: User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$ mitre_attack_id: - T1562 - T1562.008 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - requestParameters.name - - 
userAgent - - aws_account_id - - src - - region - risk_score: 90 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_detect_attach_to_role_policy.yml b/detections/cloud/aws_detect_attach_to_role_policy.yml index ac2ad5e64a..b3b55c8829 100644 --- a/detections/cloud/aws_detect_attach_to_role_policy.yml +++ b/detections/cloud/aws_detect_attach_to_role_policy.yml 
@@ -1,36 +1,37 @@ name: aws detect attach to role policy id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure. +description: The following analytic identifies a user attaching a policy to a different + role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` + event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. + This activity is significant as it can indicate attempts at lateral movement or + privilege escalation within the AWS environment. If confirmed malicious, an attacker + could gain elevated permissions, potentially compromising sensitive resources and + data within the AWS infrastructure. data_source: [] -search: '`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`' -how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -known_false_positives: Attach to policy can create a lot of noise. 
This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies. +search: '`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn + | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn + eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated + userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`' +how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This + search works with cloudwatch logs +known_false_positives: Attach to policy can create a lot of noise. This search can + be adjusted to provide specific values to identify cases of abuse (i.e status=failure). + The search can provide context for common users attaching themselves to higher privilege + policies or even newly created policies. references: [] tags: analytic_story: - AWS Cross Account Activity asset_type: AWS Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - requestParameters.policyArn - risk_score: 25 security_domain: threat diff --git a/detections/cloud/aws_detect_permanent_key_creation.yml b/detections/cloud/aws_detect_permanent_key_creation.yml index feb8296518..49c164d0b4 100644 --- a/detections/cloud/aws_detect_permanent_key_creation.yml +++ b/detections/cloud/aws_detect_permanent_key_creation.yml 
@@ -1,45 +1,34 @@ name: aws detect permanent key creation id: 12d6d713-3cb4-4ffc-a064-1dca3d1cca01 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration. +description: The following analytic detects the creation of permanent access keys + in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` + action is performed by IAM users. Monitoring the creation of permanent keys is crucial + as they are not created by default and are typically used for programmatic access. + If confirmed malicious, this activity could allow attackers to gain persistent access + to AWS resources, potentially leading to unauthorized actions and data exfiltration. data_source: [] -search: '`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -known_false_positives: Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context. 
+search: '`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey + "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent + action status responseElements.accessKey.createDate responseElements.accessKey.status + responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with cloudwatch logs +known_false_positives: Not all permanent key creations are malicious. If there is + a policy of rotating keys this search can be adjusted to provide better context. references: [] tags: analytic_story: - AWS Cross Account Activity asset_type: AWS Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.type - - sourceIPAddress - - userName userIdentity.type - - userAgent - - action - - status - - responseElements.accessKey.createDate - - esponseElements.accessKey.status - - responseElements.accessKey.accessKeyId - risk_score: 25 security_domain: threat diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/cloud/aws_detect_role_creation.yml index 6b9fa9aba6..068b428177 100644 --- a/detections/cloud/aws_detect_role_creation.yml +++ b/detections/cloud/aws_detect_role_creation.yml 
@@ -1,52 +1,36 @@ name: aws detect role creation id: 5f04081e-ddee-4353-afe4-504f288de9ad -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action is performed, focusing on roles with specific trust policies. This activity is significant as unauthorized role creation can facilitate lateral movement and privilege escalation within the AWS environment. If confirmed malicious, attackers could gain elevated permissions, potentially compromising sensitive resources and data. +description: The following analytic identifies the creation of new IAM roles by users + in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action + is performed, focusing on roles with specific trust policies. This activity is significant + as unauthorized role creation can facilitate lateral movement and privilege escalation + within the AWS environment. If confirmed malicious, attackers could gain elevated + permissions, potentially compromising sensitive resources and data. data_source: [] -search: '`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`' -how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -known_false_positives: CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases. 
+search: '`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole + requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId + userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName + requestParameters.description responseElements.role.arn responseElements.role.createDate + | `aws_detect_role_creation_filter`' +how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This + search works with cloudwatch logs +known_false_positives: CreateRole is not very common in common users. This search + can be adjusted to provide specific values to identify cases of abuse. In general + AWS provides plenty of trust policies that fit most use cases. references: [] tags: analytic_story: - AWS Cross Account Activity asset_type: AWS Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - event_name - - action - - userIdentity.type - - requestParameters.description - - sourceIPAddress - - userIdentity.principalId - - userIdentity.arn - - action - - event_name - - awsRegion - - http_user_agent - - mfa_auth - - msg - - requestParameters.roleName - - requestParameters.description - - responseElements.role.arn - - responseElements.role.createDate - risk_score: 25 security_domain: threat diff --git a/detections/cloud/aws_detect_sts_assume_role_abuse.yml b/detections/cloud/aws_detect_sts_assume_role_abuse.yml index cfac2757f8..4a67dd42fc 100644 --- a/detections/cloud/aws_detect_sts_assume_role_abuse.yml +++ b/detections/cloud/aws_detect_sts_assume_role_abuse.yml 
@@ -1,46 +1,37 @@ name: aws detect sts assume role abuse id: 8e565314-b6a2-46d8-9f05-1a34a176a662 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions. +description: The following analytic identifies suspicious use of the AWS STS AssumeRole + action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, + focusing on specific fields like source IP address, user ARN, and role names. This + activity is significant because attackers can use assumed roles to move laterally + within the AWS environment and escalate privileges. If confirmed malicious, this + could allow attackers to gain unauthorized access to sensitive resources, execute + code, or further entrench themselves within the environment, leading to potential + data breaches or service disruptions. data_source: [] -search: '`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This search works with AWS CloudTrail logs -known_false_positives: Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse. +search: '`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role + | table sourceIPAddress userIdentity.arn user_agent user_access_key status action + requestParameters.roleName responseElements.role.roleName responseElements.role.createDate + | `aws_detect_sts_assume_role_abuse_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs +known_false_positives: Sts:AssumeRole can be very noisy as it is a standard mechanism + to provide cross account and cross resources access. This search can be adjusted + to provide specific values to identify cases of abuse. references: [] tags: analytic_story: - AWS Cross Account Activity asset_type: AWS Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user_type - - userIdentity.sessionContext.sessionIssuer.type - - sourceIPAddress - - userIdentity.arn - - user_agent - - user_access_key - - status - - action - - requestParameters.roleName - - esponseElements.role.roleName - - esponseElements.role.createDate - risk_score: 25 security_domain: threat diff --git a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml index 786a155632..0ff88c17b8 100644 --- a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml +++ b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml 
@@ -1,45 +1,36 @@ name: aws detect sts get session token abuse id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure. +description: The following analytic identifies the suspicious use of the AWS STS GetSessionToken + API call. It leverages CloudWatch logs to detect instances where this API is invoked, + focusing on fields such as source IP address, event time, user identity, and status. + This activity is significant because attackers can use these tokens to move laterally + within the AWS environment and escalate privileges. If confirmed malicious, this + could lead to unauthorized access and control over AWS resources, potentially compromising + sensitive data and critical infrastructure. data_source: [] -search: '`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`' -how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -known_false_positives: Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. 
In specific environments the use of field requestParameters.serialNumber will need to be used. +search: '`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName + | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn + userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`' +how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This + search works with cloudwatch logs +known_false_positives: Sts:GetSessionToken can be very noisy as in certain environments + numerous calls of this type can be executed. This search can be adjusted to provide + specific values to identify cases of abuse. In specific environments the use of + field requestParameters.serialNumber will need to be used. references: [] tags: analytic_story: - AWS Cross Account Activity asset_type: AWS Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1550 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.type - - eventName - - sourceIPAddress - - eventTime - - userIdentity.arn - - userName - - userAgent - - user_type - - status - - region - risk_score: 25 security_domain: threat diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index bd135750bd..c5241c74bc 100644 --- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml 
@@ -1,16 +1,32 @@ name: AWS Detect Users creating keys with encrypt policy without MFA id: c79c164f-4b21-4847-98f9-cf6a9f49179e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Rod Soto, Patrick Bareiss Splunk status: production type: TTP -description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. +description: The following analytic detects the creation of AWS KMS keys with an encryption + policy accessible to everyone, including external entities. It leverages AWS CloudTrail + logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action + is granted to all principals. This activity is significant as it may indicate a + compromised account, allowing an attacker to misuse the encryption key to target + other organizations. If confirmed malicious, this could lead to unauthorized data + encryption, potentially disrupting operations and compromising sensitive information + across multiple entities. 
data_source: - AWS CloudTrail CreateKey - AWS CloudTrail PutKeyPolicy -search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs +search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy + output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | + spath input=key_policy_statements output=key_policy_action_1 path=Action | spath + input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, + key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal + path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" + | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource + eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This + search works with AWS CloudTrail logs known_false_positives: unknown references: - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ 
@@ -22,41 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS account is potentially compromised and user $user$ is trying to compromise + other accounts. + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware Cloud asset_type: AWS Account - confidence: 50 - impact: 50 - message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts. 
mitre_attack_id: - T1486 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - eventID - - awsRegion - - requestParameters.policy - - userIdentity.principalId - risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml index 0e8a27b026..074c3883c1 100644 --- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml +++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml 
@@ -1,15 +1,28 @@ name: AWS Detect Users with KMS keys performing encryption S3 id: 884a5f59-eec7-4f4a-948b-dbde18225fdc -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Rod Soto, Patrick Bareiss Splunk status: production type: Anomaly -description: The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality. +description: The following analytic identifies users with KMS keys performing encryption + operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` + event where server-side encryption with AWS KMS is specified. This activity is significant + as it may indicate unauthorized or suspicious encryption of data, potentially masking + exfiltration or tampering efforts. If confirmed malicious, an attacker could be + encrypting sensitive data to evade detection or preparing it for exfiltration, posing + a significant risk to data integrity and confidentiality. 
data_source: - AWS CloudTrail -search: '`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`' -how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs +search: '`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" + | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source + AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime + max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file + values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS + region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`' +how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs known_false_positives: There maybe buckets provisioned with S3 encryption references: - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ 
@@ -21,42 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ with KMS keys is performing encryption, against S3 buckets + on these files $dest_file$ + risk_objects: + - field: user + type: user + score: 15 + threat_objects: [] tags: analytic_story: - Ransomware Cloud asset_type: S3 Bucket - confidence: 50 - impact: 30 - message: User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$ mitre_attack_id: - T1486 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - requestParameters.x-amz-server-side-encryption - - requestParameters.bucketName - - requestParameters.x-amz-copy-source - - requestParameters.key - - userAgent 
- - region - risk_score: 15 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml index 6fa9db70cd..8fd550eba5 100644 --- a/detections/cloud/aws_disable_bucket_versioning.yml +++ b/detections/cloud/aws_disable_bucket_versioning.yml 
@@ -1,16 +1,28 @@ name: AWS Disable Bucket Versioning id: 657902a9-987d-4879-a1b2-e7a65512824b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly data_source: - AWS CloudTrail PutBucketVersioning -description: The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability. -search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. +description: The following analytic detects when AWS S3 bucket versioning is suspended + by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events + with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant + because disabling versioning can prevent recovery of deleted or modified data, which + is a common tactic in ransomware attacks. 
If confirmed malicious, this action could + lead to data loss and hinder recovery efforts, severely impacting data integrity + and availability. +search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended + | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) + as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn + userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `aws_disable_bucket_versioning_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that an AWS Administrator has legitimately disabled + versioning on certain buckets to avoid costs. references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 
@@ -20,52 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ + from IP address $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious AWS S3 Activities - Data Exfiltration asset_type: AWS Account - confidence: 80 - impact: 80 - message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$ mitre_attack_id: - T1490 - observable: - - name: user_arn - type: User - role: - - Attacker - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk 
Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - aws_account_id - - destinationLocationArn - - sourceLocationArn - - userAgent - - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml index ef27377ae0..8b0bed9a24 100644 --- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml 
@@ -1,16 +1,29 @@ name: AWS EC2 Snapshot Shared Externally id: 2a9b80d3-6340-4345-b5ad-290bf3d222c4 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. +description: The following analytic detects when an EC2 snapshot is shared with an + external AWS account by analyzing AWS CloudTrail events. This detection method leverages + CloudTrail logs to identify modifications in snapshot permissions, specifically + when the snapshot is shared outside the originating AWS account. This activity is + significant as it may indicate an attempt to exfiltrate sensitive data stored in + the snapshot. If confirmed malicious, an attacker could gain unauthorized access + to the snapshot's data, potentially leading to data breaches or further exploitation + of the compromised information. 
data_source: - AWS CloudTrail ModifySnapshotAttribute -search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = "No Match" | `aws_ec2_snapshot_shared_externally_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. +search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId + as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No + Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id + aws_account_id match vendor_region user_agent userIdentity.principalId | where match + = "No Match" | `aws_ec2_snapshot_shared_externally_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that an AWS admin has legitimately shared a + snapshot with others for a specific purpose. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ 
@@ -21,52 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ + by user $user_arn$ from $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 48 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Cloud Instance Activities - Data Exfiltration asset_type: EC2 Snapshot - confidence: 80 - impact: 60 - message: AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$ mitre_attack_id: - T1537 - observable: - - name: user_arn - type: User - role: - - Attacker - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: 
- Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - requestParameters.attributeType - - aws_account_id - - vendor_region - - user_agent - - userIdentity.principalId - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml index d2a76017a5..2d8b0c01a9 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml 
@@ -1,15 +1,32 @@ name: AWS ECR Container Scanning Findings High id: 30a0e9f8-f1dd-4f9d-8fc2-c622461d781c -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture. +description: The following analytic identifies high-severity findings from AWS Elastic + Container Registry (ECR) image scans. It detects these activities by analyzing AWS + CloudTrail logs for the DescribeImageScanFindings event, specifically filtering + for findings with a high severity level. This activity is significant for a SOC + because high-severity vulnerabilities in container images can lead to potential + exploitation if not addressed. If confirmed malicious, attackers could exploit these + vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate + privileges within the container environment, posing a significant risk to the overall + security posture. 
data_source: - AWS CloudTrail DescribeImageScanFindings -search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings + | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand + findings | spath input=findings | search severity=HIGH | rename name as finding_name, + description as finding_description, requestParameters.imageId.imageDigest as imageDigest, + requestParameters.repositoryName as repository, userIdentity.principalId as user + | eval finding = finding_name.", ".finding_description | eval phase="release" | + eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, + eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. 
known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 
@@ -19,47 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Vulnerabilities with severity high found in repository $repository$ + risk_objects: + - field: user + type: user + score: 70 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 100 - impact: 70 - message: Vulnerabilities with severity high found in repository $repository$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: user - type: User - role: - - Attacker - - name: repository - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - eventSource - - eventName - - responseElements.imageScanFindings.findings{} - - awsRegion - - requestParameters.imageId.imageDigest - - 
requestParameters.repositoryName - - user - - userName - - src_ip - risk_score: 70 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml index 245e8ca743..12c75e5cdc 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml 
@@ -1,15 +1,32 @@ name: AWS ECR Container Scanning Findings Low Informational Unknown id: cbc95e44-7c22-443f-88fd-0424478f5589 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Patrick Bareiss, Eric McGinnis Splunk status: production type: Anomaly -description: The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment. +description: The following analytic identifies low, informational, or unknown severity + findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS + CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these + findings. This activity is significant for a SOC as it helps in early identification + of potential vulnerabilities or misconfigurations in container images, which could + be exploited if left unaddressed. If confirmed malicious, these findings could lead + to unauthorized access, data breaches, or further exploitation within the containerized + environment. 
data_source: - AWS CloudTrail DescribeImageScanFindings -search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="low" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
+search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings + | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand + findings | spath input=findings| search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest + as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId + as user | eval finding = finding_name.", ".finding_description | eval phase="release" + | eval severity="low" | stats min(_time) as firstTime max(_time) as lastTime by + awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, + phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 
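Review bot: the rewrapped `description` still ends with "If confirmed malicious, these findings could lead to ...", but a low, informational or unknown scan finding is a vulnerability report, not an adversary action, so "confirmed malicious" does not apply; since the paragraph is being rewritten anyway, replace that sentence with the expected analyst action (triage the finding and rebuild or patch the image). While touching `how_to_implement`, write the product name out ("You must install the Splunk Add-on for AWS ..."), and note the missing space in `spath input=findings| search` in the rewrapped search, which is cosmetic but easy to fix here.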
@@ -19,47 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Vulnerabilities with severity $severity$ found in repository $repository$ + risk_objects: + - field: user + type: user + score: 5 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 50 - impact: 10 - message: Vulnerabilities with severity $severity$ found in repository $repository$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: user - type: User - role: - - Attacker - - name: repository - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - eventSource - - eventName - - responseElements.imageScanFindings.findings{} - - awsRegion - - requestParameters.imageId.imageDigest - - 
requestParameters.repositoryName - - user - - userName - - src_ip - risk_score: 5 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml index ee7ebcdc9a..74e533680f 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml 
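Review bot: in the `rba` hunk above for the low/informational/unknown detection, the only risk object is `user` (score 5), but the drilldown named `View risk events for the last 7 days for "$repository$"` searches `normalized_risk_object IN ("$repository$")`; with this change that drilldown returns nothing because no risk event is written for the repository. The dropped `observable` entry `repository` (type Other, role Victim) used to supply that risk object, so either add `- field: repository` / `type: other` under `risk_objects` or change the drilldown to `$user$`.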
@@ -1,15 +1,31 @@ name: AWS ECR Container Scanning Findings Medium id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture. +description: The following analytic identifies medium-severity findings from AWS Elastic + Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically + the DescribeImageScanFindings event, to detect vulnerabilities in container images. + This activity is significant for a SOC as it highlights potential security risks + in containerized applications, which could be exploited if not addressed. If confirmed + malicious, these vulnerabilities could lead to unauthorized access, data breaches, + or further exploitation within the container environment, compromising the overall + security posture. 
data_source: - AWS CloudTrail DescribeImageScanFindings -search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user| eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings + | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand + findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, + description as finding_description, requestParameters.imageId.imageDigest as imageDigest, + requestParameters.repositoryName as repository, userIdentity.principalId as user| + eval finding = finding_name.", ".finding_description | eval phase="release" | eval + severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, + eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. 
known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 
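Review bot: `how_to_implement` is rewrapped in this hunk but keeps the wording "splunk AWS add on"; write "Splunk Add-on for AWS" and, more usefully, state what the reader has to configure: the `cloudtrail` macro must point at the CloudTrail index/sourcetype and `aws_ecr_container_scanning_findings_medium_filter` is the tuning hook. The search also does `search severity=MEDIUM` and then `eval severity="medium"` only to lowercase the value; `eval severity=lower(severity)` would do the same without hard-coding the string and keeps the three sibling detections identical apart from the severity filter.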
@@ -19,47 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Vulnerabilities with severity $severity$ found in repository $repository$ + risk_objects: + - field: user + type: user + score: 21 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 70 - impact: 30 - message: Vulnerabilities with severity $severity$ found in repository $repository$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: user - type: User - role: - - Attacker - - name: repository - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - eventSource - - eventName - - responseElements.imageScanFindings.findings{} - - awsRegion - - requestParameters.imageId.imageDigest - - 
requestParameters.repositoryName - - user - - userName - - src_ip - risk_score: 21 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml index 4b6163a01a..0f3a5de777 100644 --- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml 
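Review bot: the medium-severity `rba` hunk above has the same drilldown mismatch: `risk_objects` lists only `user` (score 21), while the drilldown searches `normalized_risk_object IN ("$repository$")` and is titled after `$repository$`, so it will never find the risk events this detection creates. The removed `observable` for `repository` (role Victim) was what made the repository a risk object before; add it back as `- field: repository` / `type: other`, or switch the drilldown to `$user$`.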
@@ -1,16 +1,30 @@ name: AWS ECR Container Upload Outside Business Hours id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions. +description: The following analytic detects the upload of a new container image to + AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages + AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM + or on weekends. This activity is significant because container uploads outside business + hours can indicate unauthorized or suspicious activity, potentially pointing to + a compromised account or insider threat. If confirmed malicious, this could allow + an attacker to deploy unauthorized or malicious containers, leading to potential + data breaches or service disruptions. 
data_source: - AWS CloudTrail PutImage -search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult. +search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 + OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* + as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" + | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, + eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: When your development is spreaded in different time zones, + applying this rule can be difficult. references: - https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: 
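Review bot: the rewrapped `known_false_positives` line still says "spreaded"; since the line is touched, correct it to "When your development teams are spread across different time zones, applying this rule can be difficult." On the rewrapped `search`, `eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday` relies on SPL evaluating `OR` before the implied `AND`, which is correct in Splunk but the opposite of SQL; wrapping the time clause in parentheses, `eventName=PutImage (date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday)`, makes the intent obvious to the next reader and costs nothing.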
@@ -19,47 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Container uploaded outside business hours from $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 70 - impact: 70 - message: Container uploaded outside business hours from $user$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - eventSource - - eventName - - awsRegion - - requestParameters.imageTag - - requestParameters.registryId - - requestParameters.repositoryName - - user - - userName - - src_ip 
- risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml index 291255f240..bdb09cde4c 100644 --- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml 
@@ -1,15 +1,27 @@ name: AWS ECR Container Upload Unknown User id: 300688e4-365c-4486-a065-7c884462b31d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail logs to identify `PutImage` events from the ECR service, filtering out known users. This activity is significant because container uploads should typically be performed by a limited set of authorized users. If confirmed malicious, this could indicate unauthorized access, potentially leading to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment. +description: The following analytic detects the upload of a new container image to + AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail + logs to identify `PutImage` events from the ECR service, filtering out known users. + This activity is significant because container uploads should typically be performed + by a limited set of authorized users. If confirmed malicious, this could indicate + unauthorized access, potentially leading to the deployment of malicious containers, + data exfiltration, or further compromise of the AWS environment. data_source: - AWS CloudTrail PutImage -search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This search works with AWS CloudTrail logs. +search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` + | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" + | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by + awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, + image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_ecr_container_upload_unknown_user_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1204/003/ 
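Review bot: `how_to_implement` is rewrapped here but still does not mention the `aws_ecr_users` macro that the search depends on (`NOT \`aws_ecr_users\``); until that macro is populated with the principals allowed to push images, every `PutImage` event will fire, so the documentation should say the macro must be filled in and which field it is expected to match. Separately, this search renames `repositoryName AS image` while the sibling ECR detections in this PR rename it to `repository`; aligning on `repository` keeps the field name consistent across the Dev Sec Ops story and its drilldowns.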
@@ -19,47 +31,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Container uploaded from unknown user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 70 - impact: 70 - message: Container uploaded from unknown user $user$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - eventSource - - eventName - - awsRegion - - requestParameters.imageTag - - requestParameters.registryId - - requestParameters.repositoryName - - user - - userName - - src_ip - risk_score: 49 
security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml index 0ef9f0ba6e..777ddb58a0 100644 --- a/detections/cloud/aws_excessive_security_scanning.yml +++ b/detections/cloud/aws_excessive_security_scanning.yml 
@@ -1,15 +1,26 @@ name: AWS Excessive Security Scanning id: 1fdd164a-def8-4762-83a9-9ffe24e74d5a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure. +description: The following analytic identifies excessive security scanning activities + in AWS by detecting a high number of Describe, List, or Get API calls from a single + user. It leverages AWS CloudTrail logs to count distinct event names and flags users + with more than 50 such events. This behavior is significant as it may indicate reconnaissance + activities by an attacker attempting to map out your AWS environment. If confirmed + malicious, this could lead to unauthorized access, data exfiltration, or further + exploitation of your cloud infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
+search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | + stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime + values(eventName) as command values(src) as src values(userAgent) as userAgent by + user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives. references: - https://github.com/aquasecurity/cloudsploit 
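Review bot: the `known_false_positives` context line directly under the rewrapped `how_to_implement` is a sentence fragment ("While this search has no known false positives.") and is contradicted by the hunk's own reference to cloudsploit, an authorized scanner that produces exactly this burst of Describe/List/Get calls; since the neighbouring lines are being rewritten, reword it to say that security scanners and inventory tooling will trigger the search and should be excluded through `aws_excessive_security_scanning_filter`. The `where dc_events > 50` threshold is also evaluated over the whole search window, so the documentation should state the scheduling window the threshold was tuned for.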
@@ -19,44 +30,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has excessive number of api calls $dc_events$ from these IP + addresses $src$, violating the threshold of 50, using the following commands $command$. + risk_objects: + - field: user + type: user + score: 18 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS User Monitoring asset_type: AWS Account - confidence: 60 - impact: 30 - message: User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$. 
mitre_attack_id: - T1526 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - src - - userAgent - - user - - userIdentity.arn - risk_score: 18 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml index 164fa36716..76a669be53 100644 --- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml +++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml 
@@ -1,16 +1,28 @@ name: AWS Exfiltration via Anomalous GetObject API Activity id: e4384bbf-5835-4831-8d85-694de6ad2cc6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly data_source: - AWS CloudTrail GetObject -description: The following analytic identifies anomalous GetObject API activity in AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail logs and uses the `anomalydetection` command to detect unusual patterns in the frequency of GetObject API calls by analyzing fields such as "count," "user_type," and "user_arn" within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations. -search: '`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed. +description: The following analytic identifies anomalous GetObject API activity in + AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail + logs and uses the `anomalydetection` command to detect unusual patterns in the frequency + of GetObject API calls by analyzing fields such as "count," "user_type," and "user_arn" + within a 10-minute window. 
This activity is significant as it may indicate unauthorized + data access or exfiltration from S3 buckets. If confirmed malicious, attackers could + exfiltrate sensitive data, leading to data breaches and compliance violations. +search: '`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) + as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId + | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* + |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that a user downloaded these files to use them + locally and there are AWS services in configured that perform these activities for + a legitimate reason. Filter is needed. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection 
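Review bot: the rewrapped `known_false_positives` carries a grammar slip, "there are AWS services in configured that perform these activities" should read "there are AWS services configured that perform these activities"; fix it while the line is touched. In the rewrapped `description`, the quoted fields "count," "user_type," and "user_arn" do match the `anomalydetection "count" "user_type" "user_arn"` call, which is good; a short clause explaining that `action=annotate` followed by `search probable_cause=*` is what keeps only the rows the command flagged would make clear why the search has no explicit threshold.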
@@ -21,49 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Anomalous S3 activities detected by user $user_arn$ from $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Data Exfiltration asset_type: AWS Account - confidence: 80 - impact: 80 - message: Anomalous S3 activities detected by user $user_arn$ from $src_ip$ mitre_attack_id: - T1119 - observable: - - name: user_arn - type: User - role: - - Attacker - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - 
aws_account_id - - userAgent - - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml index b781649f91..5e36251cd2 100644 --- a/detections/cloud/aws_exfiltration_via_batch_service.yml +++ b/detections/cloud/aws_exfiltration_via_batch_service.yml 
@@ -1,16 +1,27 @@ name: AWS Exfiltration via Batch Service id: 04455dd3-ced7-480f-b8e6-5469b99e98e2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP data_source: - AWS CloudTrail JobCreated -description: The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information. -search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS Administrator or a user has legitimately created this job for some tasks. +description: The following analytic identifies the creation of AWS Batch jobs that + could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages + AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and + their status. This activity is significant because attackers can exploit this feature + to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this + could lead to unauthorized data transfer between S3 buckets, resulting in data breaches + and loss of sensitive information. 
+search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime + max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) + as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that an AWS Administrator or a user has legitimately + created this job for some tasks. references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 
@@ -20,44 +31,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$ + risk_objects: + - field: aws_account_id + type: other + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Data Exfiltration asset_type: AWS Account - confidence: 80 - impact: 80 - message: AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$ mitre_attack_id: - T1119 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - aws_account_id - - userAgent - 
risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml index 71340c194c..496174416a 100644 --- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml +++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml 
@@ -1,71 +1,72 @@ name: AWS Exfiltration via Bucket Replication id: eeb432d6-2212-43b6-9e89-fcd753f7da4c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP data_source: - AWS CloudTrail PutBucketReplication -description: The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations. -search: '`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies. +description: The following analytic detects API calls to enable S3 bucket replication + services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, + focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, + and user details. This activity is significant as it can indicate unauthorized data + replication, potentially leading to data exfiltration. 
If confirmed malicious, attackers + could replicate sensitive data to external accounts, leading to data breaches and + compliance violations. +search: '`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com + | rename requestParameters.* as * | stats count values(bucketName) as source_bucket + values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) + as destination_bucket by _time user_arn userName user_type src_ip aws_account_id + userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that an AWS admin has legitimately implemented + data replication to ensure data availability and improve data protection/backup + strategies. references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ drilldown_searches: - name: View the detection results for - "$user_arn$" and "$aws_account_id$" - search: '%original_detection_search% | search user_arn = "$user_arn$" aws_account_id = "$aws_account_id$"' + search: '%original_detection_search% | search user_arn = "$user_arn$" aws_account_id + = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" and "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: 
'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", + "$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ + by user $user_arn$ from IP Address - $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious AWS S3 Activities - Data Exfiltration asset_type: EC2 Snapshot - confidence: 80 - impact: 80 - message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$ mitre_attack_id: - T1537 - observable: - - name: user_arn - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - eventSource - - requestParameters.* - - aws_account_id - - vendor_region - - user_agent - - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: 
aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml index 94e59c0583..74dd45c149 100644 --- a/detections/cloud/aws_exfiltration_via_datasync_task.yml +++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml 
@@ -1,16 +1,29 @@ name: AWS Exfiltration via DataSync Task id: 05c4b09f-ea28-4c7c-a7aa-a246f665c8a2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP data_source: - AWS CloudTrail CreateTask -description: The following analytic detects the creation of an AWS DataSync task, which could indicate potential data exfiltration. It leverages AWS CloudTrail logs to identify the `CreateTask` event from the DataSync service. This activity is significant because attackers can misuse DataSync to transfer sensitive data from a private AWS location to a public one, leading to data compromise. If confirmed malicious, this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations. -search: '`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task +description: The following analytic detects the creation of an AWS DataSync task, + which could indicate potential data exfiltration. It leverages AWS CloudTrail logs + to identify the `CreateTask` event from the DataSync service. This activity is significant + because attackers can misuse DataSync to transfer sensitive data from a private + AWS location to a public one, leading to data compromise. 
If confirmed malicious, + this could result in unauthorized access to sensitive information, causing severe + data breaches and compliance violations. +search: '`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" + | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) + as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn + sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that an AWS Administrator has legitimately created + this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` + of this task references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/ 
@@ -20,52 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: DataSync task created on account id - $aws_account_id$ by user $user_arn$ + from src_ip $src_ip$ + risk_objects: + - field: user_arn + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious AWS S3 Activities - Data Exfiltration asset_type: AWS Account - confidence: 80 - impact: 80 - message: DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$ mitre_attack_id: - T1119 - observable: - - name: user_arn - type: User - role: - - Attacker - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - 
Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - aws_account_id - - destinationLocationArn - - sourceLocationArn - - userAgent - - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml index 3a8df695ce..713d7de058 100644 --- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml +++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml @@ -1,7 +1,7 @@ name: AWS Exfiltration via EC2 Snapshot id: ac90b339-13fc-4f29-a18c-4abbba1f2171 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP 
@@ -10,10 +10,27 @@ data_source: - AWS CloudTrail DescribeSnapshotAttribute - AWS CloudTrail ModifySnapshotAttribute - AWS CloudTrail DeleteSnapshot -description: The following analytic detects a series of AWS API calls related to EC2 snapshots within a short time window, indicating potential exfiltration via EC2 Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such as creating, describing, and modifying snapshot attributes. This activity is significant as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots externally. If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations. -search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment. -known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization. 
+description: The following analytic detects a series of AWS API calls related to EC2 + snapshots within a short time window, indicating potential exfiltration via EC2 + Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such + as creating, describing, and modifying snapshot attributes. This activity is significant + as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots + externally. If confirmed malicious, the attacker could gain access to sensitive + information stored in the snapshots, leading to data breaches and potential compliance + violations. +search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", + "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" + | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) + as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) + as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip + aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` + from src_ip to remove false positives caused by guard duty. We recommend you adjust + the time window as per your environment. +known_false_positives: It is possible that an AWS admin has legitimately shared a + snapshot with an other account for a specific purpose. Please check any recent change + requests filed in your organization. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html 
@@ -25,53 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ + by user $userName$ from src_ip $src_ip$ + risk_objects: + - field: userName + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Cloud Instance Activities - Data Exfiltration asset_type: EC2 Snapshot - confidence: 80 - impact: 80 - message: Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$ mitre_attack_id: - T1537 - observable: - - name: userName - type: User - role: - - Attacker - - name: src_ip - type: IP Address - role: - - Attacker - - name: aws_account_id - type: Other - role: - - Victim product: - Splunk 
Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - user_arn - - src_ip - - requestParameters.attributeType - - aws_account_id - - vendor_region - - user_agent - - userIdentity.principalId - - requestParameters.createVolumePermission.add.items{}.userId - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml index 255ec8a16b..577fbd911f 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml 
@@ -1,16 +1,27 @@ name: AWS High Number Of Failed Authentications For User id: e3236f49-daf3-4b70-b808-9290912ac64d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives. +description: The following analytic detects an AWS account experiencing more than + 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail + logs to identify multiple failed ConsoleLogin events. This behavior is significant + as it may indicate a brute force attack targeting the account. If confirmed malicious, + the attacker could potentially gain unauthorized access, leading to data breaches + or further exploitation of the AWS environment. Security teams should consider adjusting + the threshold based on their specific environment to reduce false positives. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`' -how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-known_false_positives: A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. +search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time + | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) + by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts + > 20 | `aws_high_number_of_failed_authentications_for_user_filter`' +how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: A user with more than 20 failed authentication attempts in + the span of 5 minutes may also be triggered by a broken application. references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html drilldown_searches: 
@@ -19,44 +30,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_name$ failed to authenticate more than 20 times in the span + of 5 minutes for AWS Account $aws_account_id$ + risk_objects: + - field: user_name + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Compromised User Account - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 70 - impact: 50 - message: User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$ mitre_attack_id: - T1201 - observable: - - name: user_name - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - 
requestParameters.userName - - eventSource - - user_arn - - aws_account_id - - src_ip - risk_score: 35 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml index 660947adec..58d7a9e5e7 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml 
@@ -1,16 +1,28 @@ name: AWS High Number Of Failed Authentications From Ip id: f75b7f1a-b8eb-4975-a214-ff3e0a944757 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources. +description: The following analytic detects an IP address with 20 or more failed authentication + attempts to the AWS Web Console within a 5-minute window. This detection leverages + CloudTrail logs, aggregating failed login events by IP address and time span. This + activity is significant as it may indicate a brute force attack aimed at gaining + unauthorized access or escalating privileges within an AWS environment. If confirmed + malicious, this could lead to unauthorized access, data breaches, or further exploitation + of AWS resources. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`' -how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. 
-known_false_positives: An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. +search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time + | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) + by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts + > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`' +how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. + We recommend the users to try different combinations of the bucket span time and + the tried account threshold to tune this search according to their environment. +known_false_positives: An Ip address with more than 20 failed authentication attempts + in the span of 5 minutes may also be triggered by a broken application. references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ 
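Review bot: since `+how_to_implement:` and `+known_false_positives:` are rewritten here anyway, fix the wording carried over from the removed lines: "An Ip address" should be "An IP address", "Cloudtrail" should be "CloudTrail", and "We recommend the users to try different combinations" reads better as "We recommend trying different combinations".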
@@ -21,42 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'Multiple failed console login attempts (Count: $failed_attempts$) against + users from IP Address - $src_ip$' + risk_objects: + - field: tried_accounts + type: user + score: 54 + threat_objects: [] tags: analytic_story: - AWS Identity and Access Management Account Takeover - Compromised User Account asset_type: AWS Account - confidence: 90 - impact: 60 - message: 'Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$' mitre_attack_id: - T1110 - T1110.003 - T1110.004 - observable: - - name: tried_accounts - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - 
action - - eventName - - src_ip - risk_score: 54 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml index c68b8b492b..b35a8f0526 100644 --- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml 
@@ -1,16 +1,29 @@ name: AWS IAM AccessDenied Discovery Events id: 3e1f1568-9633-11eb-a69c-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation. +description: The following analytic identifies excessive AccessDenied events within + an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect + multiple failed access attempts from the same source IP and user identity. This + activity is significant as it may indicate that an access key has been compromised + and is being misused for unauthorized discovery actions. If confirmed malicious, + this could allow attackers to gather information about the AWS environment, potentially + leading to further exploitation or privilege escalation. data_source: - AWS CloudTrail -search: '`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. 
-known_false_positives: It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives. +search: '`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) + | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) + as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, + _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize + this data. The search requires AWS CloudTrail logs. +known_false_positives: It is possible to start this detection will need to be tuned + by source IP or user. In addition, change the count values to an upper threshold + to restrict false positives. references: - https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/ drilldown_searches: 
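Review bot: two of the three conditions in `where failures >= 5 and methods >= 1 and sources >= 1` are no-ops: `methods` and `sources` come from `dc(eventName)` and `dc(eventSource)`, and both fields are always present on CloudTrail records, so every row that reaches `stats` already satisfies `>= 1` and only `failures >= 5` filters. Either drop them or raise the thresholds so the search actually requires the several distinct API calls the description calls "discovery". Also, the rewrapped `+known_false_positives:` still opens with "It is possible to start this detection will need to be tuned by source IP or user", which is not a sentence; "This detection may initially need to be tuned by source IP or user" keeps the meaning.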
@@ -19,44 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$userIdentity.arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $userIdentity.arn$ is seen to perform excessive number of discovery + related api calls- $failures$, within an hour where the access was denied. + risk_objects: + - field: userIdentity.arn + type: user + score: 10 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Cloud User Activities asset_type: AWS Account - confidence: 50 - impact: 20 - message: User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. 
mitre_attack_id: - T1580 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: userIdentity.arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventSource - - userAgent - - errorCode - - userIdentity.type - risk_score: 10 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml index 642ae1547a..53c734eb11 100644 --- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml 
@@ -1,16 +1,32 @@ name: AWS IAM Assume Role Policy Brute Force id: f19e09b0-9308-11eb-b7ec-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. +description: The following analytic detects multiple failed attempts to assume an + AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail + logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` + and filters out legitimate AWS services. This activity is significant as repeated + failures to assume roles can indicate an adversary attempting to guess role names, + which is a precursor to unauthorized access. If confirmed malicious, this could + lead to unauthorized access to AWS resources, potentially compromising sensitive + data and services. 
data_source: - AWS CloudTrail -search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment. -known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. +search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure + (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as + lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource + aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion + userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize + this data. The search requires AWS CloudTrail logs. Set the `where count` greater + than a value to identify suspicious activity in your environment. +known_false_positives: This detection will require tuning to provide high fidelity + detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) + or by groups of users. 
references: - https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/ - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ 
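Review bot: the `by` clause of `+search:` groups on `eventID` (and on `requestParameters.policyDocument`), and CloudTrail assigns `eventID` uniquely per record, so each stats row holds a single event and `where count >= 2` can only match if `eventID` is absent from the indexed events. Please confirm against the test dataset, and consider removing `eventID` (and probably `requestParameters.policyDocument`) from the `by` clause so the count aggregates failures per `src`/`user_arn` as the description implies. Separately, `+known_false_positives:` keeps the misspelling "capabilties"; the same word is reproduced in the Delete Policy, Failure Group Deletion and Successful Group Deletion hunks below, and the Delete Policy hunk also carries "seperately".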
@@ -21,44 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has caused multiple failures with errorCode $errorCode$, + which potentially means adversary is attempting to identify a role name. + risk_objects: + - field: user_arn + type: user + score: 28 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 70 - impact: 40 - message: User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name. 
mitre_attack_id: - T1580 - T1110 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.policyName - risk_score: 28 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml index cf68ebc5f7..3ce2296eff 100644 --- a/detections/cloud/aws_iam_delete_policy.yml +++ b/detections/cloud/aws_iam_delete_policy.yml 
@@ -1,16 +1,32 @@ name: AWS IAM Delete Policy id: ec3a9362-92fe-11eb-99d0-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment. +description: The following analytic detects the deletion of an IAM policy in AWS. + It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those + from AWS internal services. This activity is significant as unauthorized policy + deletions can disrupt access controls and weaken security postures. If confirmed + malicious, an attacker could remove critical security policies, potentially leading + to privilege escalation, unauthorized access, or data exfiltration. Monitoring this + behavior helps ensure that only authorized changes are made to IAM policies, maintaining + the integrity and security of the AWS environment. 
data_source: - AWS CloudTrail DeletePolicy -search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. +search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats + count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) + as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage + userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize + this data. The search requires AWS CloudTrail logs. +known_false_positives: This detection will require tuning to provide high fidelity + detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) + or by groups of users. Not every user with AWS access should have permission to + delete policies (least privilege). In addition, this may be saved seperately and + tuned for failed or success attempts only. 
references: - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html - https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html @@ -18,36 +34,17 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 50 - impact: 20 - message: User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$ mitre_attack_id: - T1098 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.policyArn - risk_score: 10 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml index 5a154ffabb..b69c6f006d 100644 --- a/detections/cloud/aws_iam_failure_group_deletion.yml +++ b/detections/cloud/aws_iam_failure_group_deletion.yml 
@@ -1,16 +1,32 @@ name: AWS IAM Failure Group Deletion id: 723b861a-92eb-11eb-93b8-acde48001122 -version: 5 -date: '2024-10-22' +version: 6 +date: '2024-11-14' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment. +description: The following analytic identifies failed attempts to delete AWS IAM groups. + It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails + due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. + This activity is significant as it may indicate unauthorized attempts to modify + IAM group configurations, which could be a precursor to privilege escalation or + other malicious actions. If confirmed malicious, this could allow an attacker to + disrupt IAM policies, potentially leading to unauthorized access or denial of service + within the AWS environment. 
data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode + IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) + as group_name by src eventName eventSource aws_account_id errorCode errorMessage + userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize + this data. The search requires AWS CloudTrail logs. +known_false_positives: This detection will require tuning to provide high fidelity + detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) + or by groups of users. Not every user with AWS access should have permission to + delete groups (least privilege). 
references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html 
@@ -20,43 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has had mulitple failures while attempting to delete groups + from $src$ + risk_objects: + - field: user_arn + type: user + score: 5 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 50 - impact: 10 - message: User $user_arn$ has had mulitple failures while attempting to delete groups from $src$ mitre_attack_id: - T1098 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.groupName - 
risk_score: 5 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml index 1a0a4cdd0b..82f8c5e8fb 100644 --- a/detections/cloud/aws_iam_successful_group_deletion.yml +++ b/detections/cloud/aws_iam_successful_group_deletion.yml 
@@ -1,16 +1,31 @@ name: AWS IAM Successful Group Deletion id: e776d06c-9267-11eb-819b-acde48001122 -version: 4 -date: '2024-10-22' +version: 5 +date: '2024-11-14' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context. +description: The following analytic identifies the successful deletion of an IAM group + in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success + status. This activity is significant as it could indicate potential changes in user + permissions or access controls, which may be a precursor to further unauthorized + actions. If confirmed malicious, an attacker could disrupt access management, potentially + leading to privilege escalation or unauthorized access to sensitive resources. Analysts + should review related IAM events, such as recent user additions or new group creations, + to assess the broader context. 
data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success + (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as + lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource + errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize + this data. The search requires AWS CloudTrail logs. +known_false_positives: This detection will require tuning to provide high fidelity + detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) + or by groups of users. Not every user with AWS access should have permission to + delete groups (least privilege). references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html 
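Review bot: the reflowed `known_false_positives` in this hunk carries the pre-existing typo `capabilties` into the new folded text; since the line is being rewritten anyway, correct it to `capabilities`. The folding itself is safe: the single-quoted `search` scalar joins its lines with one space, so the SPL is identical to the one-line original.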
@@ -18,42 +33,19 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 50 - impact: 10 - message: User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$ mitre_attack_id: - T1069.003 - T1098 - T1069 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim - - name: group_deleted - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.groupName - risk_score: 5 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml index 7a6423711f..a56d5651f3 100644 --- a/detections/cloud/aws_lambda_updatefunctioncode.yml +++ b/detections/cloud/aws_lambda_updatefunctioncode.yml 
@@ -1,16 +1,27 @@ name: AWS Lambda UpdateFunctionCode id: 211b80d3-6340-4345-11ad-212bf3d0d111 -version: 4 -date: '2024-10-22' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure. +description: The following analytic identifies IAM users attempting to update or modify + AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful + `UpdateFunctionCode` events initiated by IAM users. This activity is significant + as it may indicate an attempt to gain persistence, further access, or plant backdoors + within your AWS environment. If confirmed malicious, an attacker could upload and + execute malicious code automatically when the Lambda function is triggered, potentially + compromising the integrity and security of your AWS infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`' -how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. 
-known_false_positives: While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. +search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode + = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as + lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn + user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`' +how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in + your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. references: - http://detectioninthe.cloud/execution/modify_lambda_function_code/ - https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/ 
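Review bot: the reflow splits `errorCode` and `= success` across two YAML lines in `search`. YAML folds the break to one space, so the query still reads `errorCode = success`, but an operator separated from its field is easy to misread and easy to break on the next reformat; keep `errorCode = success` (or `errorCode=success`, as the DeleteGroup detection in this patch writes it) on one line. While touching `known_false_positives`, fix `autorized` and `fuction`, which the new folded text carries over unchanged.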
@@ -18,35 +29,17 @@ tags: analytic_story: - Suspicious Cloud User Activities asset_type: AWS Account - confidence: 90 - impact: 70 - message: User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$ mitre_attack_id: - T1204 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - risk_score: 63 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml index 7ac1b5a8b4..827af91c86 100644 --- a/detections/cloud/aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml 
@@ -1,77 +1,75 @@ name: AWS Multi-Factor Authentication Disabled id: 374832b1-3603-420c-b456-b373e24d34c0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure. +description: The following analytic detects attempts to disable multi-factor authentication + (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where + MFA devices are deleted or deactivated. This activity is significant because disabling + MFA can indicate an adversary attempting to weaken account security, potentially + to maintain persistence using a compromised account. If confirmed malicious, this + action could allow attackers to retain access to the AWS environment without detection, + posing a significant risk to the security and integrity of the cloud infrastructure. data_source: - AWS CloudTrail DeleteVirtualMFADevice - AWS CloudTrail DeactivateMFADevice -search: '`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`' -how_to_implement: The Splunk AWS Add-on is required to utilize this data. 
The search requires AWS CloudTrail logs. -known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company +search: '`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) + | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource + aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`' +how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search + requires AWS CloudTrail logs. +known_false_positives: AWS Administrators may disable MFA but it is highly unlikely + for this event to occur without prior notice to the company references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: - name: View the detection results for - "$aws_account_id$" and "$user_name$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$" user_name = "$user_name$"' + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$" + user_name = "$user_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$aws_account_id$" and "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$", "$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search 
normalized_risk_object IN ("$aws_account_id$", + "$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_name$ has disabled Multi-Factor authentication for AWS account + $aws_account_id$ + risk_objects: + - field: user_name + type: user + score: 64 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 80 - impact: 80 - message: User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ mitre_attack_id: - T1586 - T1586.003 - T1621 - T1556 - T1556.006 - observable: - - name: aws_account_id - type: Other - role: - - Victim - - name: user_name - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src - - eventName - - eventSource - - aws_account_id - - errorCode - - errorMessage - - userAgent - - eventID - - awsRegion - - user_name - - userIdentity.arn - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true 
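Review bot: the new `rba` block drops `aws_account_id`, which the removed `observable` list carried as a Victim, while the risk drilldown still searches `normalized_risk_object IN ("$aws_account_id$", "$user_name$")`; with `user_name` as the only risk object, the account half of that drilldown will never match a risk event this detection emits. Either add the account as a second risk object if the `rba` schema supports a non-user type, or trim the drilldown to `$user_name$` so it reflects what is actually written to the risk index. Score 64 equals the old confidence 80 × impact 80 / 100, so the weighting is unchanged.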
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml index c40308c3db..0e087f273c 100644 --- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml 
@@ -1,16 +1,27 @@ name: AWS Multiple Failed MFA Requests For User id: 1fece617-e614-4329-9e61-3ba228c0f353 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel status: production type: Anomaly -description: The following analytic identifies multiple failed multi-factor authentication (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect more than 10 failed MFA prompts within 5 minutes. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access to the AWS environment, potentially compromising sensitive data and resources. +description: The following analytic identifies multiple failed multi-factor authentication + (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail + logs, specifically the `additionalEventData` field, to detect more than 10 failed + MFA prompts within 5 minutes. This activity is significant as it may indicate an + adversary attempting to bypass MFA by bombarding the user with repeated authentication + requests. If confirmed malicious, this could lead to unauthorized access to the + AWS environment, potentially compromising sensitive data and resources. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. 
-known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. +search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed + authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) + as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName + errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`' +how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search + requires AWS CloudTrail logs. +known_false_positives: Multiple Failed MFA requests may also be a sign of authentication + or application issues. Filter as needed. references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ 
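Review bot: the folded `search` breaks the quoted literal `errorMessage="Failed authentication"` across a YAML line boundary (`"Failed` / `authentication"`). Single-quoted YAML folds that break to one space, so the query is unchanged, but a literal split mid-string is fragile under further reformatting and defeats grepping for the full string; keep quoted SPL literals on a single line. The stray space in `eventName= ConsoleLogin` predates this change but could be dropped while the line is rewritten.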
@@ -20,51 +31,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_name$ is seen to have high number of MFA prompt failures within + a short period of time. + risk_objects: + - field: user_name + type: user + score: 64 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 80 - impact: 80 - message: User $user_name$ is seen to have high number of MFA prompt failures within a short period of time. 
mitre_attack_id: - T1586 - T1586.003 - T1621 - observable: - - name: user_name - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src - - eventName - - eventSource - - aws_account_id - - errorCode - - errorMessage - - userAgent - - eventID - - awsRegion - - user_name - - userIdentity.arn - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml index fe54a04cb1..7fdb466244 100644 --- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml 
@@ -1,17 +1,23 @@ name: AWS Multiple Users Failing To Authenticate From Ip id: 71e1fb89-dd5f-4691-8523-575420de4630 -version: 3 -date: '2024-10-16' +version: 4 +date: '2024-11-14' author: Bhavin Patel status: production type: Anomaly -description: The following analytic identifies a single source IP failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. It leverages CloudTrail logs to detect multiple failed login attempts from the same IP address. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain unauthorized access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment. +description: The following analytic identifies a single source IP failing to authenticate + into the AWS Console with 30 unique valid users within 10 minutes. It leverages + CloudTrail logs to detect multiple failed login attempts from the same IP address. + This behavior is significant as it may indicate a Password Spraying attack, where + an adversary attempts to gain unauthorized access or elevate privileges by trying + common passwords across many accounts. If confirmed malicious, this activity could + lead to unauthorized access, data breaches, or further exploitation within the AWS + environment. 
data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip - | where unique_accounts>30 - | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' + | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by + _time, src_ip | where unique_accounts>30 | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. 
@@ -27,46 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'Multiple failed console login attempts (Count: $unique_accounts$) against + users from IP Address - $src_ip$' + risk_objects: + - field: tried_accounts + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover - Compromised User Account asset_type: AWS Account - confidence: 90 - impact: 60 - message: 'Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$' mitre_attack_id: - T1110 - T1110.003 - T1110.004 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: tried_accounts - type: User - role: - - Victim product: - Splunk Enterprise 
- Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - action - - eventName - - src_ip - risk_score: 54 security_domain: threat - manual_test: This search needs a specific number of events in a time window for the alert to trigger and events split up in CI testing while updating timestamp. + manual_test: This search needs a specific number of events in a time window for + the alert to trigger and events split up in CI testing while updating timestamp. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml index 451dcbaaa5..9c3254ca93 100644 --- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml 
@@ -1,17 +1,37 @@ name: AWS Network Access Control List Created with All Open Ports id: ada0f478-84a8-4641-a3f1-d82362d6bd75 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. +description: The following analytic detects the creation of AWS Network Access Control + Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail + events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` + actions with rules allowing all traffic. This activity is significant because it + can expose the network to unauthorized access, increasing the risk of data breaches + and other malicious activities. If confirmed malicious, an attacker could exploit + this misconfiguration to gain unrestricted access to the network, potentially leading + to data exfiltration, service disruption, or further compromise of the AWS environment. 
data_source: - AWS CloudTrail CreateNetworkAclEntry - AWS CloudTrail ReplaceNetworkAclEntry -search: '`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range=''requestParameters.portRange.to'' - ''requestParameters.portRange.from'' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs. -known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. 
+search: "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry + requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 + | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry + requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 + | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' + | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) + as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction + requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to + requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`" +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail + inputs. +known_false_positives: It's possible that an admin has created this ACL with all ports + open for some legitimate purpose however, this should be scoped and not allowed + in production environment. references: [] drilldown_searches: - name: View the detection results for - "$user_arn$" 
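Review bot: the switch from a single-quoted YAML scalar with `''requestParameters.portRange.to''` to a double-quoted scalar with `'requestParameters.portRange.to'` is equivalent (the SPL contains no backslashes or double quotes), so the eval is unchanged. Unchanged too, but worth fixing while the text is rewritten, is the mismatch between the `description` ("all ports open") and the appended subsearch, which also flags any ingress allow rule whose range spans more than 1024 ports (`where port_range>1024`), for example 1024-65535; say "all or a wide range of ports" so analysts are not surprised by non-`-1` protocol hits. `references: []` could also pick up the CreateNetworkAclEntry API documentation, as the IAM detections in this patch cite their API docs.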
@@ -19,50 +39,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has created network ACLs with all the ports open to a specified + CIDR $requestParameters.cidrBlock$ + risk_objects: + - field: user_arn + type: user + score: 48 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Network ACL Activity asset_type: AWS Instance - confidence: 80 - impact: 60 - message: User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ mitre_attack_id: - T1562.007 - T1562 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - 
- requestParameters.ruleAction - - requestParameters.egress - - requestParameters.aclProtocol - - requestParameters.portRange.to - - requestParameters.portRange.from - - requestParameters.cidrBlock - - userName - - userIdentity.principalId - - userAgent - risk_score: 48 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml index 5202562353..8499371040 100644 --- a/detections/cloud/aws_network_access_control_list_deleted.yml +++ b/detections/cloud/aws_network_access_control_list_deleted.yml 
@@ -1,16 +1,28 @@ name: AWS Network Access Control List Deleted id: ada0f478-84a8-4641-a3f1-d82362d6fd75 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment. +description: The following analytic detects the deletion of AWS Network Access Control + Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes + a network ACL entry. This activity is significant because deleting a network ACL + can remove critical access restrictions, potentially allowing unauthorized access + to cloud instances. If confirmed malicious, this action could enable attackers to + bypass network security controls, leading to unauthorized access, data exfiltration, + or further compromise of the cloud environment. data_source: - AWS CloudTrail DeleteNetworkAclEntry -search: '`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. 
-known_false_positives: It's possible that a user has legitimately deleted a network ACL. +search: '`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false + | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn + userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail + inputs. +known_false_positives: It's possible that a user has legitimately deleted a network + ACL. references: [] drilldown_searches: - name: View the detection results for - "$user_arn$" 
@@ -18,46 +30,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= + $eventName$), such that the instance is accessible from anywhere + risk_objects: + - field: user_arn + type: user + score: 5 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Network ACL Activity asset_type: AWS Instance - confidence: 50 - impact: 10 - message: User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere mitre_attack_id: - T1562.007 - T1562 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise 
Security - Splunk Cloud - required_fields: - - _time - - eventName - - requestParameters.egress - - userName - - userIdentity.principalId - - src - - userAgent - risk_score: 5 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 644a6ca2de..1891036414 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml 
@@ -1,16 +1,28 @@ name: AWS New MFA Method Registered For User id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches. +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs + to identify the `CreateVirtualMFADevice` event. This activity is significant because + adversaries who gain unauthorized access to an AWS account may register a new MFA + method to maintain persistence. If confirmed malicious, this could allow attackers + to secure their access, making it difficult to detect and remove their presence, + potentially leading to further unauthorized activities and data breaches. data_source: - AWS CloudTrail CreateVirtualMFADevice -search: '`cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`' -how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs. 
-known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. +search: '`cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) + as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource + aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn + src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_new_mfa_method_registered_for_user_filter`' +how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This + search works when AWS CloudTrail logs. +known_false_positives: Newly onboarded users who are registering an MFA method for + the first time will also trigger this detection. references: - https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/ - https://attack.mitre.org/techniques/T1556/ 
@@ -22,50 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ + risk_objects: + - field: user_arn + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 80 - impact: 80 - message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ mitre_attack_id: - T1556 - T1556.006 - observable: - - name: user_arn - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src_ip - - eventName - - eventSource - - 
requestParameters.virtualMFADeviceName - - errorCode - - userIdentity.principalId - - userAgent - - awsRegion - - user_name - - userIdentity.arn - - _time - risk_score: 64 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml index b09c1efbf5..a9c930cfca 100644 --- a/detections/cloud/aws_password_policy_changes.yml +++ b/detections/cloud/aws_password_policy_changes.yml 
@@ -1,18 +1,32 @@ name: AWS Password Policy Changes id: aee4a575-7064-4e60-b511-246f9baf9895 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as "UpdateAccountPasswordPolicy," "GetAccountPasswordPolicy," and "DeleteAccountPasswordPolicy." This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources. +description: The following analytic detects successful API calls to view, update, + or delete the password policy in an AWS organization. It leverages AWS CloudTrail + logs to identify events such as "UpdateAccountPasswordPolicy," "GetAccountPasswordPolicy," + and "DeleteAccountPasswordPolicy." This activity is significant because it is uncommon + for regular users to perform these actions, and such changes can indicate an adversary + attempting to understand or weaken password defenses. If confirmed malicious, this + could lead to compromised accounts and increased attack surface, potentially allowing + unauthorized access and control over AWS resources. 
data_source: - AWS CloudTrail UpdateAccountPasswordPolicy - AWS CloudTrail GetAccountPasswordPolicy - AWS CloudTrail DeleteAccountPasswordPolicy -search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' -how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. +search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") + errorCode=success | stats count values(eventName) as eventName values(userAgent) + min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion + userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' +how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately triggered an AWS audit tool activity which may + trigger this event. references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html tags: 
@@ -20,40 +34,17 @@ tags: - AWS IAM Privilege Escalation - Compromised User Account asset_type: AWS Account - confidence: 80 - impact: 90 - message: User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$ mitre_attack_id: - T1201 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.userName - - eventSource - - user_arn - - aws_account_id - - src_ip - risk_score: 72 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml index e7f799bd4e..e340530aa9 100644 --- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml +++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml 
@@ -1,15 +1,35 @@ name: AWS S3 Exfiltration Behavior Identified id: 85096389-a443-42df-b89d-200efbb1b560 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Correlation data_source: [] -description: The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | 
`aws_s3_exfiltration_behavior_identified_filter`' -how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. -known_false_positives: alse positives may be present based on automated tooling or system administrators. Filter as needed. +description: The following analytic identifies potential AWS S3 exfiltration behavior + by correlating multiple risk events related to Collection and Exfiltration techniques. + It leverages risk events from AWS sources, focusing on instances where two or more + unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk + object. This activity is significant as it may indicate an ongoing data exfiltration + attempt, which is critical for security teams to monitor. If confirmed malicious, + this could lead to unauthorized access and theft of sensitive information, compromising + the organization's data integrity and confidentiality. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk + where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic + = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | where + source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`' +how_to_implement: You must enable all the detection searches in the Data Exfiltration + Analytic story to create risk events in Enterprise Security. +known_false_positives: alse positives may be present based on automated tooling or + system administrators. Filter as needed. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ @@ -20,7 +40,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -28,33 +53,17 @@ tags: - Suspicious Cloud Instance Activities - Data Exfiltration asset_type: AWS Account - confidence: 90 - impact: 90 - message: Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$ mitre_attack_id: - T1537 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - All_Risk.calculated_risk_score - - source - risk_score: 81 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log sourcetype: stash source: aws_exfil - update_timestamp: true diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml index cdc1df64c1..15f1a67871 100644 --- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml +++ b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml 
@@ -1,16 +1,33 @@ name: AWS SAML Access by Provider User and Principal id: bbe23980-6019-11eb-ae93-0242ac130002 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: Anomaly -description: The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, `roleArn`, and `roleSessionName`. This activity is significant as it can indicate abnormal access patterns or potential credential hijacking, especially in federated environments using the SAML protocol. If confirmed malicious, this could allow attackers to assume roles and gain unauthorized access to sensitive AWS resources, leading to data breaches or further exploitation. +description: The following analytic identifies specific SAML access events by a service + provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs + to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, + `roleArn`, and `roleSessionName`. This activity is significant as it can indicate + abnormal access patterns or potential credential hijacking, especially in federated + environments using the SAML protocol. If confirmed malicious, this could allow attackers + to assume roles and gain unauthorized access to sensitive AWS resources, leading + to data breaches or further exploitation. 
data_source: - AWS CloudTrail AssumeRoleWithSAML -search: '`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -known_false_positives: Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks. +search: '`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime + max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn + requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress + userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + |`aws_saml_access_by_provider_user_and_principal_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This + search works with AWS CloudTrail logs +known_false_positives: Attacks using a Golden SAML or SAML assertion hijacks or forgeries + are very difficult to detect as accessing cloud providers with these assertions + looks exactly like normal access, however things such as source IP sourceIPAddress + user, and principal targeted at receiving cloud provider along with endpoint credential + access and abuse detection searches can provide the necessary context to detect + these attacks. references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html 
@@ -22,47 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$recipientAccountId$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$recipientAccountId$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$recipientAccountId$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an + event $eventName$ for account ID $recipientAccountId$ + risk_objects: + - field: recipientAccountId + type: other + score: 64 + threat_objects: + - field: sourceIPAddress + type: ip_address tags: analytic_story: - Cloud Federated Credential Abuse asset_type: AWS Federated Account - confidence: 80 - impact: 80 - message: From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$ mitre_attack_id: - T1078 - observable: - - name: sourceIPAddress - type: IP Address - role: - - Attacker - - name: recipientAccountId - type: Other - role: - - Victim product: - 
Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - requestParameters.principalArn - - requestParameters.roleArn - - requestParameters.roleSessionName - - recipientAccountId - - responseElements.issuer - - sourceIPAddress - - userAgent - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml index 08f761d472..c92114d370 100644 --- a/detections/cloud/aws_saml_update_identity_provider.yml +++ b/detections/cloud/aws_saml_update_identity_provider.yml 
@@ -1,16 +1,29 @@ name: AWS SAML Update identity provider id: 2f0604c6-6030-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data. +description: The following analytic detects updates to the SAML provider in AWS. It + leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing + fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. + Monitoring updates to the SAML provider is crucial as it may indicate a perimeter + compromise of federated credentials or unauthorized backdoor access set by an attacker. + If confirmed malicious, this activity could allow attackers to manipulate identity + federation, potentially leading to unauthorized access to cloud resources and sensitive + data. data_source: - AWS CloudTrail UpdateSAMLProvider -search: '`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. +search: '`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime + max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn + userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId + userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + |`aws_saml_update_identity_provider_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: Updating a SAML provider or creating a new one may not necessarily + be malicious however it needs to be closely monitored. references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html 
@@ -22,46 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$userIdentity.principalId$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.principalId$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.principalId$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged + an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ + risk_objects: + - field: userIdentity.principalId + type: user + score: 64 + threat_objects: + - field: sourceIPAddress + type: ip_address tags: analytic_story: - Cloud Federated Credential Abuse asset_type: AWS Federated Account - confidence: 80 - impact: 80 - message: User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ mitre_attack_id: - T1078 - observable: - - name: sourceIPAddress - type: IP 
Address - role: - - Attacker - - name: userIdentity.principalId - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - eventType - - requestParameters.sAMLProviderArn - - userIdentity.sessionContext.sessionIssuer.arn - - sourceIPAddress - - userIdentity.accessKeyId - - userIdentity.principalId - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml index ce14202849..b927809aa5 100644 --- a/detections/cloud/aws_setdefaultpolicyversion.yml +++ b/detections/cloud/aws_setdefaultpolicyversion.yml 
@@ -1,16 +1,30 @@ name: AWS SetDefaultPolicyVersion id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches. +description: The following analytic detects when a user sets a default policy version + in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` + event from the IAM service. This activity is significant because attackers may exploit + this technique for privilege escalation, especially if previous policy versions + grant more extensive permissions than the current one. If confirmed malicious, this + could allow an attacker to gain elevated access to AWS resources, potentially leading + to unauthorized actions and data breaches. data_source: - AWS CloudTrail SetDefaultPolicyVersion -search: '`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources +search: '`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) + as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id + errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately set a default policy to allow a user to access + all resources. That said, AWS strongly advises against granting full control to + all AWS resources references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ 
@@ -20,45 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: From IP address $src$, user $user_arn$ has trigged an event $eventName$ + for updating the the default policy version + risk_objects: + - field: user_arn + type: user + score: 30 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 60 - impact: 50 - message: From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version mitre_attack_id: - T1078.004 - T1078 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - 
eventName - - userAgent - - errorCode - - requestParameters.userName - - eventSource - risk_score: 30 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml index 13c9247aa6..558280bf33 100644 --- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml +++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml 
@@ -1,16 +1,27 @@ name: AWS Successful Console Authentication From Multiple IPs id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring `ConsoleLogin` events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment. +description: The following analytic detects an AWS account successfully authenticating + from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail + logs, specifically monitoring `ConsoleLogin` events and counting distinct source + IPs. This behavior is significant as it may indicate compromised credentials, potentially + from a phishing attack, being used concurrently by an adversary and a legitimate + user. If confirmed malicious, this activity could allow unauthorized access to corporate + resources, leading to data breaches or further exploitation within the AWS environment. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`' -how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. 
-known_false_positives: A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. +search: '`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) + as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) + as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`' +how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This + search works when AWS CloudTrail events are normalized use the Authentication datamodel. +known_false_positives: A user with successful authentication events from different + Ips may also represent the legitimate use of more than one device. Filter as needed + and/or customize the threshold to fit your environment. references: - https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/ drilldown_searches: 
@@ -19,45 +30,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has successfully logged into the AWS Console from different + IP addresses $src_ip$ within 5 mins + risk_objects: + - field: user_arn + type: user + score: 72 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious AWS Login Activities - Compromised User Account asset_type: AWS Account - confidence: 80 - impact: 90 - message: User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins mitre_attack_id: - T1586 - T1535 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user_arn - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - eventName - - userAgent - - src_ip - - user_arn - risk_score: 72 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml index 4fb97224a7..0e3b986294 100644 --- a/detections/cloud/aws_successful_single_factor_authentication.yml +++ b/detections/cloud/aws_successful_single_factor_authentication.yml 
@@ -1,16 +1,28 @@ name: AWS Successful Single-Factor Authentication id: a520b1fe-cc9e-4f56-b762-18354594c52f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation. +description: The following analytic identifies a successful Console Login authentication + event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. + It leverages AWS CloudTrail logs to detect instances where MFA was not used during + login. This activity is significant as it may indicate a misconfiguration, policy + violation, or potential account takeover attempt. If confirmed malicious, an attacker + could gain unauthorized access to the AWS environment, potentially leading to data + exfiltration, resource manipulation, or further privilege escalation. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`' -how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. 
-known_false_positives: It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS. +search: '`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No + | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource + aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion + user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_successful_single_factor_authentication_filter`' +how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search + requires AWS CloudTrail logs. +known_false_positives: It is possible that some accounts do not have MFA enabled for + the AWS account however its agaisnt the best practices of securing AWS. references: - https://attack.mitre.org/techniques/T1621/ - https://attack.mitre.org/techniques/T1078/004/ 
@@ -21,52 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_name$ has successfully logged into an AWS Console without Multi-Factor + Authentication from $src$ + risk_objects: + - field: user_name + type: user + score: 64 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 80 - impact: 80 - message: User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$ mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - observable: - - name: user_name - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - src - - eventName - - eventSource - - aws_account_id - - errorCode - - additionalEventData.MFAUsed - - userAgent - - eventID - - awsRegion - - user_name - - userIdentity.arn - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml index bd7f9794e1..6e86b15927 100644 --- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml 
@@ -1,16 +1,29 @@ name: AWS Unusual Number of Failed Authentications From Ip id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies a single source IP failing to authenticate into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual numbers of failed authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment. +description: The following analytic identifies a single source IP failing to authenticate + into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates + the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual + numbers of failed authentication attempts. This behavior is significant as it may + indicate a Password Spraying attack, where an adversary attempts to gain initial + access or elevate privileges. If confirmed malicious, this activity could lead to + unauthorized access, data breaches, or further exploitation within the AWS environment. 
data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`' -how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment -known_false_positives: No known false postives for this detection. Please review this alert +search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time + | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, + src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) + as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts + > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`' +how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. + We recommend the users to try different combinations of the bucket span time and + the calculation of the upperBound field to tune this search according to their environment +known_false_positives: No known false postives for this detection. Please review this + alert references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ 
@@ -21,47 +34,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'Unusual number of failed console login attempts (Count: $distinct_attempts$) + against users from IP Address - $src_ip$' + risk_objects: + - field: tried_accounts + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Identity and Access Management Account Takeover asset_type: AWS Account - confidence: 90 - impact: 60 - message: 'Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$' mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: tried_accounts - type: User - role: - - Victim product: - 
Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - action - - eventName - - src_ip - risk_score: 54 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail - update_timestamp: true diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml index 5b7afc1a65..a8ffb62a72 100644 --- a/detections/cloud/aws_updateloginprofile.yml +++ b/detections/cloud/aws_updateloginprofile.yml 
@@ -1,16 +1,30 @@ name: AWS UpdateLoginProfile id: 2a9b80d3-6a40-4115-11ad-212bf3d0d111 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment. +description: The following analytic detects an AWS CloudTrail event where a user with + permissions updates the login profile of another user. It leverages CloudTrail logs + to identify instances where the user making the change is different from the user + whose profile is being updated. This activity is significant because it can indicate + privilege escalation attempts, where an attacker uses a compromised account to gain + higher privileges. If confirmed malicious, this could allow the attacker to escalate + their privileges, potentially leading to unauthorized access and control over sensitive + resources within the AWS environment. 
data_source: - AWS CloudTrail UpdateLoginProfile -search: '`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. +search: '`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com + errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), + 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime + by requestParameters.userName src eventName eventSource aws_account_id errorCode + userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately created keys for another user. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ 
@@ -20,44 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ + for updating the existing login profile, potentially giving user $user_arn$ more + access privilleges + risk_objects: + - field: user_arn + type: user + score: 30 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 60 - impact: 50 - message: From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges mitre_attack_id: - T1136.003 - T1136 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: user_arn - type: User - 
role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userAgent - - errorCode - - requestParameters.userName - risk_score: 30 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index c12e138e56..0153fff2b2 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml 
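Review bot: the new rba.message carries over two typos from the removed tags.message ("has trigged an event", "more access privilleges"); as the string is being moved into the rba block, fix it to `has triggered an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privileges`. Dropping confidence/impact/risk_score, observable, required_fields and update_timestamp here is consistent with the other detection files in this change.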
@@ -1,16 +1,30 @@ name: Azure Active Directory High Risk Sign-in id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment. +description: The following analytic detects high-risk sign-in attempts against Azure + Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers + and UserRiskEvents log categories from Azure AD events ingested via EventHub. This + activity is significant as it indicates potentially compromised accounts, flagged + by heuristics and machine learning. If confirmed malicious, attackers could gain + unauthorized access to sensitive resources, leading to data breaches or further + exploitation within the environment. data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. -known_false_positives: Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives. +search: '`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename + properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents + log category in the azure:monitor:aad sourcetype. +known_false_positives: Details for the risk calculation algorithm used by Identity + Protection are unknown and may be prone to false positives. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray 
@@ -22,49 +36,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A high risk event was identified by Identify Protection for user $user$ + risk_objects: + - field: user + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: A high risk event was identified by Identify Protection for user $user$ mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - category - - properties.riskLevel - - user - - src_ip - - 
properties.activity - - properties.riskEventType - - properties.additionalInfo - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml index bcf5ca35c1..436b972194 100644 --- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml 
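Review bot: rba.message reads "identified by Identify Protection"; the product is Identity Protection, as the description in the previous hunk says, so correct the typo while the message is being moved out of tags. The src_ip threat object and the 54 score match the removed observable/risk_score values.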
@@ -1,16 +1,38 @@ name: Azure AD Admin Consent Bypassed by Service Principal id: 9d4fea43-9182-4c5a-ada8-13701fd5615d -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - Azure Active Directory Add app role assignment to service principal type: TTP status: production -description: The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the "Add app role assignment to service principal" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment. 
-search: '`azure_monitor_aad` (operationName="Add app role assignment to service principal" OR operationName="Add member to role*") src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex(''targetResources{}.modifiedProperties{}.newValue'', 0) | eval roleValue = mvindex(''targetResources{}.modifiedProperties{}.newValue'', 1) | eval roleDescription = mvindex(''targetResources{}.modifiedProperties{}.newValue'', 2) | eval user_id = mvindex(''targetResources{}.id'', 0), user=coalesce(user,mvindex(''targetResources{}.displayName'', 0)) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user user user_id roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -known_false_positives: Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. +description: The following analytic identifies instances where a service principal + in Azure Active Directory assigns app roles without standard admin consent. It uses + Entra ID logs from the `azure_monitor_aad` data source, focusing on the "Add app + role assignment to service principal" operation. This detection is significant as + it highlights potential bypasses of critical administrative consent processes, which + could lead to unauthorized privileges being granted. 
If confirmed malicious, this + activity could allow attackers to exploit automation to assign sensitive permissions + without proper oversight, potentially compromising the security of the Azure AD + environment. +search: "`azure_monitor_aad` (operationName=\"Add app role assignment to service principal\"\ + \ OR operationName=\"Add member to role*\") src_user_type=servicePrincipal | rename + properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', + 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', + 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', + 2) | eval user_id = mvindex('targetResources{}.id', 0), user=coalesce(user,mvindex('targetResources{}.displayName', + 0)) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) + as firstTime latest(_time) as lastTime by src_user user user_id roleId roleValue + roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\ + \ | `azure_ad_admin_consent_bypassed_by_service_principal_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the Auditlog log category +known_false_positives: Service Principals are sometimes configured to legitimately + bypass the consent process for purposes of automation. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ drilldown_searches: 
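Review bot: the search in this hunk matches both operationName="Add app role assignment to service principal" and operationName="Add member to role*", but the description and the single data_source entry only mention the former; either document the second operation (and add its data source) or drop it from the search. Separately, this search is now emitted as a YAML double-quoted scalar with `\"\` line continuations and `\ OR` / `\ | ` escaped spaces, while the other searches in this change stay single-quoted; a `|` block scalar (or keeping single quotes with doubled `''`) would be far easier to review for an SPL string this long.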
@@ -19,43 +41,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service principal $src_user$ bypassed the admin consent process and granted + permissions to $user$ + risk_objects: + - field: user + type: user + score: 54 + - field: src_user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation - NOBELIUM Group asset_type: Azure Active Directory - confidence: 60 - impact: 90 - message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $user$ mitre_attack_id: - T1098.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - operationName - - targetResources{}.modifiedProperties{}.newValue - - targetResources{}.id - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml index 5b148f2137..33305b12f6 100644 --- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml 
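Review bot: src_user is the initiating service principal (renamed from initiatedBy.app.displayName), yet it becomes a second risk_object of type user scored 54 alongside its target $user$, and threat_objects is left as []. If the intent is to attribute the action to the service principal, consider whether it belongs in threat_objects instead of being scored as a victim identity; the old observable block at least marked both as Victim explicitly, which this hunk silently changes into two equal risk contributions.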
@@ -1,16 +1,32 @@ name: Azure AD Application Administrator Role Assigned id: eac4de87-7a56-4538-a21b-277897af6d8d -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: - Azure Active Directory Add member to role -description: The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the "Add member to role" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant. -search: '`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -known_false_positives: Administrators may legitimately assign the Application Administrator role to a user. Filter as needed. 
+description: The following analytic identifies the assignment of the Application Administrator + role to an Azure AD user. It leverages Azure Active Directory events, specifically + monitoring the "Add member to role" operation. This activity is significant because + users in this role can manage all aspects of enterprise applications, including + credentials, which can be used to impersonate application identities. If confirmed + malicious, an attacker could escalate privileges, manage application settings, and + potentially access sensitive resources by impersonating application identities, + posing a significant security risk to the Azure AD tenant. +search: '`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application + Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user + initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_application_administrator_role_assigned_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the Auditlog log category +known_false_positives: Administrators may legitimately assign the Application Administrator + role to a user. Filter as needed. references: - https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/ - https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 
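Review bot: version jumps from 5 to 7 in this file while every other detection in this change bumps by exactly one (4 to 5, 5 to 6, 6 to 7); unless a version 6 was shipped elsewhere, this should be `version: 6`. Otherwise the hunk is a pure reflow of description/search/how_to_implement with the same content.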
@@ -23,45 +39,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The privileged Azure AD role Application Administrator was assigned for + User $user$ initiated by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 35 + - field: initiatedBy + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation asset_type: Azure Active Directory atomic_guid: [] - confidence: 50 - impact: 70 - message: The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - user - - properties.targetResources{}.type - - properties.initiatedBy.user.userPrincipalName - - properties.result - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index 5932c5e285..0ccbb9b85a 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml 
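Review bot: security_domain stays `endpoint` in the trailing context lines of this Azure AD role-assignment detection, while the sibling Azure AD files in this change use `identity`; since the tags block is being rewritten here, fix it to `security_domain: identity`. Also, initiatedBy was previously an observable with role Attacker and is now a 35-point risk_object of type user next to the target $user$, with threat_objects: []; that is the same attribution change flagged in the admin-consent file and should be a deliberate choice, not a side effect of the schema migration.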
@@ -1,18 +1,42 @@ name: Azure AD Authentication Failed During MFA Challenge id: e62c9c2e-bf51-4719-906c-3074618fcc1c -version: 6 -date: '2024-10-31' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk, 0xC0FFEEEE status: production type: TTP -description: The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account. +description: The following analytic identifies failed authentication attempts against + an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically + flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. + This activity is significant as it may indicate an adversary attempting to authenticate + using compromised credentials on an account with MFA enabled. If confirmed malicious, + this could suggest an ongoing effort to bypass MFA protections, potentially leading + to unauthorized access and further compromise of the affected account. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as *, authenticationDetails{}.* as * | eval time=strptime(authenticationStepDateTime, "%Y-%m-%dT%H:%M:%S") | eval auth_detail=mvzip(strftime(time, "%Y-%m-%dT%H:%M:%S"),authenticationStepResultDetail," - "), auth_msg=mvappend(''status.additionalDetails'', authenticationStepResultDetail) | eval auth_method=mvmap(authenticationMethod, if(isnull(mvfind(''mfaDetail.authMethod'', authenticationMethod)), authenticationMethod, null())) | stats min(_time) as firstTime, max(_time) as lastTime, values(user) as user, values(src_ip) as src_ip, values(mfaDetail.authMethod) as mfa_method, values(auth_method) as auth_method, values(auth_detail) as auth_detail, values(auth_msg) as auth_msg, values(appDisplayName) as appDisplayName, values(user_agent) as user_agent by tenantId originalRequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search NOT auth_msg="MFA successfully completed" | sort 0 - firstTime | `azure_ad_authentication_failed_during_mfa_challenge_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: 'False positives have been minimized by removing attempts that result in ''MFA successfully completed messages'', which were found to be generated when a user opts to use a different MFA method than the default. - - Further reductions in notable events can be achieved through filtering ''MFA denied; duplicate authentication attempt'' messages within the auth_msg field, as they could arguably be considered as false positives.' 
+search: "`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 + | rename properties.* as *, authenticationDetails{}.* as * | eval time=strptime(authenticationStepDateTime, + \"%Y-%m-%dT%H:%M:%S\") | eval auth_detail=mvzip(strftime(time, \"%Y-%m-%dT%H:%M:%S\"\ + ),authenticationStepResultDetail,\" - \"), auth_msg=mvappend('status.additionalDetails', + authenticationStepResultDetail) | eval auth_method=mvmap(authenticationMethod, if(isnull(mvfind('mfaDetail.authMethod', + authenticationMethod)), authenticationMethod, null())) | stats min(_time) as firstTime, + max(_time) as lastTime, values(user) as user, values(src_ip) as src_ip, values(mfaDetail.authMethod) + as mfa_method, values(auth_method) as auth_method, values(auth_detail) as auth_detail, + values(auth_msg) as auth_msg, values(appDisplayName) as appDisplayName, values(user_agent) + as user_agent by tenantId originalRequestId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | search NOT auth_msg=\"MFA successfully completed\"\ + \ | sort 0 - firstTime | `azure_ad_authentication_failed_during_mfa_challenge_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: "False positives have been minimized by removing attempts that + result in 'MFA successfully completed messages', which were found to be generated + when a user opts to use a different MFA method than the default.\nFurther reductions + in finding events can be achieved through filtering 'MFA denied; duplicate authentication + attempt' messages within the auth_msg field, as they could arguably be considered + as false positives." 
references: - https://attack.mitre.org/techniques/T1621/ - https://attack.mitre.org/techniques/T1078/004/ 
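Review bot: the known_false_positives rewrite changes "notable events" to "finding events", which reads awkwardly; if this is the Enterprise Security terminology change, "Further reductions in findings can be achieved..." is the natural phrasing. The paragraph break in the old value has become a literal `\n` in the double-quoted scalar, so confirm that is the intended rendering. As with the admin-consent search, this SPL is now a double-quoted scalar with `\"\` line continuations (e.g. `\"MFA successfully completed\"\` followed by `\ | sort 0`); a block scalar would avoid the escaped line breaks.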
@@ -24,50 +48,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ failed to pass MFA challenge + risk_objects: + - field: user + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: User $user$ failed to pass MFA challenge mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - T1621 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - category - - properties.status.errorCode - - user - - src_ip - - properties.status.additionalDetails - - 
properties.appDisplayName - - properties.userAgent - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml index 68fe9f4144..b81c81b399 100644 --- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml +++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml @@ -1,9 +1,9 @@ name: Azure AD AzureHound UserAgent Detected id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3 -version: 1 +version: 2 date: '2025-01-06' author: Dean Luxton -data_sources: +data_source: - Azure Active Directory NonInteractiveUserSignInLogs - Azure Active Directory MicrosoftGraphActivityLogs type: TTP 
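Review bot: in the azure_ad_azurehound_useragent_detected hunk the key rename data_sources to data_source bumps version 1 to 2 but leaves date at '2025-01-06', whereas every other version bump in this change updates date together with version; confirm whether date should move as well. The key rename itself is correct, as every other detection in this change uses the singular data_source.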
@@ -31,40 +31,29 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AzureHound UserAgent String $user_agent$ Detected on Tenant $tenantId$ + risk_objects: + - field: tenantId + type: other + score: 80 + threat_objects: + - field: src + type: ip_address + - field: user_agent + type: http_user_agent tags: analytic_story: - Azure Active Directory Privilege Escalation - Compromised User Account asset_type: Azure Tenant - confidence: 100 - impact: 80 - message: AzureHound UserAgent String $user_agent$ Detected on Tenant $tenantId$ mitre_attack_id: - T1087.004 - T1526 - observable: - - name: tenantId - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: user_agent - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src - - category - - properties.userAgent - - tenantId - risk_score: 80 security_domain: identity tests: - name: True Positive Test diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml index e7fed2c8eb..050ea5ab80 100644 --- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml +++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml 
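Review bot: the new rba block scores tenantId (type other, 80) as the only risk object, yet the drilldown search kept in the context lines pivots the Risk datamodel on normalized_risk_object IN ("$user$"); with this rba block no risk event is ever written against $user$, so that drilldown will return nothing. Either add the user field as a risk_object or change the drilldown to search on "$tenantId$". Aggregating all hits onto a single tenant-wide object also means RBA cannot distinguish which identity ran AzureHound.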
@@ -1,16 +1,36 @@ name: Azure AD Block User Consent For Risky Apps Disabled id: 875de3d7-09bc-4916-8c0a-0929f4ced3d8 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Update authorization policy -description: The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the "Update authorization policy" operation, specifically changes to the "AllowUserConsentForRiskyApps" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization. -search: '`azure_monitor_aad` operationName="Update authorization policy" | rename properties.* as * | eval index_number = if(mvfind(''targetResources{}.modifiedProperties{}.displayName'', "AllowUserConsentForRiskyApps") >= 0, mvfind(''targetResources{}.modifiedProperties{}.displayName'', "AllowUserConsentForRiskyApps"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex(''targetResources{}.modifiedProperties{}.newValue'',index_number) | search AllowUserConsentForRiskyApps = "[true]" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization +description: The following analytic detects when the risk-based step-up consent security + setting in Azure AD is disabled. It monitors Azure Active Directory logs for the + "Update authorization policy" operation, specifically changes to the "AllowUserConsentForRiskyApps" + setting. This activity is significant because disabling this feature can expose + the organization to OAuth phishing threats by allowing users to grant consent to + potentially malicious applications. If confirmed malicious, attackers could gain + unauthorized access to user data and sensitive information, leading to data breaches + and further compromise within the organization. 
+search: "`azure_monitor_aad` operationName=\"Update authorization policy\" | rename + properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + \"AllowUserConsentForRiskyApps\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps + = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search + AllowUserConsentForRiskyApps = \"[true]\" | stats count min(_time) as firstTime + max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting + by administrators, perhaps as part of a policy update or security assessment, may + trigger this alert, necessitating verification of the change's intent and authorization references: - https://attack.mitre.org/techniques/T1562/ - https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/ 
@@ -22,39 +42,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting. + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 50 - impact: 60 - message: User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting. 
mitre_attack_id: - T1562 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - operationName - - properties.targetResources{}.modifiedProperties{}.displayName - - properties.targetResources{}.modifiedProperties{}.newValue - - user - - src_ip security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log source: Azure Ad sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml index 2753e73925..40df90522d 100644 --- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml 
@@ -1,16 +1,36 @@ name: Azure AD Concurrent Sessions From Different Ips id: a9126f73-9a9b-493d-96ec-0dd06695490d -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches. +description: The following analytic detects an Azure AD account with concurrent sessions + originating from multiple unique IP addresses within a 5-minute window. It leverages + Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by + analyzing successful authentication events and counting distinct source IPs. This + activity is significant as it may indicate session hijacking, where an attacker + uses stolen session cookies to access corporate resources from a different location. + If confirmed malicious, this could lead to unauthorized access to sensitive information + and potential data breaches. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips dc(location.city) as dc_city values(location.city) as city values(src_ip) as src_ip values(appDisplayName) as appDisplayName values(location.countryOrRegion) by user _time | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. Also consider the geographic location of the IP addresses and filter out IP space that belong to your organization. 
+search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs + action=success | rename properties.* as * | bucket span=5m _time | stats count min(_time) + as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips dc(location.city) as + dc_city values(location.city) as city values(src_ip) as src_ip values(appDisplayName) + as appDisplayName values(location.countryOrRegion) by user _time | where unique_ips + > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + `azure_ad_concurrent_sessions_from_different_ips_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: A user with concurrent sessions from different Ips may also + represent the legitimate use of more than one device. Filter as needed and/or customize + the threshold to fit your environment. Also consider the geographic location of + the IP addresses and filter out IP space that belong to your organization. references: - https://attack.mitre.org/techniques/T1185/ - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ 
@@ -21,45 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has concurrent sessions from more than one unique IP address + in the span of 5 minutes. + risk_objects: + - field: user + type: user + score: 42 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised User Account - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 60 - impact: 70 - message: User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes. 
mitre_attack_id: - T1185 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - user - - src_ip - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml index 87ea1fab30..dbe2c55afe 100644 --- a/detections/cloud/azure_ad_device_code_authentication.yml +++ b/detections/cloud/azure_ad_device_code_authentication.yml 
@@ -1,16 +1,32 @@ name: Azure AD Device Code Authentication id: d68d8732-6f7e-4ee5-a6eb-737f2b990b91 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: - Azure Active Directory -description: The following analytic identifies Azure Device Code Phishing attacks, which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs to detect suspicious authentication requests using the device code authentication protocol. This activity is significant as it indicates potential bypassing of Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange mailboxes, and Outlook Web Application (OWA), leading to potential data breaches and unauthorized data access. -search: '`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed. +description: The following analytic identifies Azure Device Code Phishing attacks, + which can lead to Azure Account Take-Over (ATO). 
It leverages Azure AD SignInLogs + to detect suspicious authentication requests using the device code authentication + protocol. This activity is significant as it indicates potential bypassing of Multi-Factor + Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. + If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange + mailboxes, and Outlook Web Application (OWA), leading to potential data breaches + and unauthorized data access. +search: '`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: In most organizations, device code authentication will be used + to access common Microsoft service but it may be legitimate for others. Filter as + needed. references: - https://attack.mitre.org/techniques/T1528 - https://github.com/rvrsh3ll/TokenTactics 
@@ -23,47 +39,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Device code requested for $user$ from $src_ip$ + risk_objects: + - field: user + type: user + score: 35 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 50 - impact: 70 - message: Device code requested for $user$ from $src_ip$ mitre_attack_id: - T1528 - T1566 - T1566.002 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 - required_fields: - - _time - - category - - user - - properties.authenticationProtocol - - properties.ipAddress - - properties.status.additionalDetails - - 
properties.appDisplayName - - properties.userAgent security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml index 7efe7bace2..b21df736a9 100644 --- a/detections/cloud/azure_ad_external_guest_user_invited.yml +++ b/detections/cloud/azure_ad_external_guest_user_invited.yml 
@@ -1,16 +1,30 @@ name: Azure AD External Guest User Invited id: c1fb4edb-cab1-4359-9b40-925ffd797fb5 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment. +description: The following analytic detects the invitation of an external guest user + within Azure AD. It leverages Azure AD AuditLogs to identify events where an external + user is invited, using fields such as operationName and initiatedBy. Monitoring + these invitations is crucial as they can lead to unauthorized access if abused. + If confirmed malicious, this activity could allow attackers to gain access to internal + resources, potentially leading to data breaches or further exploitation of the environment. data_source: - Azure Active Directory Invite external user -search: '`azure_monitor_aad` operationName="Invite external user" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Administrator may legitimately invite external guest users. Filter as needed. +search: '`azure_monitor_aad` operationName="Invite external user" | rename properties.* as + * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type + as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLogs log category. +known_false_positives: Administrator may legitimately invite external guest users. + Filter as needed. references: - https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf - https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999 
@@ -22,43 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: External Guest User $user$ initiated by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 45 + - field: initiatedBy + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 90 - impact: 50 - message: External Guest User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1136.003 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - properties.targetResources{}.type - - properties.initiatedBy.user.userPrincipalName - - properties.result - 
risk_score: 45 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml index 4d11032bed..25493108d5 100644 --- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml +++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml 
@@ -1,16 +1,35 @@ name: Azure AD FullAccessAsApp Permission Assigned id: ae286126-f2ad-421c-b240-4ea83bd1c43a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. If malicious, this could lead to unauthorized access and data exfiltration. +description: The following analytic detects the assignment of the 'full_access_as_app' + permission to an application within Office 365 Exchange Online. This is identified + by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. + The detection leverages the azure_monitor_aad data source, focusing on AuditLogs + with the operation name 'Update application'. This activity is significant as it + grants broad control over Office 365 operations, including full access to all mailboxes + and the ability to send emails as any user. If malicious, this could lead to unauthorized + access and data exfiltration. 
data_source: - Azure Active Directory Update application -search: '`azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex(''properties.targetResources{}.modifiedProperties{}.newValue'',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = ''{}.RequiredAppPermissions{}.EntitlementId'' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. 
+search: "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\"\ + \ | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) + | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\"\ + \ \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\"\ + \ | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count + earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, + object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_fullaccessasapp_permission_assigned_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: The full_access_as_app API permission may be assigned to legitimate + applications. Filter as needed. references: - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -21,37 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ assigned the full_access_as_app permission to the app registration + $object$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Active Directory - confidence: 60 - impact: 80 - message: User $user$ assigned the full_access_as_app permission to the app registration $object$ mitre_attack_id: - T1098.002 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml index 34e0d25a4a..06b10e4d31 100644 --- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml 
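Review bot: the test block in the `azure_ad_fullaccessasapp_permission_assigned` hunk above drops `- update_timestamp: true` with nothing replacing it; if the test harness does not re-time the replayed `full_access_as_app_permission_assigned.log` events into the search window by default, this detection will stop firing in CI. Confirm that behaviour for the contentctl version CI installs and state it in the PR description, since the same removal is repeated in most files of this patch. The rest of the migration checks out: `score: 48` equals the removed `confidence: 60` times `impact: 80` divided by 100, the `rba.message` is the old `message` verbatim, and `user` stays the only risk object.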
@@ -1,16 +1,32 @@ name: Azure AD Global Administrator Role Assigned id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the "Add member to role" operation includes the "Global Administrator" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk. +description: The following analytic detects the assignment of the Azure AD Global + Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify + when the "Add member to role" operation includes the "Global Administrator" role. + This activity is significant because the Global Administrator role grants extensive + access to data, resources, and settings, similar to a Domain Administrator in traditional + AD environments. If confirmed malicious, this could allow an attacker to establish + persistence, escalate privileges, and potentially gain control over Azure resources, + posing a severe security risk. 
data_source: - Azure Active Directory Add member to role -search: '`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Administrators may legitimately assign the Global Administrator role to a user. Filter as needed. +search: '`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global + Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. 
+known_false_positives: Administrators may legitimately assign the Global Administrator + role to a user. Filter as needed. references: - https://o365blog.com/post/admin/ - https://adsecurity.org/?p=4277 
@@ -24,44 +40,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 72 + - field: initiatedBy + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - Azure Active Directory Privilege Escalation asset_type: Azure Active Directory - confidence: 90 - impact: 80 - message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1098.003 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - 
properties.targetResources{}.type - - properties.initiatedBy.user.userPrincipalName - - properties.result - risk_score: 72 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml index d228df26b5..2ebfe3128c 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml 
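Review bot: the new `initiatedBy` risk object (score 72) in the hunk above is only populated when the search's `rename initiatedBy.user.userPrincipalName as initiatedBy` finds a user principal; a Global Administrator assignment performed by an application or service principal leaves that field empty, so such events raise a risk event for `user` only. If that is acceptable, say so in `known_false_positives` or `how_to_implement`; otherwise coalesce the user and app identity fields before the `stats`. The numbers are consistent: 72 equals the removed `confidence: 90` times `impact: 80` divided by 100 for both objects, and `message` is carried over unchanged.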
@@ -1,16 +1,32 @@ name: Azure AD High Number Of Failed Authentications For User id: 630b1694-210a-48ee-a450-6f79e7679f2c -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives. +description: The following analytic identifies an Azure AD account experiencing more + than 20 failed authentication attempts within a 10-minute window. This detection + leverages Azure SignInLogs data, specifically monitoring for error code 50126 and + unsuccessful authentication attempts. This behavior is significant as it may indicate + a brute force attack targeting the account. If confirmed malicious, an attacker + could potentially gain unauthorized access, leading to data breaches or further + exploitation within the environment. Security teams should adjust the threshold + based on their specific environment to reduce false positives. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. +search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime + values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. 
+known_false_positives: A user with more than 20 failed authentication attempts in + the span of 5 minutes may also be triggered by a broken application. references: - https://attack.mitre.org/techniques/T1110/ - https://attack.mitre.org/techniques/T1110/001/ 
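Review bot: the rewritten `known_false_positives` line in the hunk above still says "in the span of 5 minutes" while the search in the same hunk buckets on `bucket span=10m _time` and the rewritten description says "within a 10-minute window". Since the line is being touched anyway, change it to `more than 20 failed authentication attempts in the span of 10 minutes`.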
@@ -20,42 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ failed to authenticate more than 20 times in the span of 5 + minutes. + risk_objects: + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Compromised User Account - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 70 - impact: 50 - message: User $user$ failed to authenticate more than 20 times in the span of 5 minutes. 
mitre_attack_id: - T1110 - T1110.001 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - user - - properties.ipAddress - risk_score: 35 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml index 81a682ea42..9829ad4b7a 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml 
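Review bot: the new `rba.message` in the hunk above ("more than 20 times in the span of 5 minutes") carries over the old 5-minute wording, but the detection buckets on a 10-minute span, so analysts reading the risk event will be told a window that does not match the search. Change it to `User $user$ failed to authenticate more than 20 times in the span of 10 minutes.` Score 35 matches the removed `confidence: 70` times `impact: 50` divided by 100.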
@@ -1,16 +1,32 @@ name: Azure AD High Number Of Failed Authentications From Ip id: e5ab41bf-745d-4f72-a393-2611151afd8e -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment. +description: The following analytic detects an IP address with 20 or more failed authentication + attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs + to identify repeated failed logins from the same IP. This behavior is significant + as it may indicate a brute force attack aimed at gaining unauthorized access or + escalating privileges. If confirmed malicious, the attacker could potentially compromise + user accounts, leading to unauthorized access to sensitive information and resources + within the Azure environment. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip _time | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application. +search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime + dc(user) AS unique_accounts values(user) as user by src_ip _time | where count > + 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + `azure_ad_high_number_of_failed_authentications_from_ip_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. 
+known_false_positives: An Ip address with more than 20 failed authentication attempts + in the span of 10 minutes may also be triggered by a broken application. references: - https://attack.mitre.org/techniques/T1110/ - https://attack.mitre.org/techniques/T1110/001/ 
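Review bot: the rewritten description in the hunk above says "20 or more failed authentication attempts" but the search it sits next to filters on `where count > 20`, which requires at least 21; either change the description to "more than 20" or relax the condition to `count >= 20`. While the `known_false_positives` line is being rewritten, also capitalise "An Ip address" as "An IP address".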
@@ -21,48 +37,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_ip$ failed to authenticate more than 20 times in the span of 10 minutes + minutes. + risk_objects: + - field: user + type: user + score: 35 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised User Account - Azure Active Directory Account Takeover - NOBELIUM Group asset_type: Azure Tenant - confidence: 70 - impact: 50 - message: $src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes. 
mitre_attack_id: - T1110 - T1110.001 - T1110.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - user - - src_ip - risk_score: 35 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml index b731fd24d7..7e8ff92cd0 100644 --- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml +++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml 
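Review bot: the new `rba.message` in the hunk above reads "in the span of 10 minutes minutes."; the duplicated word was inherited from the old `message` and should be fixed now that the line is being rewritten: `$src_ip$ failed to authenticate more than 20 times in the span of 10 minutes.` The rest of the migration is consistent with the removed fields: `user` as risk object with score 35 (70 times 50 divided by 100) and `src_ip` moved from the Attacker observable to `threat_objects` as `ip_address`.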
@@ -1,16 +1,31 @@ name: Azure AD Multi-Factor Authentication Disabled id: 482dd42a-acfa-486b-a0bb-d6fcda27318e -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the "Disable Strong Authentication" operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment. +description: The following analytic detects attempts to disable multi-factor authentication + (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify + the "Disable Strong Authentication" operation. This activity is significant because + disabling MFA can allow adversaries to maintain persistence using compromised accounts + without raising suspicion. If confirmed malicious, this action could enable attackers + to bypass an essential security control, potentially leading to unauthorized access + and prolonged undetected presence in the environment. 
data_source: - Azure Active Directory Disable Strong Authentication -search: '`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Legitimate use case may require for users to disable MFA. Filter as needed. +search: '`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication" + | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, + type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: Legitimate use case may require for users to disable MFA. Filter + as needed. 
references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates 
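Review bot: `version` in the hunk above jumps from 4 to 6 while every other detection in this patch is bumped by exactly one; unless a version 5 was released in between, this should be `version: 5`. The rewritten `known_false_positives` sentence also reads awkwardly ("Legitimate use case may require for users to disable MFA"); since the line is being touched, make it `Legitimate use cases may require users to disable MFA. Filter as needed.`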
@@ -22,46 +37,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: MFA disabled for User $user$ initiated by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 45 + - field: initiatedBy + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 50 - message: MFA disabled for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1586 - T1586.003 - T1556 - T1556.006 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - properties.targetResources{}.type - - 
properties.initiatedBy.user.userPrincipalName - - properties.result - risk_score: 45 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml index 762edbf371..01e3e46116 100644 --- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml 
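Review bot: the new `rba.message` in the hunk above ("MFA disabled for User $user$ initiated by $initiatedBy$") does not distinguish successful from failed attempts, although the search groups on `result` and raises a score-45 risk event for both objects either way; consider `MFA disabled for User $user$ initiated by $initiatedBy$ (result: $result$)` so triage can tell them apart without opening the event. Scores are consistent with the removed `confidence: 90` times `impact: 50` divided by 100.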
@@ -1,16 +1,46 @@ name: Azure AD Multi-Source Failed Authentications Spike id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: Hunting data_source: - Azure Active Directory -description: The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure. -search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. +description: The following analytic detects potential distributed password spraying + attacks in an Azure AD environment. It identifies a spike in failed authentication + attempts across various user-and-IP combinations from multiple source IPs and countries, + using different user agents. This detection leverages Azure AD SignInLogs, focusing + on error code 50126 for failed authentications. This activity is significant as + it indicates an adversary's attempt to bypass security controls by distributing + login attempts. If confirmed malicious, this could lead to unauthorized access, + data breaches, privilege escalation, and lateral movement within the organization's + infrastructure. +search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . 
user | stats count + min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, + dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, + dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) + as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries + | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND + uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_multi_source_failed_authentications_spike_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. The thresholds set within the + analytic (such as unique IPs, unique users, etc.) are initial guidelines and should + be customized based on the organization's user behavior and risk profile. Security + teams are encouraged to adjust these thresholds to optimize the balance between + detecting genuine threats and minimizing false positives, ensuring the detection + is tailored to their specific environment. +known_false_positives: This detection may yield false positives in scenarios where + legitimate bulk sign-in activities occur, such as during company-wide system updates + or when users are accessing resources from varying locations in a short time frame, + such as in the case of VPNs or cloud services that rotate IP addresses. Filter as + needed. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray 
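Review bot: the rewritten description in the hunk above says the spike is observed "from multiple source IPs and countries, using different user agents", but the search it accompanies requires `uniqueUserAgents = 1`, that is, a single user agent across all attempts. One of the two is wrong; if the single-user-agent condition is the intended spray signature, reword the description to say so (for example "from a single user agent"), since the line is being rewritten anyway.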
@@ -22,37 +52,21 @@ tags: - NOBELIUM Group asset_type: Azure Tenant atomic_guid: [] - confidence: 60 - impact: 70 - message: An anomalous multi source authentication spike ocurred at $_time$ mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 42 - required_fields: - - _time - - category - - properties.authenticationDetails{}.succeeded - - properties.location.countryOrRegion - - user_agent - - src_ip - - user security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml index 5afdf5ba30..95bcb040de 100644 --- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml 
@@ -1,16 +1,37 @@ name: Azure AD Multiple AppIDs and UserAgents Authentication Spike id: 5d8bb1f0-f65a-4b4e-af2e-fcdb88276314 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: Anomaly data_source: - Azure Active Directory Sign-in activity -description: The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm. -search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" (properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication AND "properties.authenticationDetails{}.succeeded"=true) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. +description: The following analytic detects unusual authentication activity in Azure + AD, specifically when a single user account has over 8 authentication attempts using + 3+ unique application IDs and 5+ unique user agents within a short period. It leverages + Azure AD audit logs, focusing on authentication events and using statistical thresholds. + This behavior is significant as it may indicate an adversary probing for MFA requirements. + If confirmed malicious, it suggests a compromised account, potentially leading to + further exploitation, lateral movement, and data exfiltration. Early detection is + crucial to prevent substantial harm. 
+search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" + (properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA + required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication + AND "properties.authenticationDetails{}.succeeded"=true) | bucket span=5m _time + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) + values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids + > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: Rapid authentication from the same user using more than 5 different + user agents and 3 application IDs is highly unlikely under normal circumstances. + However, there are potential scenarios that could lead to false positives. references: - https://attack.mitre.org/techniques/T1078/ - https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ 
@@ -22,43 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $user$ authenticated in a short periof of time with more than 5 different + user agents across 3 or more unique application ids. + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 80 - impact: 60 - message: $user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids. 
mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 - required_fields: - - _time - - category - - user - - src_ip - - operationName - - properties.authenticationRequirement - - properties.status.additionalDetails - - properties.authenticationDetails{}.succeeded - - properties.userAgent - - properties.appDisplayName security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml index fdabbd592b..43ac84dbf7 100644 --- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml 
@@ -1,16 +1,33 @@ name: Azure AD Multiple Denied MFA Requests For User id: d0895c20-de71-4fd2-b56c-3fcdb888eba1 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Sign-in activity -description: The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities. -search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. 
-known_false_positives: Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed. +description: The following analytic detects an unusually high number of denied Multi-Factor + Authentication (MFA) requests for a single user within a 10-minute window, specifically + when more than nine MFA prompts are declined. It leverages Azure Active Directory + (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 + and additional details indicating "MFA denied; user declined the authentication." + This behavior is significant as it may indicate a targeted attack or account compromise + attempt, with the user actively declining unauthorized access. If confirmed malicious, + it could lead to data exfiltration, lateral movement, or further malicious activities. +search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" + | rename properties.* as * | search status.errorCode=500121 status.additionalDetails="MFA + denied; user declined the authentication" | bucket span=10m _time | stats count + min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, + appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. +known_false_positives: Multiple denifed MFA requests in a short period of span may + also be a sign of authentication errors. Investigate and filter as needed. 
references: - https://www.mandiant.com/resources/blog/russian-targeting-gov-business - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ 
@@ -24,41 +41,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. + risk_objects: + - field: user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 60 atomic_guid: [] - message: User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. 
mitre_attack_id: - T1621 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 54 - required_fields: - - _time - - category - - properties.status.errorCode - - properties.status.additionalDetails - - user - - properties.appDisplayName - - user_agent security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index cedeef1f6f..c132716d7b 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml 
@@ -1,16 +1,33 @@ name: Azure AD Multiple Failed MFA Requests For User id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment. +description: The following analytic identifies multiple failed multi-factor authentication + (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD + Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA + attempts within 10 minutes. This behavior is significant as it may indicate an adversary + attempting to bypass MFA by bombarding the user with repeated authentication prompts. + If confirmed malicious, this activity could lead to unauthorized access, allowing + attackers to compromise user accounts and potentially escalate their privileges + within the environment. 
data_source: - Azure Active Directory Sign-in activity -search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. +search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" + properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; + user declined the authentication" | rename properties.* as * | bucket span=10m _time + | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, + appDisplayName, user_agent | where count > 10 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. 
This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. +known_false_positives: Multiple Failed MFA requests may also be a sign of authentication + or application issues. Filter as needed. references: - https://www.mandiant.com/resources/blog/russian-targeting-gov-business - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ 
@@ -24,45 +41,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ failed to complete MFA authentication more than 9 times in + a timespan of 10 minutes. + risk_objects: + - field: user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes. 
mitre_attack_id: - T1586 - T1586.003 - T1621 - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - user - - user_agent - - operationName - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml index 1b5a88d8d8..074a1da503 100644 --- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml 
@@ -1,16 +1,33 @@ name: Azure AD Multiple Service Principals Created by SP id: 66cb378f-234d-4fe1-bb4c-e7878ff6b017 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - Azure Active Directory Add service principal type: Anomaly status: production -description: The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment. -search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
-known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. +description: The following analytic detects when a single service principal in Azure + AD creates more than three unique OAuth applications within a 10-minute span. It + leverages Azure AD audit logs, specifically monitoring the 'Add service principal' + operation initiated by service principals. This behavior is significant as it may + indicate an attacker using a compromised or malicious service principal to rapidly + establish multiple service principals, potentially staging an attack. If confirmed + malicious, this activity could facilitate network infiltration or expansion, allowing + the attacker to gain unauthorized access and persist within the environment. +search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=* + | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName + as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName + as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) + as displayName dc(displayName) as unique_apps by src_user | where unique_apps > + 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. 
references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -20,36 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple OAuth applications were created by $src_user$ in a short period + of time + risk_objects: + - field: src_user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Active Directory - confidence: 60 - impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time mitre_attack_id: - T1136.003 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 42 security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml index 0e32c6949f..71106557e4 100644 --- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml 
@@ -1,16 +1,32 @@ name: Azure AD Multiple Service Principals Created by User id: 32880707-f512-414e-bd7f-204c0c85b758 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - Azure Active Directory Add service principal type: Anomaly status: production -description: The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment. -search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. 
+description: The following analytic identifies instances where a single user creates + more than three unique OAuth applications within a 10-minute timeframe in Azure + AD. It detects this activity by monitoring the 'Add service principal' operation + and aggregating data in 10-minute intervals. This behavior is significant as it + may indicate an adversary rapidly creating multiple service principals to stage + an attack or expand their foothold within the network. If confirmed malicious, this + activity could allow attackers to establish persistence, escalate privileges, or + access sensitive information within the Azure environment. +search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* + | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName + as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) + as displayName dc(displayName) as unique_apps by src_user | where unique_apps > + 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -20,40 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple OAuth applications were created by $src_user$ in a short period + of time + risk_objects: + - field: src_user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Active Directory - confidence: 60 - impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time mitre_attack_id: - T1136.003 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName - - properties.initiatedBy.user.id - - targetResources{}.displayName - - src_user - risk_score: 42 security_domain: 
identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml index 140fa49f80..db156f8d6c 100644 --- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml 
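Review bot: dropping `- update_timestamp: true` from the True Positive Test changes how the attack data is replayed; this search buckets on `bucket span=10m _time` and only fires on `where unique_apps > 3`, so it depends on the dataset's service principal creations still landing in one 10 minute window. Confirm the test still passes with the dataset's original timestamps. The new `rba` block preserves the previous risk value (score 42 equals the removed confidence 60 times impact 70 over 100), `src_user` as a `user` risk object matches the removed Victim observable, and `threat_objects: []` is correct here because the search groups only by `src_user` and emits no attacker field.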
@@ -1,16 +1,32 @@ name: Azure AD Multiple Users Failing To Authenticate From Ip id: 94481a6a-8f59-4c86-957f-55a71e3612a6 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects a single source IP failing to authenticate with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or privilege escalation within the Azure AD environment. +description: The following analytic detects a single source IP failing to authenticate + with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages + Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior + is significant as it may indicate a Password Spraying attack, where an adversary + attempts to gain initial access or elevate privileges by trying common passwords + across many accounts. If confirmed malicious, this activity could lead to unauthorized + access, data breaches, or privilege escalation within the Azure AD environment. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. +search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime + dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts + > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. 
+known_false_positives: A source Ip failing to authenticate with multiple users is + not a common for legitimate behavior. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray 
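Review bot: the reflowed `known_false_positives` carries a grammatical error that should be fixed while the line is being touched; suggest `A source IP failing to authenticate with multiple users is not common legitimate behavior.` Also, `how_to_implement` refers to the `Signin` log category while the search filters on `category=SignInLogs`; naming the category the way the search spells it avoids confusion when someone configures the diagnostic setting.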
@@ -22,48 +38,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes. + risk_objects: + - field: user + type: user + score: 63 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 70 - message: Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes. 
mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - user - - user_agent - risk_score: 63 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml index a882652264..9e8a4514bd 100644 --- a/detections/cloud/azure_ad_new_custom_domain_added.yml +++ b/detections/cloud/azure_ad_new_custom_domain_added.yml 
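Review bot: `message: Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes.` under-reports the finding, because the search only fires on `where unique_accounts > 30`; either say `more than 30 users` or interpolate the computed field as `$unique_accounts$`, which the search already produces via `dc(user) AS unique_accounts`. Score 63 matches the removed confidence 90 and impact 70, and mapping `src_ip` to `threat_objects` with type `ip_address` preserves the former Attacker observable. The removed `required_fields` listed `user_agent`, which the search never referenced, so nothing is lost there.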
@@ -1,16 +1,32 @@ name: Azure AD New Custom Domain Added id: 30c47f45-dd6a-4720-9963-0bca6c8686ef -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful "Add unverified domain" operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk. +description: The following analytic detects the addition of a new custom domain within + an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify + successful "Add unverified domain" operations. This activity is significant as it + may indicate an adversary attempting to establish persistence by setting up identity + federation backdoors, allowing them to impersonate users and bypass authentication + mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized + access, escalate privileges, and maintain long-term access to the Azure AD environment, + posing a severe security risk. 
data_source: - Azure Active Directory Add unverified domain -search: '`azure_monitor_aad` operationName="Add unverified domain" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: In most organizations, new customm domains will be updated infrequently. Filter as needed. +search: '`azure_monitor_aad` operationName="Add unverified domain" properties.result=success + | rename properties.* as * | rename targetResources{}.displayName as domain | stats + count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, + src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_new_custom_domain_added_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLogs log category. +known_false_positives: In most organizations, new customm domains will be updated + infrequently. Filter as needed. 
references: - https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage - https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13 
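Review bot: the reflowed `known_false_positives` still contains the typo `customm domains`; since the line is being rewritten anyway, correct it to `custom domains`. The rest of the hunk is folding of unchanged text plus the version/date bump.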
@@ -24,41 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new custom domain, $domain$ , was added by $user$ + risk_objects: + - field: user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: A new custom domain, $domain$ , was added by $user$ mitre_attack_id: - T1484 - T1484.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName - - properties.result - - src_ip - - properties.targetResources{}.displayName - - user - risk_score: 54 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml index 4ed7fcabff..18765ab8c2 100644 --- a/detections/cloud/azure_ad_new_federated_domain_added.yml +++ b/detections/cloud/azure_ad_new_federated_domain_added.yml 
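Review bot: `message: A new custom domain, $domain$ , was added by $user$` has a stray space before the comma that will show up verbatim in the rendered risk message; write `$domain$, was added`. Score 54 is consistent with the removed confidence 90 and impact 60. `- update_timestamp: true` is also removed from the test here; unlike the bucketed detections earlier in this change, this search has no time window (`stats count ... by user, domain, result, operationName, src_ip`), so the removal should not affect the test outcome.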
@@ -1,16 +1,31 @@ name: Azure AD New Federated Domain Added id: a87cd633-076d-4ab2-9047-977751a3c1a0 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful "Set domain authentication" operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment. +description: The following analytic detects the addition of a new federated domain + within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify + successful "Set domain authentication" operations. This activity is significant + as it may indicate the use of the Azure AD identity federation backdoor technique, + allowing an adversary to establish persistence. If confirmed malicious, the attacker + could impersonate any user, bypassing password and MFA requirements, potentially + leading to unauthorized access and control over the Azure AD environment. 
data_source: - Azure Active Directory Set domain authentication -search: '`azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: In most organizations, domain federation settings will be updated infrequently. Filter as needed. +search: '`azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success + | rename properties.* as * | rename targetResources{}.displayName as domain | stats + count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, + src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_new_federated_domain_added_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLogs log category. +known_false_positives: In most organizations, domain federation settings will be updated + infrequently. Filter as needed. 
references: - https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13 - https://o365blog.com/post/federation-vulnerability/ 
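Review bot: the search uses a quoted field name, `"properties.result"=success`, whereas the sibling `azure_ad_new_custom_domain_added.yml` in this same change writes `properties.result=success`; both work in SPL, but since the line is being reflowed it would be worth making the two detections consistent. Otherwise the hunk is folding plus the version/date bump.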
@@ -23,41 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new federated domain, $domain$ , was added by $user$ + risk_objects: + - field: user + type: user + score: 81 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 90 - impact: 90 - message: A new federated domain, $domain$ , was added by $user$ mitre_attack_id: - T1484 - T1484.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName - - properties.result - - src_ip - - properties.targetResources{}.displayName - - user - risk_score: 81 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml index 01c60a3fa0..548366097d 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml 
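Review bot: same stray space as in the custom domain detection: `message: A new federated domain, $domain$ , was added by $user$` should read `$domain$, was added`. Score 81 matches the removed confidence 90 and impact 90, and `threat_objects: []` is right because the search emits `src_ip` only as a grouping field, with no attacker role previously assigned to it.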
@@ -1,16 +1,37 @@ name: Azure AD New MFA Method Registered id: 0488e814-eb81-42c3-9f1f-b2244973e3a3 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Update user -description: The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs to identify changes in MFA configurations. This activity is significant because adding a new MFA method can indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. Immediate verification and remediation are required to secure the affected account. -search: '`azure_monitor_aad` operationName="Update user" | rename properties.* as * | eval propertyName = mvindex(''targetResources{}.modifiedProperties{}.displayName'', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex(''targetResources{}.modifiedProperties{}.oldValue'',0) | eval newvalue = mvindex(''targetResources{}.modifiedProperties{}.newValue'',0) | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Users may register MFA methods legitimally, investigate and filter as needed. +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for a user account in Azure Active Directory. It leverages + Azure AD audit logs to identify changes in MFA configurations. This activity is + significant because adding a new MFA method can indicate an attacker's attempt to + maintain persistence on a compromised account. If confirmed malicious, the attacker + could bypass existing security measures, solidify their access, and potentially + escalate privileges, access sensitive data, or make unauthorized changes. Immediate + verification and remediation are required to secure the affected account. +search: "`azure_monitor_aad` operationName=\"Update user\" | rename properties.* + as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', + 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) + | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | + rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | + rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | + eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type + = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) + as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from 
Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: Users may register MFA methods legitimally, investigate and + filter as needed. references: - https://attack.mitre.org/techniques/T1098/005/ - https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ 
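Review bot: the search computes `count_new_method_type` and `count_old_method_type` but never uses them, so the detection fires on every `StrongAuthenticationMethod` update (including removals or reorderings of methods) rather than only on a newly registered method; if the intent is the title's "New MFA Method Registered", add `| where count_new_method_type > count_old_method_type` before the `stats`, or drop the two `eval` lines if the broader trigger is intended. Related to that, the `rex` patterns as shown, `\"(?i)(?\\\"MethodType\\\")\"`, do not visibly name a capture group, yet `mvcount(new_method_type)` and `mvcount(old_method_type)` reference named fields; please confirm the named groups survived the switch from single-quoted YAML (`''`) to double-quoted YAML with `\"` and `\\\"` escapes, since a lost group name would make both counts 0 without any error. Finally, `known_false_positives` keeps the typo `legitimally` (should be `legitimately`), and `how_to_implement` says `AuditLog` where the other detections and the Azure category name use `AuditLogs`.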
@@ -21,40 +42,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new MFA method was registered for user $user$ + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Tenant - confidence: 50 - impact: 60 - message: A new MFA method was registered for user $user$ mitre_attack_id: - T1098 - T1098.005 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - operationName - - properties.targetResources{}.modifiedProperties{}.displayName - - properties.targetResources{}.modifiedProperties{}.oldValue - - properties.targetResources{}.modifiedProperties{}.newValue - - user 
security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml index 787f7c5816..aa0fd57ecc 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml 
@@ -1,16 +1,31 @@ name: Azure AD New MFA Method Registered For User id: 2628b087-4189-403f-9044-87403f777a1b -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment. +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs + to identify when a user registers new security information. This activity is significant + because adversaries who gain unauthorized access to an account may add their own + MFA method to maintain persistence. If confirmed malicious, this could allow attackers + to bypass existing security controls, maintain long-term access, and potentially + escalate their privileges within the environment. 
data_source: - Azure Active Directory User registered security info -search: '`azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. +search: '`azure_monitor_aad` category=AuditLogs operationName="User registered security + info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* + as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, + result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_new_mfa_method_registered_for_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: Newly onboarded users who are registering an MFA method for + the first time will also trigger this detection. 
references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks - https://attack.mitre.org/techniques/T1556/ 
@@ -22,48 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new MFA method was registered for user $user$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised User Account - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 80 - impact: 80 - message: A new MFA method was registered for user $user$ mitre_attack_id: - T1556 - T1556.006 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - category - - operationName - - properties.operationType - - user - - resultDescription - - result - - src_ip - 
risk_score: 64 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml index 9b370e317d..e407487b6b 100644 --- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml +++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml 
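Review bot: `- update_timestamp: true` is dropped from the True Positive Test at the end of the hunk, which is unrelated to the rba migration the rest of the hunk performs; the other detections in this patch never had that flag, so confirm the azuread.log dataset still replays within the test window without timestamp rewriting, or mention the reason in the commit message. The rba block itself is consistent with the removed tags (64 = 80 x 80 / 100), and keeping `src_ip` as an `ip_address` threat object preserves the old Attacker role, which is the right mapping.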
@@ -1,16 +1,36 @@ name: Azure AD OAuth Application Consent Granted By User id: 10ec9031-015b-4617-b453-c0c1ab729007 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Consent to application -description: The following analytic detects when a user in an Azure AD environment grants consent to an OAuth application. It leverages Azure AD audit logs to identify events where users approve application consents. This activity is significant as it can expose organizational data to third-party applications, a common tactic used by malicious actors to gain unauthorized access. If confirmed malicious, this could lead to unauthorized access to sensitive information and resources. Immediate investigation is required to validate the application's legitimacy, review permissions, and mitigate potential risks. -search: '`azure_monitor_aad` operationName="Consent to application" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind(''targetResources{}.modifiedProperties{}.displayName'', "ConsentAction.Permissions") >= 0, mvfind(''targetResources{}.modifiedProperties{}.displayName'', "ConsentAction.Permissions"), -1) | eval permissions = mvindex(''targetResources{}.modifiedProperties{}.newValue'',permissions_index) | rex field=permissions "Scope: (?[^,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. 
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices. +description: The following analytic detects when a user in an Azure AD environment + grants consent to an OAuth application. It leverages Azure AD audit logs to identify + events where users approve application consents. This activity is significant as + it can expose organizational data to third-party applications, a common tactic used + by malicious actors to gain unauthorized access. If confirmed malicious, this could + lead to unauthorized access to sensitive information and resources. Immediate investigation + is required to validate the application's legitimacy, review permissions, and mitigate + potential risks. +search: "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=success + | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + \"ConsentAction.Permissions\"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) + | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime + max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
+ You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: False positives may occur if users are granting consents as + part of legitimate application integrations or setups. It is crucial to review the + application and the permissions it requests to ensure they align with organizational + policies and security best practices. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ 
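Review bot: the `rex` in the reflowed `search` reads `"Scope: (?[^,]+)"`, a capture group with no name, yet the following `stats ... by operationName, user, Scope` depends on a `Scope` field; if that is literally what the file contains, `Scope` is never extracted and every result is grouped only by operationName and user. If the intended pattern is `(?<Scope>[^,]+)` and the angle brackets were lost in rendering, ignore this. Two smaller points on the same hunk: the scalar was switched from a single-quoted string (with `''` escapes) to a double-quoted one with `\"` escapes, which is equivalent but differs from the other four detections in this patch, and `how_to_implement` says "AuditLog log category" while the Azure Monitor category value used by the MFA detection's search is `category=AuditLogs`.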
@@ -24,38 +44,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ consented an OAuth application. + risk_objects: + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 60 - impact: 60 - message: User $user$ consented an OAuth application. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - operationName - - properties.targetResources{}.modifiedProperties{}.displayName - - properties.targetResources{}.modifiedProperties{}.newValue - - user security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml index 3c10452668..62cf108b66 100644 --- a/detections/cloud/azure_ad_pim_role_assigned.yml +++ b/detections/cloud/azure_ad_pim_role_assigned.yml 
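Review bot: the rba `message` "User $user$ consented an OAuth application." is missing "to" and gives the analyst no application or permission detail, even though the search's `stats` already produces a `Scope` field; since the message is being moved anyway, consider "User $user$ consented to an OAuth application requesting scope $Scope$". Score 36 matches the removed confidence/impact (60 x 60 / 100), and an empty `threat_objects` is reasonable here because the search exposes no source address.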
@@ -1,16 +1,31 @@ name: Azure AD PIM Role Assigned id: fcd6dfeb-191c-46a0-a29c-c306382145ab -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory -description: The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment. -search: '`azure_monitor_aad` operationName="Add eligible member to role in PIM completed*" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed +description: The following analytic detects the assignment of an Azure AD Privileged + Identity Management (PIM) role. It leverages Azure Active Directory events to identify + when a user is added as an eligible member to a PIM role. 
This activity is significant + because PIM roles grant elevated privileges, and their assignment should be closely + monitored to prevent unauthorized access. If confirmed malicious, an attacker could + exploit this to gain privileged access, potentially leading to unauthorized actions, + data breaches, or further compromise of the environment. +search: '`azure_monitor_aad` operationName="Add eligible member to role in PIM completed*" + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + values(user) as user values(targetResources{}.displayName) as displayName by result, + operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: As part of legitimate administrative behavior, users may be + assigned PIM roles. Filter as needed references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role 
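Review bot: `how_to_implement` carries "Splunkbase(https://..." with no space before the parenthesis, and `known_false_positives` ends "Filter as needed" without a period; both strings are being re-wrapped in this hunk, so fix them now. The same two strings recur in azure_ad_pim_role_assignment_activated.yml further down in this patch, whereas the Privileged Authentication Administrator and Graph API detections already spell it "Splunkbase (https://...".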
@@ -21,41 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An Azure AD PIM role assignment was assiged to $user$ + risk_objects: + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 50 - impact: 70 - message: An Azure AD PIM role assignment was assiged to $user$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 - required_fields: - - _time - - properties - - operationName - - user - - initiatedBy.user.userPrincipalName - - result security_domain: identity tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml index b3ef1f5dc4..7904b536f7 100644 --- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml +++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml 
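Review bot: the rba `message` "An Azure AD PIM role assignment was assiged to $user$" carries the typo "assiged" over from the removed `tags.message`; correct it to "assigned" while the line is being moved. Separately, the True Positive Test points at `.../T1098.003/azure_ad_pim_role_activated/azure-audit.log`, the same dataset the PIM Role Assignment Activated detection uses, while this search matches `operationName="Add eligible member to role in PIM completed*"`; confirm that log actually contains eligible-member events rather than the test passing incidentally.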
@@ -1,16 +1,32 @@ name: Azure AD PIM Role Assignment Activated id: 952e80d0-e343-439b-83f4-808c3e6fbf2e -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory -description: The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the "Add member to role completed (PIM activation)" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment. -search: '`azure_monitor_aad` operationName="Add member to role completed (PIM activation)" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed +description: The following analytic detects the activation of an Azure AD Privileged + Identity Management (PIM) role. 
It leverages Azure Active Directory events to identify + when a user activates a PIM role assignment, indicated by the "Add member to role + completed (PIM activation)" operation. Monitoring this activity is crucial as PIM + roles grant elevated privileges, and unauthorized activation could indicate an adversary + attempting to gain privileged access. If confirmed malicious, this could lead to + unauthorized administrative actions, data breaches, or further compromise of the + Azure environment. +search: '`azure_monitor_aad` operationName="Add member to role completed (PIM activation)" + | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy + | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user + values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: As part of legitimate administrative behavior, users may activate + PIM roles. Filter as needed references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role 
@@ -21,41 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$ + risk_objects: + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 50 - impact: 70 - message: An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties - - operationName - - user - - initiatedBy.user.userPrincipalName - - result - risk_score: 35 security_domain: identity tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log source: eventhub://researchhub1.servicebus.windows.net/azureadhub; sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml index 84ff7183e3..0126f433e3 100644 --- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml 
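Review bot: the rba `message` "An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$" has two "by" clauses and reads as if both fields are the actor; the search renames `initiatedBy.user.userPrincipalName` to `initiatedBy` as the person performing the activation and `user` as the account whose role is activated, so "activated for $user$ by $initiatedBy$" states what the search produces. Also, `initiatedBy` is neither a risk object nor a threat object here, while azure_ad_privileged_authentication_administrator_role_assigned.yml in the same patch adds `initiatedBy` as a second risk object; the two detections should treat the initiating identity the same way.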
@@ -1,16 +1,32 @@ name: Azure AD Privileged Authentication Administrator Role Assigned id: a7da845d-6fae-41cf-b823-6c0b8c55814a -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: - Azure Active Directory Add member to role -description: The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations. -search: '`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. 
Filter as needed. +description: The following analytic detects the assignment of the Privileged Authentication + Administrator role to an Azure AD user. It leverages Azure Active Directory audit + logs to identify when this specific role is assigned. This activity is significant + because users in this role can set or reset authentication methods for any user, + including those in privileged roles like Global Administrators. If confirmed malicious, + an attacker could change credentials and assume the identity and permissions of + high-privilege users, potentially leading to unauthorized access to sensitive information + and critical configurations. +search: '`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged + Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: Administrators may legitimately assign the Privileged Authentication + Administrator role as part of administrative tasks. Filter as needed. references: - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator - https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 
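Review bot: the reflowed `search` breaks the line inside the escaped literal `"\"Privileged` / `Authentication Administrator\""`. A newline inside a single-quoted YAML scalar folds to one space, so the value still evaluates to `"Privileged Authentication Administrator"`, but wrapping in the middle of an escaped string is easy to break on the next manual edit; wrap at the `|` boundaries as the other searches in this patch do.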
@@ -21,43 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The privileged Azure AD role Privileged Authentication Administrator was + assigned for User $user$ initiated by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 50 + - field: initiatedBy + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation asset_type: Azure Active Directory - confidence: 50 - impact: 100 - message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1003.002 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - user - - properties.targetResources{}.type - - properties.initiatedBy.user.userPrincipalName - - properties.result - risk_score: 50 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml index e7ca09a520..35bdc39cf8 100644 --- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml 
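Review bot: `mitre_attack_id` in this hunk is `T1003.002`, but the True Positive Test dataset lives under `attack_techniques/T1098.003/azure_ad_assign_privileged_role/`, and the detection describes a role assignment rather than credential dumping; align the technique id with the dataset path. On the rba block: the removed `observable` marked `initiatedBy` as Attacker, and the new block turns it into a second `risk_object` at score 50, so the administrator performing the assignment now accrues the same risk as the target account; if the attacker/victim distinction is intended to survive, check whether the rba schema allows a user-type `threat_object` for `initiatedBy` the way `src_ip` was kept as a threat object in the MFA detection. `- update_timestamp: true` is also dropped from the test here, as in that detection.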
@@ -1,16 +1,36 @@ name: Azure AD Privileged Graph API Permission Assigned id: 5521f8c5-1aa3-473c-9eb7-853701924a06 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Update application -description: The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required. -search: '`azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex(''properties.targetResources{}.modifiedProperties{}.newValue'',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = ''{}.RequiredAppPermissions{}.EntitlementId'' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. +description: The following analytic detects the assignment of high-risk Graph API + permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, + and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs + for 'Update application' operations, identifying when these permissions are assigned. + This activity is significant as it grants broad control over Azure AD, including + application and directory settings. If confirmed malicious, it could lead to unauthorized + modifications and potential security breaches, compromising the integrity and security + of the Azure AD environment. Immediate investigation is required. 
+search: "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\"\ + \ | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) + | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"\ + 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"\ + =\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"\ + =\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) + by user, object, user_agent, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: Privileged Graph API permissions may be assigned for legitimate + purposes. Filter as needed. references: - https://cloudbrothers.info/en/azure-attack-paths/ - https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json 
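Review bot: The `search` field here is the only one in this patch switched from a single-quoted YAML scalar to a double-quoted one, and its wrapping now depends on `\`-escaped newlines and `\ ` escaped spaces (e.g. `EntitlementId\"=\"\` continued by `1bfefb4e-...`) to keep the GUID comparisons intact. Any reformatter that re-wraps the scalar will silently alter the SPL. Keeping the single-quoted style with `''` field names, as the sibling detections in this same change do, and wrapping only at `|` boundaries would be more robust.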
@@ -23,42 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ assigned privileged Graph API permissions to $object$ + risk_objects: + - field: user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Active Directory - confidence: 60 - impact: 90 - message: User $user$ assigned privileged Graph API permissions to $object$ mitre_attack_id: - T1003.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 54 - required_fields: - - _time - - category - - operationName - - properties.targetResources{}.modifiedProperties{}.newValue - - user - - object - - user_agent security_domain: identity tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 8f3e9b1cd3..1bdea42857 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml 
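Review bot: The unchanged `mitre_attack_id: - T1003.002` (OS Credential Dumping: SAM) does not match this detection, whose test dataset is filed under `attack_techniques/T1098.003/` and whose siblings below tag `T1098.003`; since the version is bumped here anyway, correct the technique in the same change. This hunk also drops `- update_timestamp: true` from the test data entry, as do the other detections in the patch, without a stated reason; add a line to the commit message naming the contentctl change that makes it unnecessary.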
@@ -1,16 +1,33 @@ name: Azure AD Privileged Role Assigned id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the "Add member to role" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure. +description: The following analytic detects the assignment of privileged Azure Active + Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring + the "Add member to role" operation. This activity is significant as adversaries + may assign privileged roles to compromised accounts to maintain persistence within + the Azure AD environment. If confirmed malicious, this could allow attackers to + escalate privileges, access sensitive information, and maintain long-term control + over the Azure AD infrastructure. 
data_source: - Azure Active Directory Add member to role -search: '`azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed. +search: '`azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as + * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as + roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) + as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup + privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description + | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_privileged_role_assigned_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
+ You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: Administrators will legitimately assign the privileged roles + users as part of administrative tasks. Filter as needed. references: - https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles - https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference 
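Review bot: `version` jumps from 5 to 7 while every other detection in this patch increments by one; confirm a version 6 actually shipped, otherwise set it to 6. The rewritten `known_false_positives` still reads "assign the privileged roles users"; add the missing "to" while the field is being touched.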
@@ -24,45 +41,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 63 + - field: initiatedBy + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Active Directory - confidence: 90 - impact: 70 - message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - properties.targetResources{}.type 
- - properties.initiatedBy.user.userPrincipalName - - properties.result - risk_score: 63 security_domain: audit tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml index 1a4892d35f..5cc46e6989 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml 
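Review bot: `initiatedBy` was the `Attacker` observable and now becomes a second risk object scored 63, identical to the victim `user`. That will raise risk against the administrator on every legitimate role assignment, which `known_false_positives` says is routine; confirm this equal scoring is intended rather than a lower score for the initiator. Separately, `security_domain: audit` differs from the `identity` domain used by the near-identical service principal variant below.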
@@ -1,16 +1,36 @@ name: Azure AD Privileged Role Assigned to Service Principal id: 5dfaa3d3-e2e4-4053-8252-16d9ee528c41 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments. +description: The following analytic detects the assignment of privileged roles to + service principals in Azure Active Directory (AD). It leverages the AuditLogs log + category from ingested Azure AD events. This activity is significant because assigning + elevated permissions to non-human entities can lead to unauthorized access or malicious + activities. If confirmed malicious, attackers could exploit these service principals + to gain elevated access to Azure resources, potentially compromising sensitive data + and critical infrastructure. Monitoring this behavior helps prevent privilege escalation + and ensures the security of Azure environments. 
data_source: - Azure Active Directory Add member to role -search: '`azure_monitor_aad` operationName="Add member to role" | rename properties.* as * | search "targetResources{}.type"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. 
+search: '`azure_monitor_aad` operationName="Add member to role" | rename properties.* + as * | search "targetResources{}.type"=ServicePrincipal | rename initiatedBy.user.userPrincipalName + as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles + | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval + displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as + lastTime values(displayName) as displayName by initiatedBy, result, operationName, + role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole + description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: Administrators may legitimately assign the privileged roles + to Service Principals as part of administrative tasks. Filter as needed. references: - https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 drilldown_searches: 
@@ -19,40 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$initiatedBy$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$initiatedBy$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$initiatedBy$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A privileged Azure AD role was assigned to the Service Principal $displayName$ + initiated by $initiatedBy$ + risk_objects: + - field: initiatedBy + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation - NOBELIUM Group asset_type: Azure Active Directory - confidence: 50 - impact: 70 - message: A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: initiatedBy - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 - required_fields: - - _time - - properties.targetResources{}.type - - 
properties.initiatedBy.user.userPrincipalName - - properties.result security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml index 525fd071cb..578184516d 100644 --- a/detections/cloud/azure_ad_service_principal_authentication.yml +++ b/detections/cloud/azure_ad_service_principal_authentication.yml 
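Review bot: The new `rba` block scores only `initiatedBy` (35) while the message references `$displayName$`, the service principal that received the privileged role. The user variant of this detection scores both the target and the initiator; consider adding the target service principal as a risk object (with `type: other`, as the enumeration detection below does for `tenantId`) so risk accrues to the entity that gained the privilege.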
@@ -1,16 +1,34 @@ name: Azure AD Service Principal Authentication id: 5a2ec401-60bb-474e-b936-1e66e7aa4060 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - Azure Active Directory Sign-in activity type: TTP status: production -description: The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting "Sign-in activity" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment. -search: '`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: Service Principals will legitimally authenticate remotely to your tenant. 
Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips. +description: The following analytic identifies authentication events of service principals + in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically + targeting "Sign-in activity" within ServicePrincipalSignInLogs. This detection gathers + details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring + these events is significant for SOC teams to distinguish between normal application + authentication and potential anomalies, which could indicate compromised credentials + or malicious activities. If confirmed malicious, attackers could gain unauthorized + access to resources, leading to data breaches or further exploitation within the + environment. +search: '`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs + | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) + as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: Service Principals will legitimally authenticate remotely to + your tenant. 
Implementing this detection after establishing a baseline enables a + more accurate identification of security threats, ensuring proactive and informed + responses to safeguard the Azure AD environment. source ips. references: - https://attack.mitre.org/techniques/T1078/004/ - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins 
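Review bot: The `known_false_positives` field is rewritten in this hunk but carries over the typo "legitimally" and the dangling fragment "source ips." at the end of the paragraph; fix both to "legitimately" and drop the fragment while the field is being touched.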
@@ -20,47 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service Principal $user$ authenticated from $src_ip$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover - NOBELIUM Group asset_type: Azure Active Directory - confidence: 50 - impact: 50 - message: Service Principal $user$ authenticated from $src_ip$ mitre_attack_id: - T1078.004 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName - - category - - properties.resourceDisplayName - - properties.resourceId - - user - - src_ip - - 
user_id - risk_score: 25 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml index 00c27e728c..760bfc299c 100644 --- a/detections/cloud/azure_ad_service_principal_created.yml +++ b/detections/cloud/azure_ad_service_principal_created.yml 
@@ -1,16 +1,32 @@ name: Azure AD Service Principal Created id: f8ba49e7-ffd3-4b53-8f61-e73974583c5d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the "Add service principal" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity. +description: The following analytic detects the creation of a Service Principal in + an Azure AD environment. It leverages Azure Active Directory events ingested through + EventHub, specifically monitoring the "Add service principal" operation. This activity + is significant because Service Principals can be used by adversaries to establish + persistence and bypass multi-factor authentication and conditional access policies. + If confirmed malicious, this could allow attackers to maintain single-factor access + to the Azure AD environment, potentially leading to unauthorized access to resources + and prolonged undetected activity. 
data_source: - Azure Active Directory Add service principal -search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Administrator may legitimately create Service Principal. Filter as needed. +search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* + | rename properties.* as * | rename targetResources{}.displayName as displayName + | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) + as lastTime values(displayName) as displayName by type, user, result, operationName + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + thorough an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: Administrator may legitimately create Service Principal. Filter + as needed. 
references: - https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals - https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0 
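Review bot: The rewritten `how_to_implement` still has "Splunkbase(https://..." with no space before the parenthesis and "thorough an EventHub" for "through"; the rewritten `known_false_positives` reads "Administrator may legitimately create Service Principal" and should be "Administrators may legitimately create Service Principals". Since both fields are reflowed in this hunk, fix the wording in the same change.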
@@ -23,40 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$displayName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service Principal named $displayName$ created by $user$ + risk_objects: + - field: displayName + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Active Directory - confidence: 90 - impact: 50 - message: Service Principal named $displayName$ created by $user$ mitre_attack_id: - T1136.003 - observable: - - name: displayName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.targetResources{}.displayName - - properties.targetResources{}.type - - user - - properties.result - risk_score: 45 security_domain: threat tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml index ec27ce7b0c..67efb06d67 100644 --- a/detections/cloud/azure_ad_service_principal_enumeration.yml +++ b/detections/cloud/azure_ad_service_principal_enumeration.yml 
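Review bot: The new risk object `- field: displayName type: user` types the display name of the created service principal as a user account, so risk will be attributed to a user identity that does not exist. `type: other` (as used for `tenantId` in the enumeration detection below) fits better. The creating `$user$` named in the message is not scored at all, although it is the account an adversary would be using; consider adding it as a `user` risk object.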
@@ -1,20 +1,20 @@ name: Azure AD Service Principal Enumeration id: 3f0647ce-add5-4436-8039-cbd1abe74563 -version: 1 +version: 2 date: '2025-01-06' author: Dean Luxton data_source: - Azure Active Directory MicrosoftGraphActivityLogs type: TTP -status: production +status: production description: >- This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools. search: >- - `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) + `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) | fillnull | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P.*?)\/" | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P.*?)\/" - | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent + | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id by src tenantId properties.userAgent | rename properties.userAgent as user_agent | where spn_count>9 | `azure_ad_service_principal_enumeration_filter` how_to_implement: >- 
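Review bot: The `-status: production` / `+status: production` pair is a whitespace-only change; fine, but the unchanged `description` still contains "enumberation" and the doubled "tools such as Azure enumberation tools such as", which could be fixed while the version is bumped. The search now aggregates `values(user_id) as user_id` by `src tenantId properties.userAgent`, so `user_id` becomes multivalue when several identities enumerate from the same source and user agent; the drilldowns and `rba` message that consume `$user_id$` should account for that.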
@@ -27,48 +27,37 @@ references: - https://splunkbase.splunk.com/app/3110 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' +- name: View the detection results for - "$user_id$" + search: '%original_detection_search% | search user_id = "$user_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $spn_count$ Service Principals have been enumerated by $user_id$ from IP $src$ + risk_objects: + - field: tenantId + type: other + score: 80 + threat_objects: + - field: src + type: ip_address + - field: user_agent + type: http_user_agent tags: analytic_story: - Azure Active Directory Privilege Escalation - 
Compromised User Account asset_type: Azure Tenant - confidence: 100 - impact: 80 - message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$ mitre_attack_id: - T1087.004 - T1526 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: tenantId - type: User - role: - - Victim - - name: user_agent - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - category - - properties.requestUri - - src - - user - risk_score: 80 security_domain: identity tests: - name: True Positive Test diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index dbcc94eb53..c737df98b8 100644 --- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml 
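Review bot: the only risk object in the new `rba` block is `tenantId` (type `other`), but both drilldowns were changed to filter `normalized_risk_object IN ("$user_id$")`, so the "View risk events" drilldown will never match the risk object this detection actually writes. Either add `user_id` as a second risk object (type `user`) or point the drilldown at `"$tenantId$"`. Note also that `user_id` comes from `values(user_id)` in the stats and can be multivalue in the message.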
@@ -1,16 +1,32 @@ name: Azure AD Service Principal New Client Credentials id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the "Update application*Certificates and secrets management" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment. +description: The following analytic detects the addition of new credentials to Service + Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically + monitoring the "Update application*Certificates and secrets management" operation. + This activity is significant as it may indicate an adversary attempting to maintain + persistent access or escalate privileges within the Azure environment. If confirmed + malicious, attackers could use these new credentials to log in as the service principal, + potentially compromising sensitive accounts and resources, leading to unauthorized + access and control over the Azure environment. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management " | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. +search: '`azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates + and secrets management " | rename properties.* as * | rename targetResources{}.* + as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) + as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the Signin log category. +known_false_positives: Service Principal client credential modifications may be part + of legitimate administrative operations. Filter as needed. 
references: - https://attack.mitre.org/techniques/T1098/001/ - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ 
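Review bot: the reflowed `how_to_implement` still says the analytic leverages "the Signin log category", but the search filters `category=AuditLogs`; since these lines are being rewritten anyway, change it to the AuditLogs category so operators enable the right diagnostic setting. The `operationName` value also keeps a trailing space before the closing quote (`...Certificates and secrets management "`), which only matches if the raw field really carries it; confirm against the test data or drop the space.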
@@ -24,44 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: New credentials added for Service Principal by $user$ + risk_objects: + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - Azure Active Directory Privilege Escalation - NOBELIUM Group asset_type: Azure Active Directory - confidence: 50 - impact: 70 - message: New credentials added for Service Principal by $user$ mitre_attack_id: - T1098 - T1098.001 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - category - - operationName - - user - - properties.targetResources{}.displayName - - properties.targetResources{}.modifiedProperties{}.newValue - - src_ip - 
risk_score: 35 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml index ebe9073415..70759d0bbc 100644 --- a/detections/cloud/azure_ad_service_principal_owner_added.yml +++ b/detections/cloud/azure_ad_service_principal_owner_added.yml 
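Review bot: `threat_objects: []` leaves `src_ip` unregistered even though it is in the stats `by` clause, while the other detections in this change (enumeration, different IPs, PowerShell) register the source address as `type: ip_address`; suggest adding `- field: src_ip` / `type: ip_address` for consistency. The score of 35 matches the removed `confidence: 50` x `impact: 70`, so the RBA value is preserved.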
@@ -1,16 +1,34 @@ name: Azure AD Service Principal Owner Added id: 7ddf2084-6cf3-4a44-be83-474f7b73c701 -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources. +description: The following analytic detects the addition of a new owner to a Service + Principal within an Azure AD tenant. It leverages Azure Active Directory events + from the AuditLog log category to identify this activity. This behavior is significant + because Service Principals do not support multi-factor authentication or conditional + access policies, making them a target for adversaries seeking persistence or privilege + escalation. If confirmed malicious, this activity could allow attackers to maintain + access to the Azure AD environment with single-factor authentication, potentially + leading to unauthorized access and control over critical resources. 
data_source: - Azure Active Directory Add owner to application -search: '`azure_monitor_aad` operationName="Add owner to application" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Administrator may legitimately add new owners for Service Principals. Filter as needed. +search: '`azure_monitor_aad` operationName="Add owner to application" | rename properties.* + as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName + as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName + | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats + count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName + by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). 
+ You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: Administrator may legitimately add new owners for Service Principals. + Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: 
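Review bot: `version` jumps from 6 to 8 while every sibling detection in this change bumps by one; confirm that is intentional or set it to 7. The reflowed `how_to_implement` also carries over the missing space in "Splunkbase(https://", which is worth fixing while the line is being rewritten.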
@@ -19,46 +37,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$displayName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new owner was added for service principal $displayName$ by $initiatedBy$ + risk_objects: + - field: displayName + type: user + score: 54 + - field: initiatedBy + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - Azure Active Directory Privilege Escalation - NOBELIUM Group asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: A new owner was added for service principal $displayName$ by $initiatedBy$ mitre_attack_id: - T1098 - observable: - - name: displayName - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - 
_time - - operationName - - properties.initiatedBy.user.userPrincipalName - - properties.targetResources{}.userPrincipalName - - properties.targetResources{}.modifiedProperties{}.newValue - - properties.result - risk_score: 54 security_domain: audit tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml index 76e2a13097..29720e929f 100644 --- a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml +++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml @@ -3,7 +3,7 @@ id: 29eb39d3-2bc8-49cc-99b3-35593191a588 version: 1 date: '2025-01-06' author: Dean Luxton -data_sources: +data_source: - Azure Active Directory Add app role assignment to service principal type: TTP status: production 
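Review bot: `initiatedBy`, which was the `Attacker`-role observable, now becomes a risk object scoring 54 alongside `displayName`, so both the account that added the owner and the affected service principal accrue risk; if the intent was to keep `initiatedBy` as the actor, confirm this is the RBA model you want rather than leaving `threat_objects: []`. Separately, `displayName` is the service principal's display name (taken from `modifiedProperties{}.newValue`) but is typed `user`; consider whether that entity type is right for correlation in Risk.All_Risk.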
@@ -35,42 +35,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$ + risk_objects: + - field: servicePrincipal + type: user + score: 100 + threat_objects: + - field: user_agent + type: http_user_agent tags: analytic_story: - Azure Active Directory Privilege Escalation asset_type: Azure Tenant - confidence: 100 - impact: 100 - message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$ mitre_attack_id: - T1098.003 - T1098 - observable: - - name: servicePrincipal - type: User - role: - - Victim - - name: user_agent - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user_agent - - identity - - properties.initiatedBy.app.servicePrincipalId - - operationName - - tenantId - - correlationId - - category - - properties.initiatedBy.app.displayName - - properties.result - - properties{}.targetResources{}.modifiedProperties{} - - properties.targetResources{}.displayName - risk_score: 100 security_domain: identity tests: - name: True Positive Test diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml index 68c04f310c..84f19bd9f2 100644 
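Review bot: the `rba.message` reads "adding themself to app role"; the subject is a service principal, so "adding itself" is the correct form. The drilldown already uses `$servicePrincipal$`, so the new risk object field matches it, and the score of 100 matches the removed `confidence: 100` x `impact: 100`.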
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml +++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml 
@@ -1,16 +1,32 @@ name: Azure AD Successful Authentication From Different Ips id: be6d868d-33b6-4aaa-912e-724fb555b11a -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network. +description: The following analytic detects an Azure AD account successfully authenticating + from multiple unique IP addresses within a 30-minute window. It leverages Azure + AD SignInLogs to identify instances where the same user logs in from different IPs + in a short time frame. This behavior is significant as it may indicate compromised + credentials being used by an adversary, potentially following a phishing attack. + If confirmed malicious, this activity could allow unauthorized access to corporate + resources, leading to data breaches or further exploitation within the network. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. +search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs + | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime + max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) + as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. 
+known_false_positives: A user with successful authentication events from different + Ips may also represent the legitimate use of more than one device. Filter as needed + and/or customize the threshold to fit your environment. references: - https://attack.mitre.org/techniques/T1110 - https://attack.mitre.org/techniques/T1110.001 
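Review bot: the reflowed search still has `| bucket span=30m _time | stats ... by user` with no `_time` in the `by` clause, so `dc(src_ip)` is computed across the entire search window rather than per 30-minute bucket and the `bucket` command has no effect; if the 30-minute window stated in the description is intended, add `_time` to the `by` clause (or `bin` and group on it). Minor: "different Ips" in `known_false_positives` should be "IPs".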
@@ -21,48 +37,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has had successful authentication events from more than one + unique IP address in the span of 30 minutes. + risk_objects: + - field: user + type: user + score: 56 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised User Account - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 80 - impact: 70 - message: User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes. 
mitre_attack_id: - T1110 - T1110.001 - T1110.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - user - - src_ip - - properties.appDisplayName - risk_score: 56 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index 08479340be..40fc93f31e 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml +++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml 
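Review bot: the `mitre_attack_id` list keeps T1110, T1110.001 and T1110.003 (brute force) while the description frames the behaviour as compromised credentials being used after phishing; T1078.004 (Valid Accounts: Cloud Accounts), which this change already uses on the PowerShell and single-factor detections, seems the closer mapping. The score of 56 matches the removed `confidence: 80` x `impact: 70`.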
@@ -1,16 +1,32 @@ name: Azure AD Successful PowerShell Authentication id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is "Microsoft Azure PowerShell." This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment. +description: The following analytic identifies a successful authentication event against + an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs + to identify successful logins where the appDisplayName is "Microsoft Azure PowerShell." + This activity is significant because it is uncommon for regular, non-administrative + users to authenticate using PowerShell, and it may indicate enumeration and discovery + techniques by an attacker. If confirmed malicious, this activity could allow attackers + to perform extensive reconnaissance, potentially leading to privilege escalation + or further exploitation within the Azure environment. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed. +search: '`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true + properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as + * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user + by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_successful_powershell_authentication_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. +known_false_positives: Administrative users will likely use PowerShell commandlets + to troubleshoot and maintain the environment. Filter as needed. 
references: - https://attack.mitre.org/techniques/T1078/004/ - https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0 
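Review bot: `known_false_positives` says "PowerShell commandlets" while the description in the same hunk uses "cmdlets"; use "cmdlets" in both since the line is being rewritten.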
@@ -22,48 +38,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Successful authentication for user $user$ using PowerShell. + risk_objects: + - field: user + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: Successful authentication for user $user$ using PowerShell. 
mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - properties.appDisplayName - - category - - user - - src_ip - - properties.appDisplayName - - properties.userAgent - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index 1c582dd9e2..08b55c21be 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml 
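Review bot: `user_agent` is in the stats `by` clause but is not registered in `threat_objects`, whereas the enumeration and privilege escalation detections in this change add it as `type: http_user_agent`; suggest adding it here too so the client string is available for RBA correlation. The removed `required_fields` listed `properties.appDisplayName` twice, so that duplication goes away with this change; score 54 matches the removed `confidence: 90` x `impact: 60`.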
@@ -1,16 +1,30 @@ name: Azure AD Successful Single-Factor Authentication id: a560e7f6-1711-4353-885b-40be53101fcd -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment. +description: The following analytic identifies a successful single-factor authentication + event against Azure Active Directory. It leverages Azure SignInLogs data, specifically + focusing on events where single-factor authentication succeeded. This activity is + significant as it may indicate a misconfiguration, policy violation, or potential + account takeover attempt. If confirmed malicious, an attacker could gain unauthorized + access to the account, potentially leading to data breaches, privilege escalation, + or further exploitation within the environment. data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: Although not recommended, certain users may be required without multi-factor authentication. Filter as needed +search: '`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication + properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats + count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, + appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. +known_false_positives: Although not recommended, certain users may be required without + multi-factor authentication. Filter as needed references: - https://attack.mitre.org/techniques/T1078/004/ - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks* 
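Review bot: The rewrapped `known_false_positives` line still reads "certain users may be required without multi-factor authentication. Filter as needed", which is missing a word and a final period; since the line is being touched anyway, suggest "certain users may be exempt from multi-factor authentication; filter as needed." The description and search reflow are pure YAML folding inside the single-quoted scalar, so the SPL is unchanged.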
@@ -21,48 +35,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Successful authentication for user $user$ without MFA + risk_objects: + - field: user + type: user + score: 45 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 50 - message: Successful authentication for user $user$ without MFA mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - category - - properties.authenticationRequirement - - properties.authenticationDetails - - user - - 
src_ip - - properties.appDisplayName - risk_score: 45 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml index b1fb8df1a2..af3e2f430f 100644 --- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml 
@@ -1,16 +1,34 @@ name: Azure AD Tenant Wide Admin Consent Granted id: dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Consent to application -description: The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations. -search: '`azure_monitor_aad` operationName="Consent to application" | eval new_field=mvindex(''properties.targetResources{}.modifiedProperties{}.newValue'', 4) | rename properties.* as * | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category. 
-known_false_positives: Legitimate applications may be granted tenant wide consent, filter as needed. +description: The following analytic identifies instances where admin consent is granted + to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically + events related to the admin consent action within the ApplicationManagement category. + This activity is significant because admin consent allows applications to access + data across the entire tenant, potentially exposing vast amounts of organizational + data. If confirmed malicious, an attacker could gain extensive and persistent access + to sensitive data, leading to data exfiltration, espionage, further malicious activities, + and potential compliance violations. +search: "`azure_monitor_aad` operationName=\"Consent to application\" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', + 4) | rename properties.* as * | rex field=new_field \"ConsentType: (?[^\\\ + ,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType + = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime + by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, + Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_tenant_wide_admin_consent_granted_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Auditlogs log category. +known_false_positives: Legitimate applications may be granted tenant wide consent, + filter as needed. 
references: - https://attack.mitre.org/techniques/T1098/003/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 
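Review bot: The `search` scalar in this hunk switches from single to double quotes, so the rex patterns now depend on `\\` for a literal backslash and on a trailing `\` as a YAML escaped line break (`(?[^\\\` continued by `,]+)\"`), which folds back to `[^\,]` only as long as nobody re-wraps the line; the single-quoted form with `''` doubling that every other search in this diff keeps is easier to maintain and worth keeping here too. Separately, as displayed both the old and new patterns read `(?[^\,]+)` with no capture-group name, yet the later `search ConsentType = "AllPrincipals"` and `stats ... by ... ConsentType, Scope` require named groups; please confirm `(?<ConsentType>...)` and `(?<Scope>...)` survive the re-quoting.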
@@ -23,41 +41,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Administrator $user$ consented an OAuth application for the tenant. + risk_objects: + - field: user + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence - NOBELIUM Group asset_type: Azure Tenant - confidence: 50 - impact: 90 - message: Administrator $user$ consented an OAuth application for the tenant. 
mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - operationName - - user - - properties.targetResources{}.modifiedProperties{}.newValue - - properties.targetResources{}.displayName - - properties.targetResources{}.id security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml index bbcfbd47b4..24fdfff29f 100644 --- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml 
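Review bot: The new `rba.message` keeps the old wording "Administrator $user$ consented an OAuth application for the tenant.", which drops a preposition; since the line is being moved, suggest "Administrator $user$ consented to an OAuth application on behalf of the tenant." The empty `threat_objects: []` is consistent with the removed `observable` block, which only had `user` as Victim, and `score: 45` matches the old `risk_score`.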
@@ -1,16 +1,34 @@ name: Azure AD Unusual Number of Failed Authentications From Ip id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic identifies a single source IP failing to authenticate with multiple valid users, potentially indicating a Password Spraying attack against an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers of failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. +description: The following analytic identifies a single source IP failing to authenticate + with multiple valid users, potentially indicating a Password Spraying attack against + an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the + standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers + of failed authentication attempts. This activity is significant as it may signal + an adversary attempting to gain initial access or elevate privileges. If confirmed + malicious, this could lead to unauthorized access, privilege escalation, and potential + compromise of sensitive information. 
data_source: - Azure Active Directory -search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. +search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) + as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, + stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) + | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
+ You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. +known_false_positives: A source Ip failing to authenticate with multiple users is + not a common for legitimate behavior. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray 
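Review bot: The rewrapped `known_false_positives` text "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior." is ungrammatical; suggest "A source IP failing to authenticate as multiple users is not common legitimate behavior." The search reflow inside the single-quoted scalar leaves the 5-minute bucketing, the `eventstats` per `ipAddress` and the `unique_accounts > 10 and unique_accounts >= upperBound` outlier test unchanged.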
@@ -22,48 +40,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$userPrincipalName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userPrincipalName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userPrincipalName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible Password Spraying attack against Azure AD from source ip $ipAddress$ + risk_objects: + - field: userPrincipalName + type: user + score: 54 + threat_objects: + - field: ipAddress + type: ip_address tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Active Directory - confidence: 90 - impact: 60 - message: Possible Password Spraying attack against Azure AD from source ip $ipAddress$ mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: userPrincipalName - type: User - role: - - Victim - - name: ipAddress - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - properties.status.errorCode - - category - - properties.authenticationDetails - - properties.userPrincipalName - - properties.ipAddress - risk_score: 54 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml index 126bfeabc6..82ac6af232 100644 --- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml 
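Review bot: `rba.risk_objects` in this hunk points at `userPrincipalName`, but the search in the previous hunk produces that field with `values(userPrincipalName) ... by _time, ipAddress`, so it is a multivalue list of every account the source IP failed against; with `score: 54` per risk object the full spray score fans out to each targeted user while `ipAddress` is only a threat object. That mirrors the old `observable` (userPrincipalName as Victim, ipAddress as Attacker), so if the fan-out is intended it should be stated in the description; if not, the scoring needs rethinking before merge. This hunk also drops `update_timestamp: true` from the test, as in the PowerShell detection.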
@@ -1,15 +1,38 @@ name: Azure AD User Consent Blocked for Risky Application id: 06b8ec9a-d3b5-4882-8f16-04b4d10f5eab -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Consent to application -description: The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures. 
-search: '`azure_monitor_aad` operationName="Consent to application" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind(''targetResources{}.modifiedProperties{}.displayName'', "ConsentAction.Reason") >= 0, mvfind(''targetResources{}.modifiedProperties{}.displayName'', "ConsentAction.Reason"), -1) | eval permissions_index = if(mvfind(''targetResources{}.modifiedProperties{}.displayName'', "ConsentAction.Permissions") >= 0, mvfind(''targetResources{}.modifiedProperties{}.displayName'', "ConsentAction.Permissions"), -1) | search reason_index >= 0 | eval reason = mvindex(''targetResources{}.modifiedProperties{}.newValue'',reason_index) | eval permissions = mvindex(''targetResources{}.modifiedProperties{}.newValue'',permissions_index) | search reason = "\"Risky application detected\"" | rex field=permissions "Scope: (?[^,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. +description: The following analytic detects instances where Azure AD has blocked a + user's attempt to grant consent to a risky or potentially malicious application. + This detection leverages Azure AD audit logs, focusing on user consent actions and + system-driven blocks. Monitoring these blocked consent attempts is crucial as it + highlights potential threats early on, indicating that a user might be targeted + or that malicious applications are attempting to infiltrate the organization. 
If + confirmed malicious, this activity suggests that Azure's security measures successfully + prevented a harmful application from accessing organizational data, warranting immediate + investigation to understand the context and take preventive measures. +search: "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=failure + | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + \"ConsentAction.Reason\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + \"ConsentAction.Reason\"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + \"ConsentAction.Permissions\"), -1) | search reason_index >= 0 | eval reason = + mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions + = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | + search reason = \"\\\"Risky application detected\\\"\" | rex field=permissions \"\ + Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime + by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_user_consent_blocked_for_risky_application_filter`" +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES references: - https://attack.mitre.org/techniques/T1528/ 
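Review bot: `known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES` is an unfilled template placeholder in a detection marked `status: production`, and this change bumps it to version 4 without addressing it; please replace it with real guidance (for example whether legitimate internal apps ever trigger the "Risky application detected" block). The double-quoted `search` also uses an escaped line break right after `rex field=permissions \"\` and, as displayed, the pattern `Scope: (?[^,]+)` has no capture-group name while the `stats ... by operationName, user, reason, Scope` clause needs one; same concern as in the tenant-wide consent search.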
@@ -24,38 +47,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Azure AD has blocked $user$ attempt to grant to consent to an application + deemed risky. + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 100 - impact: 30 - message: Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - operationName - - properties.result - - properties.targetResources{}.modifiedProperties{}.displayName - - properties.targetResources{}.modifiedProperties{}.newValue security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml index 2588633b87..a0b600a60e 100644 --- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml 
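Review bot: The `rba.message` carried over here, "Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.", has a doubled preposition and a missing possessive; since the line is being moved, suggest "Azure AD blocked an attempt by $user$ to grant consent to an application deemed risky." `score: 30` matches the old `confidence: 100` / `impact: 30` product and the empty `threat_objects: []` matches the single-Victim observable being removed.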
@@ -1,16 +1,32 @@ name: Azure AD User Consent Denied for OAuth Application id: bb093c30-d860-4858-a56e-cd0895d5b49c -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Azure Active Directory Sign-in activity -description: The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment. This detection leverages Azure AD's audit logs, specifically focusing on user consent actions with error code 65004. Monitoring denied consent actions is significant as it can indicate users recognizing potentially suspicious or untrusted applications. If confirmed malicious, this activity could suggest attempts by unauthorized applications to gain access, potentially leading to data breaches or unauthorized actions within the environment. Understanding these denials helps refine security policies and enhance user awareness. -search: '`azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: Users may deny consent for legitimate applications by mistake, filter as needed. 
+description: The following analytic identifies instances where a user has denied consent + to an OAuth application seeking permissions within the Azure AD environment. This + detection leverages Azure AD's audit logs, specifically focusing on user consent + actions with error code 65004. Monitoring denied consent actions is significant + as it can indicate users recognizing potentially suspicious or untrusted applications. + If confirmed malicious, this activity could suggest attempts by unauthorized applications + to gain access, potentially leading to data breaches or unauthorized actions within + the environment. Understanding these denials helps refine security policies and + enhance user awareness. +search: '`azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004 + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: Users may deny consent for legitimate applications by mistake, + filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ 
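Review bot: The rewrapped description says the detection "leverages Azure AD's audit logs", but the `data_source` is "Azure Active Directory Sign-in activity", the search filters `operationName="Sign-in activity"` with `properties.status.errorCode=65004`, and `how_to_implement` names the SignInLogs category; since the description is being reflowed anyway, change "audit logs" to "sign-in logs" so the three fields agree.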
@@ -24,39 +40,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ denied consent for an OAuth application. + risk_objects: + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 60 - impact: 60 - message: User $user$ denied consent for an OAuth application. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - operationName - - properties.status.errorCode - - user - - properties.appDisplayName - - status.failureReason security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index 96eebea8e4..f3601f5b68 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml 
@@ -1,18 +1,35 @@ name: Azure AD User Enabled And Password Reset id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment. +description: The following analytic detects an Azure AD user enabling a previously + disabled account and resetting its password within 2 minutes. It uses Azure Active + Directory events to identify this sequence of actions. This activity is significant + because it may indicate an adversary with administrative access attempting to establish + a backdoor identity within the Azure AD tenant. If confirmed malicious, this could + allow the attacker to maintain persistent access, escalate privileges, and potentially + exfiltrate sensitive information from the environment. 
data_source: - Azure Active Directory Enable account - Azure Active Directory Reset password (by admin) - Azure Active Directory Update user -search: '`azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed. 
+search: '`azure_monitor_aad` (operationName="Enable account" OR operationName="Reset + password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable + account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename + properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats + count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName + values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: While not common, Administrators may enable accounts and reset + their passwords for legitimate reasons. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: 
@@ -21,43 +38,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user account, $user$, was enabled and its password reset within 2 minutes + by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 45 + - field: initiatedBy + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 90 - impact: 50 - message: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName - - user - - 
properties.initiatedBy.user.userPrincipalName - - properties.result - risk_score: 45 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml index e1ed90fbe5..bb46d01420 100644 --- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml +++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml 
@@ -1,16 +1,34 @@ name: Azure AD User ImmutableId Attribute Updated id: 0c0badad-4536-4a84-a561-5ff760f3c00e -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies the modification of the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user. This detection leverages Azure AD audit logs, specifically monitoring the "Update user" operation and changes to the SourceAnchor attribute. This activity is significant as it is a step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, leading to unauthorized access and potential data breaches. +description: The following analytic identifies the modification of the SourceAnchor + (ImmutableId) attribute for an Azure Active Directory user. This detection leverages + Azure AD audit logs, specifically monitoring the "Update user" operation and changes + to the SourceAnchor attribute. This activity is significant as it is a step in setting + up an Azure AD identity federation backdoor, allowing an adversary to establish + persistence. If confirmed malicious, the attacker could impersonate any user, bypassing + password and MFA requirements, leading to unauthorized access and potential data + breaches. 
data_source: - Azure Active Directory Update user -search: '`azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed. +search: '`azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor + | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | + stats count min(_time) as firstTime max(_time) as lastTime values(user) as user + values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, + operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_user_immutableid_attribute_updated_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). 
+ You must be ingesting Azure Active Directory events into your Splunk environment. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: The SourceAnchor (also called ImmutableId) Azure AD attribute + has legitimate uses for directory synchronization. Investigate and filter as needed. references: - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts - https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13 
@@ -24,39 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ + by $initiatedBy$ + risk_objects: + - field: user + type: user + score: 45 + - field: initiatedBy + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Active Directory - confidence: 90 - impact: 50 - message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim - - name: initiatedBy - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 45 security_domain: threat tests: - 
name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml index 067f10815d..61c90cb7d6 100644 --- a/detections/cloud/azure_automation_account_created.yml +++ b/detections/cloud/azure_automation_account_created.yml 
@@ -1,16 +1,31 @@ name: Azure Automation Account Created id: 860902fd-2e76-46b3-b050-ba548dab576c -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk. +description: The following analytic detects the creation of a new Azure Automation + account within an Azure tenant. It leverages Azure Audit events, specifically the + Azure Activity log category, to identify when an account is created or updated. + This activity is significant because Azure Automation accounts can be used to automate + tasks and orchestrate actions across Azure and on-premise environments. If an attacker + creates an Automation account with elevated privileges, they could maintain persistence, + execute malicious runbooks, and potentially escalate privileges or execute code + on virtual machines, posing a significant security risk. 
data_source: - Azure Audit Create or Update an Azure Automation account -search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation account" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -known_false_positives: Administrators may legitimately create Azure Automation accounts. Filter as needed. +search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation + account" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip + | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime + values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Audit events into your Splunk environment. Specifically, + this analytic leverages the Azure Activity log category. +known_false_positives: Administrators may legitimately create Azure Automation accounts. + Filter as needed. 
references: - https://docs.microsoft.com/en-us/azure/automation/overview - https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal 
@@ -25,43 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new Azure Automation account $object$ was created by $user$ + risk_objects: + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Tenant - confidence: 90 - impact: 70 - message: A new Azure Automation account $object$ was created by $user$ mitre_attack_id: - T1136 - T1136.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName.localizedValue - - status.value - - object - - caller - - claims.ipaddr - - resourceGroupName - - object_path - risk_score: 63 security_domain: audit tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log source: mscs:azure:audit sourcetype: mscs:azure:audit - update_timestamp: true diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml index 9439a062c0..30cd14ac36 100644 --- a/detections/cloud/azure_automation_runbook_created.yml +++ b/detections/cloud/azure_automation_runbook_created.yml 
@@ -1,16 +1,31 @@ name: Azure Automation Runbook Created id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment. +description: The following analytic detects the creation of a new Azure Automation + Runbook within an Azure tenant. It leverages Azure Audit events, specifically the + Azure Activity log category, to identify when a new Runbook is created or updated. + This activity is significant because adversaries with privileged access can use + Runbooks to maintain persistence, escalate privileges, or execute malicious code. + If confirmed malicious, this could lead to unauthorized actions such as creating + Global Administrators, executing code on VMs, and compromising the entire Azure + environment. 
data_source: - Azure Audit Create or Update an Azure Automation Runbook -search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -known_false_positives: Administrators may legitimately create Azure Automation Runbooks. Filter as needed. +search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation + Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object + | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) + as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Audit events into your Splunk environment. Specifically, + this analytic leverages the Azure Activity log category. +known_false_positives: Administrators may legitimately create Azure Automation Runbooks. + Filter as needed. 
references: - https://docs.microsoft.com/en-us/azure/automation/overview - https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types 
@@ -25,43 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new Azure Automation Runbook $object$ was created by $user$ + risk_objects: + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Tenant - confidence: 90 - impact: 70 - message: A new Azure Automation Runbook $object$ was created by $user$ mitre_attack_id: - T1136 - T1136.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName.localizedValue - - status.value - - object - - caller - - claims.ipaddr - - resourceGroupName - - object_path - risk_score: 63 security_domain: audit tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log source: mscs:azure:audit sourcetype: mscs:azure:audit - update_timestamp: true diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml index bbc6b93cb8..f380d8cff2 100644 --- a/detections/cloud/azure_runbook_webhook_created.yml +++ b/detections/cloud/azure_runbook_webhook_created.yml 
@@ -1,16 +1,31 @@ name: Azure Runbook Webhook Created id: e98944a9-92e4-443c-81b8-a322e33ce75a -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the "Create or Update an Azure Automation webhook" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources. +description: The following analytic detects the creation of a new Automation Runbook + Webhook within an Azure tenant. It leverages Azure Audit events, specifically the + "Create or Update an Azure Automation webhook" operation, to identify this activity. + This behavior is significant because Webhooks can trigger Automation Runbooks via + unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed + malicious, an attacker could use this to execute code, create users, or maintain + persistence within the environment, potentially leading to unauthorized access and + control over Azure resources. 
data_source: - Azure Audit Create or Update an Azure Automation webhook -search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation webhook" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -known_false_positives: Administrators may legitimately create Azure Runbook Webhooks. Filter as needed. +search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation + webhook" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip + | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime + by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Audit events into your Splunk environment. Specifically, + this analytic leverages the Azure Activity log category. +known_false_positives: Administrators may legitimately create Azure Runbook Webhooks. + Filter as needed. references: - https://docs.microsoft.com/en-us/azure/automation/overview - https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types 
@@ -25,43 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new Azure Runbook Webhook $object$ was created by $user$ + risk_objects: + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Azure Tenant - confidence: 90 - impact: 70 - message: A new Azure Runbook Webhook $object$ was created by $user$ mitre_attack_id: - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operationName.localizedValue - - status.value - - object - - caller - - claims.ipaddr - - resourceGroupName - - object_path - risk_score: 63 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log source: mscs:azure:audit sourcetype: mscs:azure:audit - update_timestamp: true diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml index 391ff4983d..94550f371d 100644 --- a/detections/cloud/circle_ci_disable_security_job.yml +++ b/detections/cloud/circle_ci_disable_security_job.yml 
@@ -1,14 +1,27 @@ name: Circle CI Disable Security Job id: 4a2fdd41-c578-4cd4-9ef7-980e352517f2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity. +description: The following analytic detects the disabling of security jobs in CircleCI + pipelines. It leverages CircleCI log data, renaming and extracting fields such as + job names, workflow IDs, user information, commit messages, URLs, and branches. + The detection identifies mandatory jobs for each workflow and checks if they were + executed. This activity is significant because disabling security jobs can allow + malicious code to bypass security checks, leading to potential data breaches, system + downtime, and reputational damage. If confirmed malicious, this could result in + unauthorized code execution and compromised pipeline integrity. 
data_source: - CircleCI -search: '`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0) | where mandatory_job_executed=0 | eval phase="build" | rex field=url "(?[^\/]*\/[^\/]*)$" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`' +search: '`circleci` | rename vcs.committer_name as user vcs.subject as commit_message + vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id + workflow_name user commit_message url branch | lookup mandatory_job_for_workflow + workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval + mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0) | where + mandatory_job_executed=0 | eval phase="build" | rex field=url "(?[^\/]*\/[^\/]*)$" + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`' how_to_implement: You must index CircleCI logs. known_false_positives: unknown references: [] 
@@ -18,34 +31,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disable security job $mandatory_job$ in workflow $workflow_name$ from user + $user$ + risk_objects: + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: CircleCI - confidence: 90 - impact: 80 - message: Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ mitre_attack_id: - T1554 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _times - risk_score: 72 security_domain: network tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.json sourcetype: circleci source: circleci diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml index aeb0ac9fd1..8e6270b71e 100644 --- a/detections/cloud/circle_ci_disable_security_step.yml +++ b/detections/cloud/circle_ci_disable_security_step.yml 
@@ -1,42 +1,53 @@ name: Circle CI Disable Security Step id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: experimental type: Anomaly -description: The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes. +description: The following analytic detects the disablement of security steps in a + CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and + statistical analysis to identify instances where mandatory security steps are not + executed. This activity is significant because disabling security steps can introduce + vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed + malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. + Investigate by reviewing job names, commit details, and user information associated + with the disablement, and examine any relevant artifacts and concurrent processes. 
data_source: - CircleCI -search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url "(?[^\/]*\/[^\/]*)$" | eval phase="build" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`' +search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` + | stats values(name) as step_names count by job_id job_name ] | stats count by step_names + job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as + * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name + AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, + "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url + "(?[^\/]*\/[^\/]*)$" | eval phase="build" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`' how_to_implement: You must index CircleCI logs. 
known_false_positives: unknown references: [] +rba: + message: Disable security step $mandatory_step$ in job $job_name$ from user $user$ + risk_objects: + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: CircleCI - confidence: 90 - impact: 80 - message: Disable security step $mandatory_step$ in job $job_name$ from user $user$ mitre_attack_id: - T1554 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _times - risk_score: 72 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json sourcetype: circleci source: circleci diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml index b7e7408bbe..8f06d84364 100644 --- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml +++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml 
@@ -1,48 +1,62 @@ name: Cloud API Calls From Previously Unseen User Roles id: 2181ad1f-1e73-4d0c-9780-e8880482a08f -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment. +description: The following analytic detects cloud API calls executed by user roles + that have not previously run these commands. It leverages the Change data model + in Splunk to identify commands executed by users with the user_type of AssumedRole + and a status of success. This activity is significant because new commands from + different user roles can indicate potential malicious activity or unauthorized actions. + If confirmed malicious, this behavior could lead to unauthorized access, data breaches, + or other damaging outcomes by exploiting new or unmonitored commands within the + cloud environment. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. 
You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change + where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, + All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | + lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command + OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | + where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) + OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, + object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `cloud_api_calls_from_previously_unseen_user_roles_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud API Calls Per + User Role - Initial` to build the initial table of user roles, commands, and times. + You must also enable the second baseline search `Previously Seen Cloud API Calls + Per User Role - Update` to keep this table up to date and to age out old data. You + can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` + macro. You can also provide additional filtering for this search by customizing + the `cloud_api_calls_from_previously_unseen_user_roles_filter` known_false_positives: None. 
references: [] +rba: + message: User $user$ of type AssumedRole attempting to execute new API calls $command$ + that have not been seen before + risk_objects: + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Suspicious Cloud User Activities asset_type: AWS Instance - confidence: 60 - impact: 60 - message: User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.user - - All_Changes.user_type - - All_Changes.status - - All_Changes.command - - All_Changes.object - risk_score: 36 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml index 47503c9cdd..4608e0889a 100644 --- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml +++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml 
@@ -1,52 +1,61 @@ name: Cloud Compute Instance Created By Previously Unseen User id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment. +description: The following analytic identifies the creation of cloud compute instances + by users who have not previously created them. It leverages data from the Change + data model, focusing on 'create' actions by users, and cross-references with a baseline + of known user activities. This activity is significant as it may indicate unauthorized + access or misuse of cloud resources by new or compromised accounts. If confirmed + malicious, attackers could deploy unauthorized compute instances, leading to potential + data exfiltration, increased costs, or further exploitation within the cloud environment. 
data_source: - AWS CloudTrail -search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`' -how_to_implement: You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. -known_false_positives: It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior. 
+search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, + latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change + where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | + `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user + user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) + as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) + | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") + | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` + | `cloud_compute_instance_created_by_previously_unseen_user_filter`' +how_to_implement: You must be ingesting the appropriate cloud-infrastructure logs + Run the "Previously Seen Cloud Compute Creations By User" support search to create + of baseline of previously seen users. +known_false_positives: It's possible that a user will start to create compute instances + for the first time, for any number of reasons. Verify with the user launching instances + that this is the intended behavior. 
references: [] +rba: + message: User $user$ is creating a new instance $dest$ for the first time + risk_objects: + - field: dest + type: system + score: 18 + - field: user + type: user + score: 18 + threat_objects: [] tags: analytic_story: - Cloud Cryptomining asset_type: Cloud Compute Instance - confidence: 60 - impact: 30 - message: User $user$ is creating a new instance $dest$ for the first time mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object - - All_Changes.action - - All_Changes.user - - All_Changes.vendor_region - risk_score: 18 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml index f82159d345..253542b0e7 100644 --- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml +++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml 
@@ -1,51 +1,64 @@ name: Cloud Compute Instance Created In Previously Unused Region id: fa4089e2-50e3-40f7-8469-d2cc1564ca59 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment. +description: The following analytic detects the creation of a cloud compute instance + in a region that has not been previously used within the last hour. It leverages + cloud infrastructure logs and compares the regions of newly created instances against + a lookup file of historically used regions. This activity is significant because + the creation of instances in new regions can indicate unauthorized or suspicious + activity, such as an attacker attempting to evade detection or establish a foothold + in a less monitored area. If confirmed malicious, this could lead to unauthorized + resource usage, data exfiltration, or further compromise of the cloud environment. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro. -known_false_positives: It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. 
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) + as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, + All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions + vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats + max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) + | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), + "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` + | `cloud_compute_instance_created_in_previously_unused_region_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` + to build the initial table of images observed and times. You must also enable the + second baseline search `Previously Seen Cloud Regions - Update` to keep this table + up to date and to age out old data. You can also provide additional filtering for + this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` + macro. +known_false_positives: It's possible that a user has unknowingly started an instance + in a new region. Please verify that this activity is legitimate. 
references: [] +rba: + message: User $user$ is creating an instance $dest$ in a new region for the first + time + risk_objects: + - field: dest + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Cloud Cryptomining asset_type: Cloud Compute Instance - confidence: 60 - impact: 70 - message: User $user$ is creating an instance $dest$ in a new region for the first time mitre_attack_id: - T1535 - observable: - - name: user - type: User - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.vendor_region - - All_Changes.user - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml index 89e00c36b8..7ec7ee2a3f 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml 
@@ -1,49 +1,63 @@ name: Cloud Compute Instance Created With Previously Unseen Image id: bc24922d-987c-4645-b288-f8c73ec194c4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats. +description: The following analytic detects the creation of cloud compute instances + using previously unseen image IDs. It leverages cloud infrastructure logs to identify + new image IDs that have not been observed before. This activity is significant because + it may indicate unauthorized or suspicious activity, such as the deployment of malicious + payloads or unauthorized access to sensitive information. If confirmed malicious, + this could lead to data breaches, unauthorized access, or further compromise of + the cloud environment. Immediate investigation is required to determine the legitimacy + of the instance creation and to mitigate potential threats. 
data_source: - AWS CloudTrail -search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro. -known_false_positives: After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user. 
+search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) + as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, + All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` + | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id + as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data + | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) + OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, + image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Compute Images + - Initial` to build the initial table of images observed and times. You must also + enable the second baseline search `Previously Seen Cloud Compute Images - Update` + to keep this table up to date and to age out old data. You can also provide additional + filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` + macro. +known_false_positives: After a new image is created, the first systems created with + that image will cause this alert to fire. Verify that the image being used was + created by a legitimate user. references: [] +rba: + message: User $user$ is creating an instance $dest$ with an image that has not been + previously seen. 
+ risk_objects: + - field: dest + type: system + score: 36 + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Cloud Cryptomining asset_type: Cloud Compute Instance - confidence: 60 - impact: 60 - message: User $user$ is creating an instance $dest$ with an image that has not been previously seen. - observable: - - name: user - type: User - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.Instance_Changes.image_id - - All_Changes.user - risk_score: 36 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml index 6f8e8887c2..011eeb6a29 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml 
@@ -1,49 +1,64 @@ name: Cloud Compute Instance Created With Previously Unseen Instance Type id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation. +description: The following analytic detects the creation of EC2 instances with previously + unseen instance types. It leverages Splunk's tstats command to analyze data from + the Change data model, identifying instance types that have not been previously + recorded. This activity is significant for a SOC because it may indicate unauthorized + or suspicious activity, such as an attacker attempting to create instances for malicious + purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, + system compromise, or service disruption. Immediate investigation is required to + determine the legitimacy of the instance creation. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. -known_false_positives: It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. 
+search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) + as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, + All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` + | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types + instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats + max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) + | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), + "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` + | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Compute Instance + Types - Initial` to build the initial table of instance types observed and times. + You must also enable the second baseline search `Previously Seen Cloud Compute Instance + Types - Update` to keep this table up to date and to age out old data. You can also + provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` + macro. +known_false_positives: It is possible that an admin will create a new system using + a new instance type that has never been used before. Verify with the creator that + they intended to create the system with the new instance type. references: [] +rba: + message: User $user$ is creating an instance $dest$ with an instance type $instance_type$ + that has not been previously seen. 
+ risk_objects: + - field: dest + type: system + score: 30 + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Cloud Cryptomining asset_type: Cloud Compute Instance - confidence: 60 - impact: 50 - message: User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen. - observable: - - name: user - type: User - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.Instance_Changes.instance_type - - All_Changes.user - risk_score: 30 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml index 960bb0459d..d3189b230e 100644 --- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml +++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml 
@@ -1,50 +1,59 @@ name: Cloud Instance Modified By Previously Unseen User id: 7fb15084-b14e-405a-bd61-a6de15a40722 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure. +description: The following analytic identifies cloud instances being modified by users + who have not previously modified them. It leverages data from the Change data model, + focusing on successful modifications of EC2 instances. This activity is significant + because it can indicate unauthorized or suspicious changes by potentially compromised + or malicious users. If confirmed malicious, this could lead to unauthorized access, + configuration changes, or potential disruption of cloud services, posing a significant + risk to the organization's cloud infrastructure. 
data_source: - AWS CloudTrail -search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`' -how_to_implement: This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work. -known_false_positives: It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. 
+search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, + latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) + as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 + All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` + | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW + firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where + enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) + OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command + object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`' +how_to_implement: This search has a dependency on other searches to create and update + a baseline of users observed to be associated with this activity. The search "Previously + Seen Cloud Instance Modifications By User - Update" should be enabled for this detection + to properly work. +known_false_positives: It's possible that a new user will start to modify EC2 instances + when they haven't before for any number of reasons. Verify with the user that is + modifying instances that this is the intended behavior. references: [] +rba: + message: User $user$ is modifying an instance $object_id$ for the first time. + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Suspicious Cloud Instance Activities asset_type: AWS Instance - confidence: 60 - impact: 70 - message: User $user$ is modifying an instance $object_id$ for the first time. 
mitre_attack_id: - T1078.004 - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.command - - All_Changes.action - - All_Changes.change_type - - All_Changes.status - - All_Changes.user - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml index 13374f7dd0..d4d135b466 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml 
@@ -1,18 +1,49 @@ name: Cloud Provisioning Activity From Previously Unseen City id: e7ecc5e0-88df-48b9-91af-51104c68f02f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Rico Valdez, Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. +description: The following analytic detects cloud provisioning activities originating + from previously unseen cities. It leverages cloud infrastructure logs and compares + the geographic location of the source IP address against a baseline of known locations. + This activity is significant as it may indicate unauthorized access or misuse of + cloud resources from an unexpected location. If confirmed malicious, this could + lead to unauthorized resource creation, potential data exfiltration, or further + compromise of cloud infrastructure. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro. -known_false_positives: 'This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you''re searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. 
- - This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change + where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success + by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | + `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) | + lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, + enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | + eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity + > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | + `security_content_ctime(firstTime)` | table firstTime, src, City, user, object, + command | `cloud_provisioning_activity_from_previously_unseen_city_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Provisioning + Activity Sources - Initial` to build the initial table of source IP address, geographic + locations, and times. You must also enable the second baseline search `Previously + Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date + and to age out old data. You can adjust the time window for this search by updating + the `previously_unseen_cloud_provisioning_activity_window` macro. 
You can also provide + additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` + macro. +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + IP address is seen in the **GeoIP** database for any kind of provisioning activity. + If you typically do all provisioning from tools inside of your country, there should + be few false positives. If you are located in countries where the free version of + **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly + small countries in less economically powerful regions), this may be much less valuable + to you." references: [] drilldown_searches: - name: View the detection results for - "$user$" and "$object$" 
@@ -20,50 +51,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is starting or creating an instance $object$ for the first + time in City $City$ from IP address $src$ + risk_objects: + - field: user + type: user + score: 18 + - field: object + type: system + score: 18 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Suspicious Cloud Provisioning Activities asset_type: AWS Instance - confidence: 60 - impact: 30 - message: User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$ mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: object - type: Endpoint - role: - - Victim 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.status - - All_Changes.src - - All_Changes.user - - All_Changes.object - - All_Changes.command - risk_score: 18 security_domain: threat manual_test: This search needs the baseline to be run first to create a lookup tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml index 35b73ffa52..ce1258983e 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml 
@@ -1,18 +1,48 @@ name: Cloud Provisioning Activity From Previously Unseen Country id: 94994255-3acf-4213-9b3f-0494df03bb31 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Rico Valdez, Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network. +description: The following analytic detects cloud provisioning activities originating + from previously unseen countries. It leverages cloud infrastructure logs and compares + the geographic location of the source IP address against a baseline of known locations. + This activity is significant as it may indicate unauthorized access or potential + compromise of cloud resources. If confirmed malicious, an attacker could gain control + over cloud assets, leading to data breaches, service disruptions, or further infiltration + into the network. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | `security_content_ctime(firstTime)` | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro. -known_false_positives: 'This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you''re searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. 
- - This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change + where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success + by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | + `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) + | lookup previously_seen_cloud_provisioning_activity_sources Country as Country + OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | + where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) + OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | `security_content_ctime(firstTime)` + | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Provisioning + Activity Sources - Initial` to build the initial table of source IP address, geographic + locations, and times. You must also enable the second baseline search `Previously + Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date + and to age out old data. You can adjust the time window for this search by updating + the `previously_unseen_cloud_provisioning_activity_window` macro. 
You can also provide + additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` + macro. +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + IP address is seen in the **GeoIP** database for any kind of provisioning activity. + If you typically do all provisioning from tools inside of your country, there should + be few false positives. If you are located in countries where the free version of + **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly + small countries in less economically powerful regions), this may be much less valuable + to you." references: [] drilldown_searches: - name: View the detection results for - "$object$" 
@@ -20,50 +50,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is starting or creating an instance $object$ for the first + time in Country $Country$ from IP address $src$ + risk_objects: + - field: object + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Suspicious Cloud Provisioning Activities asset_type: AWS Instance - confidence: 60 - impact: 70 - message: User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$ mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Attacker - - name: src - type: IP Address - role: - - Attacker - - name: object - type: Endpoint - role: - - Victim product: - Splunk 
Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.status - - All_Changes.src - - All_Changes.user - - All_Changes.object - - All_Changes.command - risk_score: 42 security_domain: threat manual_test: This search needs the baseline to be run first to create a lookup tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml index d49109dfd1..a8abf1856b 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml 
@@ -1,18 +1,48 @@ name: Cloud Provisioning Activity From Previously Unseen IP Address id: f86a8ec9-b042-45eb-92f4-e9ed1d781078 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Rico Valdez, Splunk status: production type: Anomaly -description: The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs. +description: The following analytic detects cloud provisioning activities originating + from previously unseen IP addresses. It leverages cloud infrastructure logs to identify + events where resources are created or started, and cross-references these with a + baseline of known IP addresses. This activity is significant as it may indicate + unauthorized access or potential misuse of cloud resources. If confirmed malicious, + an attacker could gain unauthorized control over cloud resources, leading to data + breaches, service disruptions, or increased operational costs. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro. -known_false_positives: 'This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you''re searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. 
- - This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) + as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) + All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command + | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_provisioning_activity_sources + src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data + | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) + OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) + | `security_content_ctime(firstTime)` | table firstTime, src, user, object_id, command + | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Provisioning + Activity Sources - Initial` to build the initial table of source IP address, geographic + locations, and times. You must also enable the second baseline search `Previously + Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date + and to age out old data. You can adjust the time window for this search by updating + the `previously_unseen_cloud_provisioning_activity_window` macro. 
You can also provide + additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` + macro. +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + IP address is seen in the **GeoIP** database for any kind of provisioning activity. + If you typically do all provisioning from tools inside of your country, there should + be few false positives. If you are located in countries where the free version of + **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly + small countries in less economically powerful regions), this may be much less valuable + to you." references: [] drilldown_searches: - name: View the detection results for - "$object_id$" 
@@ -20,50 +50,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$object_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is starting or creating an instance $object_id$ for the first + time from IP address $src$ + risk_objects: + - field: object_id + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Suspicious Cloud Provisioning Activities asset_type: AWS Instance - confidence: 60 - impact: 70 - message: User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$ mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Attacker - - name: src - type: IP Address - role: - - Attacker - - name: object_id - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk 
Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.status - - All_Changes.src - - All_Changes.user - - All_Changes.command - risk_score: 42 security_domain: threat manual_test: This search needs the baseline to be run first to create a lookup tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml index f712bd6c58..cfa4bfdf65 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml 
@@ -1,18 +1,49 @@ name: Cloud Provisioning Activity From Previously Unseen Region id: 5aba1860-9617-4af9-b19d-aecac16fe4f2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Rico Valdez, Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. +description: The following analytic detects cloud provisioning activities originating + from previously unseen regions. It leverages cloud infrastructure logs to identify + events where resources are started or created, and cross-references these with a + baseline of known regions. This activity is significant as it may indicate unauthorized + access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, + this could lead to unauthorized resource creation, potential data exfiltration, + or further compromise of cloud infrastructure. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro. -known_false_positives: 'This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you''re searching within, plus what is stored in the cache feature. 
But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. - - This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change + where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success + by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | + `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Region) + | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT + firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where + enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) + OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) + | `security_content_ctime(firstTime)` | table firstTime, src, Region, user, object, + command | `cloud_provisioning_activity_from_previously_unseen_region_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud + provider. You should run the baseline search `Previously Seen Cloud Provisioning + Activity Sources - Initial` to build the initial table of source IP address, geographic + locations, and times. You must also enable the second baseline search `Previously + Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date + and to age out old data. 
You can adjust the time window for this search by updating + the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide + additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` + macro. +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + IP address is seen in the **GeoIP** database for any kind of provisioning activity. + If you typically do all provisioning from tools inside of your country, there should + be few false positives. If you are located in countries where the free version of + **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly + small countries in less economically powerful regions), this may be much less valuable + to you." references: [] drilldown_searches: - name: View the detection results for - "$object$" 
@@ -20,50 +51,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ is starting or creating an instance $object$ for the first + time in region $Region$ from IP address $src$ + risk_objects: + - field: object + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Suspicious Cloud Provisioning Activities asset_type: AWS Instance - confidence: 60 - impact: 70 - message: User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$ mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Attacker - - name: src - type: IP Address - role: - - Attacker - - name: object - type: Endpoint - role: - - Victim product: - Splunk 
Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.action - - All_Changes.status - - All_Changes.src - - All_Changes.user - - All_Changes.object - - All_Changes.command - risk_score: 42 security_domain: threat manual_test: This search needs the baseline to be run first to create a lookup tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml index c7d6fe6905..0f94dcf4fc 100644 --- a/detections/cloud/cloud_security_groups_modifications_by_user.yml +++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml 
@@ -1,16 +1,35 @@ name: Cloud Security Groups Modifications by User id: cfe7cca7-2746-4bdf-b712-b01ed819b9de -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk data_source: - AWS CloudTrail type: Anomaly status: production -description: The following analytic identifies unusual modifications to security groups in your cloud environment by users, focusing on actions such as modifications, deletions, or creations over 30-minute intervals. It leverages cloud infrastructure logs and calculates the standard deviation for each user, using the 3-sigma rule to detect anomalies. This activity is significant as it may indicate a compromised account or insider threat. If confirmed malicious, attackers could alter security group configurations, potentially exposing sensitive resources or disrupting services. -search: '| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = "security_group" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name("All_Changes")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`' -how_to_implement: This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. 
It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment. -known_false_positives: It is possible that legitimate user/admin may modify a number of security groups +description: The following analytic identifies unusual modifications to security groups + in your cloud environment by users, focusing on actions such as modifications, deletions, + or creations over 30-minute intervals. It leverages cloud infrastructure logs and + calculates the standard deviation for each user, using the 3-sigma rule to detect + anomalies. This activity is significant as it may indicate a compromised account + or insider threat. If confirmed malicious, attackers could alter security group + configurations, potentially exposing sensitive resources or disrupting services. +search: '| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) + as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) + as object_category values(All_Changes.object) as objects values(All_Changes.action) + as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) + as command from datamodel=Change WHERE All_Changes.object_category = "security_group" + (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action + = created) by All_Changes.user _time span=30m | `drop_dm_object_name("All_Changes")` + | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) + as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups + > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`' +how_to_implement: This search requries the Cloud infrastructure logs such as AWS Cloudtrail, + GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change + datamodel. 
It is also recommended that users can try different combinations of the + `bucket` span time and outlier conditions to better suit with their environment. +known_false_positives: It is possible that legitimate user/admin may modify a number + of security groups references: - https://attack.mitre.org/techniques/T1578/005/ drilldown_searches: 
@@ -19,39 +38,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Unsual number cloud security group modifications detected by user - $user$ + risk_objects: + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Suspicious Cloud User Activities asset_type: Cloud Instance - confidence: 50 - impact: 70 - message: Unsual number cloud security group modifications detected by user - $user$ mitre_attack_id: - T1578.005 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.object_id - - All_Changes.action - - All_Changes.status - - All_Changes.object_category - - All_Changes.user - risk_score: 35 security_domain: threat tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml index a96fcb94aa..ac6587474d 100644 --- a/detections/cloud/detect_aws_console_login_by_new_user.yml +++ b/detections/cloud/detect_aws_console_login_by_new_user.yml 
@@ -1,48 +1,55 @@ name: Detect AWS Console Login by New User id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Rico Valdez, Splunk status: experimental type: Hunting -description: The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment. +description: The following analytic detects AWS console login events by new users. + It leverages AWS CloudTrail events and compares them against a lookup file of previously + seen users based on ARN values. This detection is significant because a new user + logging into the AWS console could indicate the creation of new accounts or potential + unauthorized access. If confirmed malicious, this activity could lead to unauthorized + access to AWS resources, data exfiltration, or further exploitation within the cloud + environment. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User") | where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. -known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. 
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication + where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` + | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats + min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), + "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously + Seen User") | where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version + 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates + to the Authentication data model for cloud use cases. Run the `Previously Seen Users + in CloudTrail - Initial` support search only once to create a baseline of previously + seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail + - Update` hourly (or more frequently depending on how often you run the detection + searches) to refresh the baselines. +known_false_positives: When a legitimate new user logins for the first time, this + activity will be detected. Check how old the account is and verify that the user + activity is legitimate. 
references: [] tags: analytic_story: - Suspicious Cloud Authentication Activities - AWS Identity and Access Management Account Takeover asset_type: AWS Instance - confidence: 60 - impact: 50 - message: User $user$ is logging into the AWS console for the first time mitre_attack_id: - T1586 - T1586.003 - T1552 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.user - risk_score: 30 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml index 5ed4a0207d..2fea4b9d13 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml 
@@ -1,16 +1,41 @@ name: Detect AWS Console Login by User from New City id: 121b0b11-f8ac-4ed6-a132-3800ca4fc07a -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment. +description: The following analytic identifies AWS console login events by users from + a new city within the last hour. It leverages AWS CloudTrail events and compares + them against a lookup file of previously seen user locations. This activity is significant + for a SOC as it may indicate unauthorized access or credential compromise, especially + if the login originates from an unusual location. If confirmed malicious, this could + lead to unauthorized access to AWS resources, data exfiltration, or further exploitation + within the cloud environment. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") | where userCity = "New City" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. -known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. 
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication + where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src + | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename + City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer + [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity + | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen + user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), + "New City","Previously Seen City") | where userCity = "New City" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity + justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version + 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates + to the Authentication data model for cloud use cases. Run the `Previously Seen Users + in AWS CloudTrail - Initial` support search only once to create a baseline of previously + seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail + - Update` hourly (or more frequently depending on how often you run the detection + searches) to refresh the baselines. You can also provide additional filtering for + this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` + macro. +known_false_positives: When a legitimate new user logins for the first time, this + activity will be detected. Check how old the account is and verify that the user + activity is legitimate. references: [] tags: analytic_story: 
@@ -19,34 +44,21 @@ tags: - AWS Identity and Access Management Account Takeover - Compromised User Account asset_type: AWS Instance - confidence: 60 - impact: 30 - message: User $user$ is logging into the AWS console from City $City$ for the first time mitre_attack_id: - T1586 - T1586.003 - T1535 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.user - - Authentication.src - risk_score: 18 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. + manual_test: This search needs the baseline to be run first to create a lookup. + It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml index 8466e0d5ae..afbc290db7 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml 
@@ -1,16 +1,41 @@ name: Detect AWS Console Login by User from New Country id: 67bd3def-c41c-4bf6-837b-ae196b4257c6 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment. +description: The following analytic identifies AWS console login events by users from + a new country. It leverages AWS CloudTrail events and compares them against a lookup + file of previously seen users and their login locations. This activity is significant + because logins from new countries can indicate potential unauthorized access or + compromised accounts. If confirmed malicious, this could lead to unauthorized access + to AWS resources, data exfiltration, or further exploitation within the AWS environment. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | where userCountry = "New Country" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. -known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. 
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication + where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src + | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename + Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join + user type=outer [| inputlookup previously_seen_users_console_logins | rename Country + as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry + | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime + >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | where + userCountry = "New Country" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry + | `detect_aws_console_login_by_user_from_new_country_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version + 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates + to the Authentication data model for cloud use cases. Run the `Previously Seen Users + in AWS CloudTrail - Initial` support search only once to create a baseline of previously + seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail + - Update` hourly (or more frequently depending on how often you run the detection + searches) to refresh the baselines. You can also provide additional filtering for + this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` + macro. +known_false_positives: When a legitimate new user logins for the first time, this + activity will be detected. Check how old the account is and verify that the user + activity is legitimate. references: [] tags: analytic_story: 
@@ -19,34 +44,21 @@ tags: - AWS Identity and Access Management Account Takeover - Compromised User Account asset_type: AWS Instance - confidence: 60 - impact: 70 - message: User $user$ is logging into the AWS console from Country $Country$ for the first time mitre_attack_id: - T1586 - T1586.003 - T1535 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.user - - Authentication.src - risk_score: 42 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. + manual_test: This search needs the baseline to be run first to create a lookup. + It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml index 4a894e1c9f..8c47e6e6a9 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml 
@@ -1,16 +1,42 @@ name: Detect AWS Console Login by User from New Region id: 9f31aa8e-e37c-46bc-bce1-8b3be646d026 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment. +description: The following analytic identifies AWS console login attempts by users + from a new region. It leverages AWS CloudTrail events and compares current login + regions against a baseline of previously seen regions for each user. This activity + is significant as it may indicate unauthorized access attempts or compromised credentials. + If confirmed malicious, an attacker could gain unauthorized access to AWS resources, + potentially leading to data breaches, resource manipulation, or further lateral + movement within the cloud environment. 
data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | where userRegion= "New Region" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro. -known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. 
+search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication + where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src + | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename + Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user + type=outer [| inputlookup previously_seen_users_console_logins | rename Region as + previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion + | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime + >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | where + userRegion= "New Region" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | + `detect_aws_console_login_by_user_from_new_region_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version + 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates + to the Authentication data model for cloud use cases. Run the `Previously Seen Users + in AWS CloudTrail - Initial` support search only once to create a baseline of previously + seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail + - Update` hourly (or more frequently depending on how often you run the detection + searches) to refresh the baselines. You can also provide additional filtering for + this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` + macro. +known_false_positives: When a legitimate new user logins for the first time, this + activity will be detected. Check how old the account is and verify that the user + activity is legitimate. references: [] tags: analytic_story: 
@@ -19,34 +45,21 @@ tags: - AWS Identity and Access Management Account Takeover - Compromised User Account asset_type: AWS Instance - confidence: 60 - impact: 60 - message: User $user$ is logging into the AWS console from Region $Region$ for the first time mitre_attack_id: - T1586 - T1586.003 - T1535 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.signature - - Authentication.user - - Authentication.src - risk_score: 36 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. + manual_test: This search needs the baseline to be run first to create a lookup. + It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml index 4b2339b3b9..52db64a537 100644 --- a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml +++ b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml 
@@ -1,40 +1,62 @@ name: Detect GCP Storage access from a new IP id: ccc3246a-daa1-11ea-87d0-0242ac130022 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Shannon Davis, Splunk status: experimental type: Anomaly -description: The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment. +description: The following analytic identifies access to GCP Storage buckets from + new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access + logs ingested via Cloud Pub/Sub and compares current access events against a lookup + table of previously seen IP addresses. This activity is significant as it may indicate + unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, + this could lead to data exfiltration, unauthorized data manipulation, or further + compromise of the GCP environment. 
data_source: [] -search: '`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`' -how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets. 
-known_false_positives: GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours. +search: '`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename + cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri + | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) + as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri + | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup + append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) + as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri + | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime + >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y + %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time + last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`' +how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, + setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and + logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). + In order to capture public GCP Storage Bucket access logs, you must also enable + storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These + logs are deposited into the nominated Storage Bucket on an hourly basis and typically + show up by 15 minutes past the hour. 
It is recommended to configure any saved searches + or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes + past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) + stores the previously seen access requests, and is used by this search to determine + any newly seen IP addresses accessing the Storage Buckets. +known_false_positives: GCP Storage buckets can be accessed from any IP (if the ACLs + are open to allow it), as long as it can make a successful connection. This will + be a false postive, since the search is looking for a new IP within the past two + hours. references: [] +rba: + message: GCP Bucket $bucket_name$ accessed from a new IP ($remote_ip$) + risk_objects: + - field: bucket_name + type: system + score: 25 + threat_objects: + - field: remote_ip + type: ip_address tags: analytic_story: - Suspicious GCP Storage Activities asset_type: GCP Storage Bucket - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1530 - observable: - - name: remote_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - sc_status_ - - cs_object_ - - c_ip_ - - cs_uri_ - - cs_method_ - risk_score: 25 security_domain: network diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml index a1c5254caf..5e131f80a9 100644 --- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml +++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml 
@@ -1,44 +1,50 @@ name: Detect New Open GCP Storage Buckets id: f6ea3466-d6bb-11ea-87d0-0242ac130003 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations. +description: The following analytic identifies the creation of new open/public GCP + Storage buckets. It leverages GCP PubSub events, specifically monitoring for the + `storage.setIamPermissions` method and checks if the `allUsers` member is added. + This activity is significant because open storage buckets can expose sensitive data + to the public, posing a severe security risk. If confirmed malicious, an attacker + could access, modify, or delete data within the bucket, leading to data breaches + and potential compliance violations. 
data_source: [] -search: '`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`' -how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). -known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group. 
+search: '`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions + | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action + | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath + output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath + output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName + path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role + | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member + | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, + location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`' +how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, + setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and + logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). +known_false_positives: While this search has no known false positives, it is possible + that a GCP admin has legitimately created a public bucket for a specific purpose. + That said, GCP strongly advises against granting full control to the "allUsers" + group. 
references: [] +rba: + message: New Public GCP Storage Bucket Detected + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious GCP Storage Activities asset_type: GCP Storage Bucket - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1530 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - data.resource.type - - data.protoPayload.methodName - - data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action - - data.protoPayload.authenticationInfo.principalEmail - - data.protoPayload.resourceLocation.currentLocations{} - - data.protoPayload.requestMetadata.callerIp - - data.protoPayload.resourceName - - data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role - - data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member - risk_score: 25 security_domain: network diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml index 4b9ade8b3b..bb7d4f8d9d 100644 --- a/detections/cloud/detect_new_open_s3_buckets.yml +++ b/detections/cloud/detect_new_open_s3_buckets.yml 
@@ -1,64 +1,72 @@ name: Detect New Open S3 buckets id: 2a9b80d3-6340-4345-b5ad-290bf3d0dac4 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering. +description: The following analytic identifies the creation of open/public S3 buckets + in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` + actions where the access control list (ACL) grants permissions to all users or authenticated + users. This activity is significant because open S3 buckets can expose sensitive + data to unauthorized access, leading to data breaches. If confirmed malicious, an + attacker could read, write, or fully control the contents of the bucket, potentially + leading to data exfiltration or tampering. 
data_source: - AWS CloudTrail -search: '`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw "(?{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`' +search: '`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw + "(?{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} + | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI + | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") + | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | + rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime + max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission + bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `detect_new_open_s3_buckets_filter`' how_to_implement: You must install the AWS App for Splunk. 
-known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately created a public bucket for a specific purpose. + That said, AWS strongly advises against granting full control to the "All Users" + group. references: [] drilldown_searches: - name: View the detection results for - "$user_arn$" and "$bucketName$" - search: '%original_detection_search% | search user_arn = "$user_arn$" bucketName = "$bucketName$"' + search: '%original_detection_search% | search user_arn = "$user_arn$" bucketName + = "$bucketName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_arn$" and "$bucketName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$bucketName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", + "$bucketName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_arn$ has created an open/public bucket $bucketName$ with the + following permissions $permission$ + risk_objects: + - field: user_arn + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Suspicious AWS S3 Activities asset_type: S3 Bucket - confidence: 80 - impact: 60 - message: User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$ mitre_attack_id: - T1530 - observable: - - name: user_arn - type: User - role: - - Victim - - name: bucketName - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventSource - - eventName - - requestParameters.bucketName - - user_arn - - userIdentity.principalId - - userAgent - - uri - - permission - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml index 475d944eea..809b7631c1 100644 --- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml +++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml 
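Review bot: The new `risk_objects` list keeps only `user_arn`, while the removed `observable` block also carried `bucketName` with role Victim and the retained drilldowns still pivot on `$bucketName$`; consider adding `- field: bucketName type: other score: 48` (the new-IP detection in this same change uses that shape for a bucket) so the bucket keeps receiving risk. Separately, as rendered here the `rex field=_raw "(?{.+})"` stage shows no capture-group name, yet the next stage reads `spath input=json_field`; please confirm the pattern in the file is `(?<json_field>{.+})` so the extraction the rest of the pipeline depends on actually happens.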
@@ -1,63 +1,77 @@ name: Detect New Open S3 Buckets over AWS CLI id: 39c61d09-8b30-4154-922b-2d0a694ecc22 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk. +description: The following analytic detects the creation of open/public S3 buckets + via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user + has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." + This activity is significant because open S3 buckets can expose sensitive data to + unauthorized users, leading to data breaches. If confirmed malicious, an attacker + could gain unauthorized access to potentially sensitive information stored in the + S3 bucket, posing a significant security risk. 
data_source: - AWS CloudTrail -search: '`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. -known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. 
+search: '`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* + ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp + IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write + IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp + IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control + IN ("*AuthenticatedUsers","*AllUsers") | rename requestParameters.bucketName AS + bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime + by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read + requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write + requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control + | rename userIdentity.userName as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `detect_new_open_s3_buckets_over_aws_cli_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize + this data. The search requires AWS Cloudtrail logs. +known_false_positives: While this search has no known false positives, it is possible + that an AWS admin has legitimately created a public bucket for a specific purpose. + That said, AWS strongly advises against granting full control to the "All Users" + group. 
references: [] drilldown_searches: -- name: View the detection results for - "$userIdentity.userName$" - search: '%original_detection_search% | search userIdentity.userName = "$userIdentity.userName$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$userIdentity.userName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.userName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has created an open/public bucket $bucketName$ using AWS CLI + with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ + $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ + $requestParameters.accessControlList.x-amz-grant-write-acp$ 
$requestParameters.accessControlList.x-amz-grant-full-control$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Suspicious AWS S3 Activities asset_type: S3 Bucket - confidence: 80 - impact: 60 - message: User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$ mitre_attack_id: - T1530 - observable: - - name: userIdentity.userName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventSource - - eventName - - requestParameters.accessControlList.x-amz-grant-read-acp - - requestParameters.accessControlList.x-amz-grant-write - - requestParameters.accessControlList.x-amz-grant-write-acp - - requestParameters.accessControlList.x-amz-grant-full-control - - requestParameters.bucketName - - userIdentity.userName - - userIdentity.principalId - - userAgent - - bucketName - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true diff --git a/detections/cloud/detect_s3_access_from_a_new_ip.yml b/detections/cloud/detect_s3_access_from_a_new_ip.yml index 81938ba49f..7bde386ddb 100644 --- a/detections/cloud/detect_s3_access_from_a_new_ip.yml 
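Review bot: The added `| rename userIdentity.userName as user` feeds the new `user` risk object, but the earlier `| fillnull` in the same pipeline turns a missing `userIdentity.userName` into `0` before the `stats`, so any event without that field attaches risk to a user named `0`. Suggest deriving the risk object explicitly, e.g. `| eval user=coalesce('userIdentity.userName', 'userIdentity.principalId')` ahead of the `stats` (and grouping on `user`), or at minimum `fillnull value=unknown`; the five `$requestParameters.accessControlList.x-amz-grant-*$` tokens in `rba.message` will likewise print `0` for grants that were not present. Also, `- update_timestamp: true` is removed from the test in this and the previous hunk without any mention in the change; if the attack data no longer needs its timestamps shifted, that is worth stating in the PR description.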
+++ b/detections/cloud/detect_s3_access_from_a_new_ip.yml 
@@ -1,42 +1,53 @@ name: Detect S3 access from a new IP id: e6f1bb1b-f441-492b-9126-902acda217da -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket. +description: The following analytic identifies access to an S3 bucket from a new or + previously unseen remote IP address. It leverages S3 bucket-access logs, specifically + focusing on successful access events (http_status=200). This activity is significant + because access from unfamiliar IP addresses could indicate unauthorized access or + potential data exfiltration attempts. If confirmed malicious, this activity could + lead to unauthorized data access, data theft, or further exploitation of the compromised + S3 bucket, posing a significant risk to sensitive information stored within the + bucket. 
data_source: [] -search: '`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names. -known_false_positives: S3 buckets can be accessed from any IP, as long as it can make a successful connection. 
This will be a false postive, since the search is looking for a new IP within the past hour +search: '`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 + | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip + | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) + as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup + previously_seen_S3_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(), + "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip + | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access + logs' inputs. This search works best when you run the "Previously Seen S3 Bucket + Access by Remote IP" support search once to create a history of previously seen + remote IPs and bucket names. +known_false_positives: S3 buckets can be accessed from any IP, as long as it can make + a successful connection. 
This will be a false postive, since the search is looking + for a new IP within the past hour references: [] +rba: + message: New S3 access from a new IP - $src_ip$ + risk_objects: + - field: bucketName + type: other + score: 25 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious AWS S3 Activities asset_type: S3 Bucket - confidence: 50 - impact: 50 - message: New S3 access from a new IP - $src_ip$ mitre_attack_id: - T1530 - observable: - - name: bucketName - type: Other - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_status - - bucket_name - - remote_ip - risk_score: 25.0 security_domain: network diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml index bccbc3af83..1772e2c65c 100644 --- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml +++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml 
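Review bot: `risk_objects: - field: bucketName` names a field this search never produces; the pipeline ends with `| table _time bucket_name src_ip City Country operation request_uri`, so the bucket is exposed as `bucket_name` and the risk rule would reference an absent field at alert time. Either add `| rename bucket_name as bucketName` to the search or change the entry to `field: bucket_name`. The `threat_objects` entry for `src_ip` matches the `rename remote_ip as src_ip` and looks right. Minor: `data_source: []` remains empty even though `how_to_implement` spells out that S3 access logs are the input.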
@@ -1,15 +1,31 @@ name: Detect Spike in AWS Security Hub Alerts for EC2 Instance id: 2a9b80d3-6340-4345-b5ad-290bf5d0d222 -version: 5 -date: '2024-10-09' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance. +description: The following analytic identifies a spike in the number of AWS Security + Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security + Hub findings data, calculating the average and standard deviation of alerts to detect + anomalies. This activity is significant for a SOC as a sudden increase in alerts + may indicate potential security incidents or misconfigurations requiring immediate + attention. If confirmed malicious, this could signify an ongoing attack, leading + to unauthorized access, data exfiltration, or disruption of services on the affected + EC2 instance. 
data_source: - AWS Security Hub -search: '`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. +search: '`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h + _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) + as vendor_account values(vendor_region) as vendor_region values(severity) as severity + by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev + | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev + * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types + vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security + Hub inputs. 
The threshold_value should be tuned to your environment and schedule + these searches according to the bucket span interval. known_false_positives: None references: [] drilldown_searches: 
@@ -18,40 +34,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - AWS Security Hub Alerts - Critical Alerts asset_type: AWS Instance - confidence: 50 - impact: 30 - message: Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$ - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Resources{}.Type - - Title - - Types{} - - vendor_account - - vendor_region - - severity - - dest - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.json sourcetype: aws:securityhub:finding source: aws_securityhub_finding diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml index 5d7abde51e..8a73d68bdb 100644 --- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml +++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml 
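Review bot: `message: Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$` interpolates `Title`, which the search builds with `values(Title) as Title` and is therefore multivalue; every distinct finding title in the 4-hour bucket will be concatenated into the risk message. Consider `| eval Title=mvjoin(Title, ", ")` before the final `table`, or a dedicated `dc(Title)` count in the message instead. Nit: "security Hub" here versus "Security Hub" in the sibling user detection's message.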
@@ -1,38 +1,44 @@ name: Detect Spike in AWS Security Hub Alerts for User id: 2a9b80d3-6220-4345-b5ad-290bf5d0d222 -version: 5 -date: '2024-10-09' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation. +description: The following analytic identifies a spike in the number of AWS Security + Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security + Hub findings data, calculating the average and standard deviation of alerts to detect + significant deviations. This activity is significant as a sudden increase in alerts + for a specific user may indicate suspicious behavior or a potential security incident. + If confirmed malicious, this could signify an ongoing attack, unauthorized access, + or misuse of IAM credentials, potentially leading to data breaches or further exploitation. 
data_source: - AWS Security Hub -search: '`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. +search: '`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename + findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts + by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev + | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev + * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security + Hub inputs. The threshold_value should be tuned to your environment and schedule + these searches according to the bucket span interval. 
known_false_positives: None references: [] +rba: + message: Spike in AWS Security Hub alerts for user - $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Security Hub Alerts - Critical Alerts asset_type: AWS Instance - confidence: 50 - impact: 50 - message: Spike in AWS Security Hub alerts for user - $user$ - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - findings{}.Resources{}.Type - - indings{}.Resources{}.Id - - user - risk_score: 25 security_domain: network diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml index 60daa229eb..9421b46f24 100644 --- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml +++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml 
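Review bot: The two Security Hub searches touched in this change address the resource type through different paths: this hunk uses `"findings{}.Resources{}.Type"= AwsIamUser` and `rename findings{}.Resources{}.Id as user`, while the EC2 detection above uses `"Resources{}.Type"=AWSEC2Instance` against the same `aws_securityhub_finding` macro. At least one of them depends on an event layout the other does not, so the field prefix should be confirmed against the `aws:securityhub:finding` test data and made consistent; this detection is still `status: experimental` and carries no `tests:` block, so nothing in CI would catch a non-matching path. Also, `asset_type: AWS Instance` is retained although the risk object here is `type: user`; an account or user asset type would describe the entity receiving risk more accurately.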
@@ -1,38 +1,64 @@ name: Detect Spike in blocked Outbound Traffic from your AWS id: d3fffa37-492f-487b-a35d-c60fcb2acf01 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities. +description: The following analytic identifies spikes in blocked outbound network + connections originating from within your AWS environment. It leverages VPC Flow + Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to + external destinations. This detection is significant as it can indicate potential + exfiltration attempts or misconfigurations leading to data leakage. If confirmed + malicious, such activity could allow attackers to bypass network defenses, leading + to unauthorized data transfer or communication with malicious external entities. 
data_source: [] -search: '`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. 
The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections. -known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections. +search: '`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 + OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` + action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) + ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | + stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections + append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections + as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 + | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) + | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), + stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), + numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, + latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup + 
baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold + = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) + AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] + | stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId" count as + numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow + logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit + your environment. The `dataPointThreshold` variable is the number of data points + required to meet the definition of "spike." The `deviationThreshold` variable is + the number of standard deviations away from the mean that the value must be to be + considered a spike. This search works best when you run the "Baseline of Blocked + Outbound Connection" support search once to create a history of previously seen + blocked outbound connections. +known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` + and `deviationThreshold`. Additionally, false positives may result when AWS administrators + roll out policies enforcing network blocks, causing sudden increases in the number + of blocked outbound connections. 
references: [] +rba: + message: Blocked outbound traffic from your AWS VPC + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - AWS Network ACL Activity - Suspicious AWS Traffic - Command And Control asset_type: AWS Instance - confidence: 50 - impact: 50 - message: Blocked outbound traffic from your AWS - observable: - - name: resourceId - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - action - - src_ip - - dest_ip - risk_score: 25.0 security_domain: network diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml index 606d5295f5..c85b9a241f 100644 --- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml +++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml 
@@ -1,38 +1,61 @@ name: Detect Spike in S3 Bucket deletion id: e733a326-59d2-446d-b8db-14a17151aa68 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity. +description: The following analytic identifies a spike in API activity related to + the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail + logs to detect anomalies by comparing current deletion activity against a historical + baseline. This activity is significant as unusual spikes in S3 bucket deletions + could indicate malicious actions such as data exfiltration or unauthorized data + destruction. If confirmed malicious, this could lead to significant data loss, disruption + of services, and potential exposure of sensitive information. Immediate investigation + is required to determine the legitimacy of the activity. 
data_source: - AWS CloudTrail -search: '`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. 
This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. -known_false_positives: Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. +search: '`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket + | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup + s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn + | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 + | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) + | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, + stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) + | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup + s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval + isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints + > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | + table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName + path=requestParameters.bucketName | stats values(bucketName) as bucketName, count + as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail + inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit + your environment. 
The `dataPointThreshold` variable is the minimum number of data + points required to have a statistically significant amount of data to determine. + The `deviationThreshold` variable is the number of standard deviations away from + the mean that the value must be to be considered a spike. This search works best + when you run the "Baseline of S3 Bucket deletion activity by ARN" support search + once to create a baseline of previously seen S3 bucket-deletion activity. +known_false_positives: Based on the values of`dataPointThreshold` and `deviationThreshold`, + the false positive rate may vary. Please modify this according the your environment. references: [] +rba: + message: Spike in AWS S3 Bucket Deletion from $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious AWS S3 Activities asset_type: S3 Bucket - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1530 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.arn - risk_score: 25 security_domain: network diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml index ce94457b13..86cae6e982 100644 --- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml 
@@ -1,16 +1,29 @@ name: GCP Authentication Failed During MFA Challenge id: 345f7e1d-a3fe-4158-abd8-e630f9878323 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects failed authentication attempts during the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) tenant. It uses Google Workspace login failure events to identify instances where MFA methods were challenged but not successfully completed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials despite MFA protection. If confirmed malicious, this could lead to unauthorized access attempts, potentially compromising sensitive data and resources within the GCP environment. +description: The following analytic detects failed authentication attempts during + the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) + tenant. It uses Google Workspace login failure events to identify instances where + MFA methods were challenged but not successfully completed. This activity is significant + as it may indicate an adversary attempting to access an account with compromised + credentials despite MFA protection. If confirmed malicious, this could lead to unauthorized + access attempts, potentially compromising sensitive data and resources within the + GCP environment. 
data_source: - Google Workspace login_failure -search: '`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -known_false_positives: Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. +search: '`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats + count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method + | `gcp_authentication_failed_during_mfa_challenge_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Google + Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows + Splunk administrators to collect Google Workspace event data in Splunk using Google + Workspace APIs. Specifically, this analytic leverages the User log events. +known_false_positives: Legitimate users may miss to reply the MFA challenge within + the time window or deny it by mistake. references: - https://attack.mitre.org/techniques/T1621/ - https://attack.mitre.org/techniques/T1078/004/ 
@@ -20,47 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ failed to pass MFA challenge + risk_objects: + - field: user + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - GCP Account Takeover asset_type: Google Cloud Platform tenant - confidence: 90 - impact: 60 - message: User $user$ failed to pass MFA challenge mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - T1621 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - src_ip - - login_challenge_method - - event.parameters{}.multiValue{} - risk_score: 54 security_domain: identity tests: - name: 
True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log source: gws:reports:login sourcetype: gws:reports:login - update_timestamp: true diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml index 30946b5976..f7ec51e659 100644 --- a/detections/cloud/gcp_detect_gcploit_framework.yml +++ b/detections/cloud/gcp_detect_gcploit_framework.yml 
@@ -1,45 +1,46 @@ name: GCP Detect gcploit framework id: a1c5a85e-a162-410c-a5d9-99ff639e5a52 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: TTP -description: The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. +description: The following analytic identifies the use of the GCPloit exploitation + framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages + with a function timeout of 539 seconds, which is indicative of GCPloit activity. + This detection is significant as GCPloit can be used to escalate privileges and + facilitate lateral movement from compromised high-privilege accounts. If confirmed + malicious, this activity could allow attackers to gain unauthorized access, escalate + their privileges, and move laterally within the GCP environment, potentially compromising + sensitive data and critical resources. data_source: [] -search: '`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`' -how_to_implement: You must install splunk GCP add-on. 
This search works with gcp:pubsub:message logs -known_false_positives: Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects +search: '`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s + | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail + data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location + http_user_agent | `gcp_detect_gcploit_framework_filter`' +how_to_implement: You must install splunk GCP add-on. This search works with gcp:pubsub:message + logs +known_false_positives: Payload.request.function.timeout value can possibly be match + with other functions or requests however the source user and target request account + may indicate an attempt to move laterally accross acounts or projects references: - https://github.com/dxa4481/gcploit - https://www.youtube.com/watch?v=Ml09R38jpok +rba: + message: Possible use of gcploit framework + risk_objects: + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - GCP Cross Account Activity asset_type: GCP Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - data.protoPayload.request.function.timeout - - src - - src_user - - data.resource.labels.project_id - - data.protoPayload.request.function.serviceAccountEmail - - data.protoPayload.authorizationInfo{}.permission - - data.protoPayload.request.location - - http_user_agent - risk_score: 25 security_domain: threat 
diff --git a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml index 5109661316..703798c90b 100644 --- a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml +++ b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml 
@@ -1,43 +1,35 @@ name: GCP Kubernetes cluster pod scan detection id: 19b53215-4a16-405b-8087-9e6acf619842 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment. +description: The following analytic identifies unauthenticated requests to Kubernetes + cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit + logs where the response status code is 401, indicating unauthorized access attempts. + This activity is significant for a SOC because it may indicate reconnaissance or + scanning attempts by an attacker trying to identify vulnerable pods. If confirmed + malicious, this activity could lead to unauthorized access, allowing the attacker + to exploit vulnerabilities within the cluster, potentially compromising sensitive + data or gaining control over the Kubernetes environment. data_source: [] -search: '`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`' -how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. 
-known_false_positives: Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. +search: '`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log + |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason + properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`' +how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or later), + then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. +known_false_positives: Not all unauthenticated requests are malicious, but frequency, + User Agent, source IPs and pods will provide context. references: [] tags: analytic_story: - Kubernetes Scanning Activity asset_type: GCP Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1526 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - category - - responseStatus.code - - sourceIPs{} - - userAgent - - verb - - requestURI - - responseStatus.reason - - properties.pod - risk_score: 25 security_domain: threat diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml index 1620bdefa7..411d36c82b 100644 --- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml +++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml 
@@ -1,16 +1,30 @@ name: GCP Multi-Factor Authentication Disabled id: b9bc5513-6fc1-4821-85a3-e1d81e451c83 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects an attempt to disable multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised account without raising suspicion. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access, data exfiltration, or further exploitation of the compromised account. +description: The following analytic detects an attempt to disable multi-factor authentication + (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin + log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity + is significant because disabling MFA can allow an adversary to maintain persistence + within the environment using a compromised account without raising suspicion. If + confirmed malicious, this action could enable attackers to bypass additional security + layers, potentially leading to unauthorized access, data exfiltration, or further + exploitation of the compromised account. 
data_source: - Google Workspace -search: '`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events. -known_false_positives: Legitimate use case may require for users to disable MFA. Filter as needed. +search: '`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count + min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, + id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Google + Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows + Splunk administrators to collect Google Workspace event data in Splunk using Google + Workspace APIs. Specifically, this analytic leverages the Admin log events. +known_false_positives: Legitimate use case may require for users to disable MFA. Filter + as needed. references: - https://support.google.com/cloudidentity/answer/2537800?hl=en - https://attack.mitre.org/tactics/TA0005/ 
@@ -21,46 +35,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: MFA disabled for User $user$ initiated by $actor.email$ + risk_objects: + - field: user + type: user + score: 45 + - field: actor.email + type: user + score: 45 + threat_objects: [] tags: analytic_story: - GCP Account Takeover asset_type: GCP - confidence: 90 - impact: 50 - message: MFA disabled for User $user$ initiated by $actor.email$ mitre_attack_id: - T1586 - T1586.003 - T1556 - T1556.006 - observable: - - name: user - type: User - role: - - Victim - - name: actor.email - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - actor.email - - user - - command - - status - risk_score: 45 security_domain: identity tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log source: gws:reports:admin sourcetype: gws:reports:admin - update_timestamp: true diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml index 5bc9eec942..613b536a54 100644 --- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml 
@@ -1,16 +1,31 @@ name: GCP Multiple Failed MFA Requests For User id: cbb3cb84-c06f-4393-adcc-5cb6195621f1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment. +description: The following analytic detects multiple failed multi-factor authentication + (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It + triggers when 10 or more MFA prompts fail within a 5-minute window, using Google + Workspace login failure events. This behavior is significant as it may indicate + an adversary attempting to bypass MFA by bombarding the user with repeated authentication + requests. If confirmed malicious, this activity could lead to unauthorized access, + allowing attackers to compromise accounts and potentially escalate privileges within + the GCP environment. 
data_source: - Google Workspace login_failure -search: '`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. +search: '`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket + span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time + | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Google + Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows + Splunk administrators to collect Google Workspace event data in Splunk using Google + Workspace APIs. We would also recommend tuning the detection by adjusting the window + `span` and `mfa_prompts` threshold values according to your environment. Specifically, + this analytic leverages the User log events. +known_false_positives: Multiple Failed MFA requests may also be a sign of authentication + or application issues. Filter as needed. 
references: - https://www.mandiant.com/resources/blog/russian-targeting-gov-business - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ 
@@ -23,43 +38,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple Failed MFA requests for user $user$ + risk_objects: + - field: user + type: user + score: 54 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - GCP Account Takeover asset_type: Google Cloud Platform tenant - confidence: 90 - impact: 60 - message: Multiple Failed MFA requests for user $user$ mitre_attack_id: - T1586 - T1586.003 - T1621 - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 54 security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log source: gws:reports:login sourcetype: gws:reports:login - update_timestamp: true diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml index 63db748127..e5b02c1c25 100644 --- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml 
@@ -1,16 +1,32 @@ name: GCP Multiple Users Failing To Authenticate From Ip id: da20828e-d6fb-4ee5-afb7-d0ac200923d5 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment. +description: The following analytic detects a single source IP address failing to + authenticate into more than 20 unique Google Workspace user accounts within a 5-minute + window. It leverages Google Workspace login failure events to identify potential + password spraying attacks. This activity is significant as it may indicate an adversary + attempting to gain unauthorized access or elevate privileges within the Google Cloud + Platform. If confirmed malicious, this behavior could lead to unauthorized access + to sensitive resources, data breaches, or further exploitation within the environment. 
data_source: - Google Workspace login_failure -search: '`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -known_false_positives: No known false postives for this detection. Please review this alert. +search: '`gws_reports_login` event.type = login event.name = login_failure | bucket + span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts + values(authentication_method) AS authentication_method earliest(_time) as firstTime + latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Google + Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows + Splunk administrators to collect Google Workspace event data in Splunk using Google + Workspace APIs. 
We would also recommend tuning the detection by adjusting the window + `span` and `unique_accounts` threshold values according to your environment. Specifically, + this analytic leverages the User log events. +known_false_positives: No known false postives for this detection. Please review this + alert. references: - https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks - https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite 
@@ -22,49 +38,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'Multiple failed login attempts (Count: $unique_accounts$) against users + seen from $src$' + risk_objects: + - field: tried_accounts + type: user + score: 54 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - GCP Account Takeover asset_type: Google Cloud Platform tenant - confidence: 90 - impact: 60 - message: 'Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$' mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: tried_accounts - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - 
- _time - - event.name - - event.type - - authentication_method - - app - - id.applicationName - - src - risk_score: 54 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json source: gws_login sourcetype: gws:reports:login - update_timestamp: true diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml index a3ad84eaea..3f13fa8928 100644 --- a/detections/cloud/gcp_successful_single_factor_authentication.yml +++ b/detections/cloud/gcp_successful_single_factor_authentication.yml 
@@ -1,16 +1,30 @@ name: GCP Successful Single-Factor Authentication id: 40e17d88-87da-414e-b253-8dc1e4f9555b -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment. +description: The following analytic identifies a successful single-factor authentication + event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication + (MFA) enabled. It uses Google Workspace login event data to detect instances where + MFA is not utilized. This activity is significant as it may indicate a misconfiguration, + policy violation, or potential account takeover attempt. If confirmed malicious, + an attacker could gain unauthorized access to GCP resources, potentially leading + to data breaches, service disruptions, or further exploitation within the cloud + environment. 
data_source: - Google Workspace login_success -search: '`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -known_false_positives: Although not recommended, certain users may be required without multi-factor authentication. Filter as needed +search: '`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` + | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, + app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `gcp_successful_single_factor_authentication_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Google + Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows + Splunk administrators to collect Google Workspace event data in Splunk using Google + Workspace APIs. Specifically, this analytic leverages the User log events. +known_false_positives: Although not recommended, certain users may be required without + multi-factor authentication. Filter as needed references: - https://attack.mitre.org/techniques/T1078/004/ - https://support.google.com/a/answer/175197?hl=en 
@@ -21,47 +35,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Successful authentication for user $user$ without MFA + risk_objects: + - field: user + type: user + score: 45 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - GCP Account Takeover asset_type: Google Cloud Platform tenant - confidence: 90 - impact: 50 - message: Successful authentication for user $user$ without MFA mitre_attack_id: - T1586 - T1586.003 - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - event.name - - event.parameters{}.multiValue{} - - user - - src_ip - - login_challenge_method - risk_score: 45 
security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log source: gws:reports:login sourcetype: gws:reports:login - update_timestamp: true diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml index f2cbee410e..7e59b0346a 100644 --- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml 
@@ -1,16 +1,34 @@ name: GCP Unusual Number of Failed Authentications From Ip id: bd8097ed-958a-4873-87d9-44f2b4d85705 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies a single source IP failing to authenticate into Google Workspace with multiple valid users, potentially indicating a Password Spraying attack. It uses Google Workspace login failure events and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation within the environment. +description: The following analytic identifies a single source IP failing to authenticate + into Google Workspace with multiple valid users, potentially indicating a Password + Spraying attack. It uses Google Workspace login failure events and calculates the + standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed + authentication attempts. This activity is significant as it may signal an adversary + attempting to gain initial access or elevate privileges. If confirmed malicious, + this could lead to unauthorized access, data breaches, or further exploitation within + the environment. 
data_source: - Google Workspace login_failure -search: '`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -known_false_positives: No known false positives for this detection. Please review this alert +search: '`gws_reports_login` event.type = login event.name = login_failure| bucket + span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts + values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) + as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, + 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Google + Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows + Splunk administrators to collect Google Workspace event data in Splunk using Google + Workspace APIs. 
We would also recommend tuning the detection by adjusting the window + `span` and `unique_accounts` threshold values according to your environment. Specifically, + this analytic leverages the User log events. +known_false_positives: No known false positives for this detection. Please review + this alert references: - https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks - https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite 
@@ -22,47 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'Unusual number of failed console login attempts (Count: $unique_accounts$) + against users from IP Address - $src$' + risk_objects: + - field: tried_accounts + type: user + score: 54 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - GCP Account Takeover asset_type: Google Cloud Platform tenant - confidence: 90 - impact: 60 - message: 'Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$' mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: tried_accounts - type: User - role: - - Victim product: - Splunk Enterprise - Splunk 
Enterprise Security - Splunk Cloud - required_fields: - - _time - - event.name - - src - - event.type - - user_name - risk_score: 54 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json source: gws_login sourcetype: gws:reports:login - update_timestamp: true diff --git a/detections/cloud/gdrive_suspicious_file_sharing.yml b/detections/cloud/gdrive_suspicious_file_sharing.yml index 7474c49123..028c0bee24 100644 --- a/detections/cloud/gdrive_suspicious_file_sharing.yml +++ b/detections/cloud/gdrive_suspicious_file_sharing.yml 
@@ -1,15 +1,31 @@ name: Gdrive suspicious file sharing id: a7131dae-34e3-11ec-a2de-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Teoderick Contreras status: experimental type: Hunting -description: The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations. +description: The following analytic identifies suspicious file-sharing activity on + Google Drive, where internal users share documents with more than 50 external recipients. + It leverages GSuite Drive logs, focusing on changes in user access and filtering + for emails outside the organization's domain. This activity is significant as it + may indicate compromised accounts or intentional data exfiltration. If confirmed + malicious, this behavior could lead to unauthorized access to sensitive information, + data leaks, and potential compliance violations. data_source: [] -search: '`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = "*@yourdomain.com" target_user != "*@yourdomain.com" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`' -how_to_implement: Need to implement Gsuite logging targeting Google suite drive activity. 
In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. -known_false_positives: This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users. +search: '`gsuite_drive` name=change_user_access | rename parameters.* as * | search + email = "*@yourdomain.com" target_user != "*@yourdomain.com" | stats count values(owner) + as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) + as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target + > 50 | `gdrive_suspicious_file_sharing_filter`' +how_to_implement: Need to implement Gsuite logging targeting Google suite drive activity. + In order for the search to work for your environment please update `yourdomain.com` + value in the query with the domain relavant for your organization. +known_false_positives: This is an anomaly search, you must specify your domain in + the parameters so it either filters outside domains or focus on internal domains. + This search may also help investigate compromise of accounts. By looking at for + example source ip addresses, document titles and abnormal number of shares and shared + target users. references: - https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html tags: 
@@ -17,26 +33,10 @@ tags: - Spearphishing Attachments - Data Exfiltration asset_type: GDrive - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1566 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - src_ip - - parameters.owner - - parameters.target_user - - parameters.doc_title - - parameters.doc_type - risk_score: 25 security_domain: threat diff --git a/detections/cloud/github_actions_disable_security_workflow.yml b/detections/cloud/github_actions_disable_security_workflow.yml index 8b78e52e92..8d8f8d8c2a 100644 --- a/detections/cloud/github_actions_disable_security_workflow.yml +++ b/detections/cloud/github_actions_disable_security_workflow.yml 
@@ -1,15 +1,32 @@ name: GitHub Actions Disable Security Workflow id: 0459f1a5-c0ac-4987-82d6-65081209f854 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase. +description: The following analytic detects the disabling of a security workflow in + GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding + those named *security-testing*, is disabled following a push or pull request event. + This activity is significant as it may indicate an attempt by an attacker to conceal + malicious code by disabling security checks. If confirmed malicious, this could + allow the attacker to introduce and persist undetected malicious code within the + repository, potentially compromising the integrity and security of the codebase. 
data_source: - GitHub -search: '`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`' -how_to_implement: You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions. 
+search: '`github` workflow_run.event=push OR workflow_run.event=pull_request | stats + values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event + workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name + workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name + workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type + | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email + as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch + as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`' +how_to_implement: You must index GitHub logs. You can follow the url in reference + to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable + it in props.conf. Replace *security-testing* with the name of your security testing + workflow in GitHub Actions. known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html 
@@ -19,46 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Security Workflow is disabled in branch $branch$ for repository $repository$ + risk_objects: + - field: repository + type: other + score: 27 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: GitHub - confidence: 90 - impact: 30 - message: Security Workflow is disabled in branch $branch$ for repository $repository$ mitre_attack_id: - T1195.002 - T1195 - observable: - - name: repository - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - workflow_run.event - - workflow_run.name - - workflow_run.head_commit.id - - workflow_run.event workflow_run.head_branch - - workflow_run.head_commit.author.email - - 
workflow_run.head_commit.author.name - - workflow_run.head_commit.message - - workflow_run.head_commit.timestamp - - workflow_run.head_repository.full_name - - workflow_run.head_repository.owner.id - - workflow_run.head_repository.owner.login - - workflow_run.head_repository.owner.type - risk_score: 27 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.log source: github sourcetype: aws:firehose:json diff --git a/detections/cloud/github_commit_changes_in_master.yml b/detections/cloud/github_commit_changes_in_master.yml index 0b4dfdad1e..e1c2f6383a 100644 --- a/detections/cloud/github_commit_changes_in_master.yml +++ b/detections/cloud/github_commit_changes_in_master.yml 
@@ -1,15 +1,27 @@ name: Github Commit Changes In Master id: c9d2bfe2-019f-11ec-a8eb-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects direct commits or pushes to the master or main branch in a GitHub repository. It leverages GitHub logs to identify events where changes are made directly to these critical branches. This activity is significant because direct modifications to the master or main branch bypass the standard review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity. +description: The following analytic detects direct commits or pushes to the master + or main branch in a GitHub repository. It leverages GitHub logs to identify events + where changes are made directly to these critical branches. This activity is significant + because direct modifications to the master or main branch bypass the standard review + process, potentially introducing unreviewed and harmful changes. If confirmed malicious, + this could lead to unauthorized code execution, security vulnerabilities, or compromised + project integrity. 
data_source: - GitHub -search: '`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. +search: '`github` branches{}.name = main OR branches{}.name = master | stats count + min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login + commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name + | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to github logs having the fork, commit, push metadata that can be use + to monitor the changes in a github project. known_false_positives: Admin can do changes directly to master branch references: - https://www.redhat.com/en/topics/devops/what-is-devsecops 
@@ -19,34 +31,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$commit.commit.author.email$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$commit.commit.author.email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$commit.commit.author.email$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious commit by $commit.commit.author.email$ to main branch + risk_objects: + - field: commit.commit.author.email + type: user + score: 9 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: GitHub - confidence: 30 - impact: 30 - message: Suspicious commit by $commit.commit.author.email$ to main branch mitre_attack_id: - T1199 - observable: - - name: commit.commit.author.email - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_master.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_master.log source: github sourcetype: aws:firehose:json diff --git a/detections/cloud/github_commit_in_develop.yml b/detections/cloud/github_commit_in_develop.yml index 7e50ba10a1..82ca6e17bc 100644 --- a/detections/cloud/github_commit_in_develop.yml +++ b/detections/cloud/github_commit_in_develop.yml 
@@ -1,15 +1,27 @@ name: Github Commit In Develop id: f3030cb6-0b02-11ec-8f22-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects commits pushed directly to the 'develop' or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle. +description: The following analytic detects commits pushed directly to the 'develop' + or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on + commit metadata such as author details, commit messages, and timestamps. This activity + is significant as direct commits to these branches can bypass the review process, + potentially introducing unvetted changes. If confirmed malicious, this could lead + to unauthorized code modifications, introducing vulnerabilities or backdoors into + the codebase, and compromising the integrity of the development lifecycle. 
data_source: - GitHub -search: '`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. +search: '`github` branches{}.name = main OR branches{}.name = develop | stats count + min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email + commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date + | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `github_commit_in_develop_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to github logs having the fork, commit, push metadata that can be use + to monitor the changes in a github project. known_false_positives: admin can do changes directly to develop branch references: - https://www.redhat.com/en/topics/devops/what-is-devsecops 
@@ -19,34 +31,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$commit.commit.author.email$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$commit.commit.author.email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$commit.commit.author.email$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious commit by $commit.commit.author.email$ to develop branch + risk_objects: + - field: commit.commit.author.email + type: user + score: 9 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: GitHub - confidence: 30 - impact: 30 - message: Suspicious commit by $commit.commit.author.email$ to develop branch mitre_attack_id: - T1199 - observable: - - name: commit.commit.author.email - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_develop.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_develop.json source: github sourcetype: aws:firehose:json diff --git a/detections/cloud/github_dependabot_alert.yml b/detections/cloud/github_dependabot_alert.yml index e8e0626850..0e93d69aae 100644 --- a/detections/cloud/github_dependabot_alert.yml +++ b/detections/cloud/github_dependabot_alert.yml 
@@ -1,15 +1,27 @@ name: GitHub Dependabot Alert id: 05032b04-4469-4034-9df7-05f607d75cba -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of GitHub Dependabot alerts, which indicate potential vulnerabilities in the codebase. It detects this activity by searching for logs with the "create" action and analyzing fields such as affected package, severity, and fixed version. This detection is significant for a SOC because it helps identify and address security risks in the codebase proactively. If confirmed malicious, these vulnerabilities could be exploited by attackers to gain unauthorized access or cause breaches, leading to potential data loss or system compromise. +description: The following analytic identifies the creation of GitHub Dependabot alerts, + which indicate potential vulnerabilities in the codebase. It detects this activity + by searching for logs with the "create" action and analyzing fields such as affected + package, severity, and fixed version. This detection is significant for a SOC because + it helps identify and address security risks in the codebase proactively. If confirmed + malicious, these vulnerabilities could be exploited by attackers to gain unauthorized + access or cause breaches, leading to potential data loss or system compromise. 
data_source: - GitHub -search: '`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`' -how_to_implement: You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. +search: '`github` alert.id=* action=create | rename repository.full_name as repository, + repository.html_url as repository_url sender.login as user | stats min(_time) as + firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range + alert.created_at alert.external_identifier alert.external_reference alert.fixed_in + alert.severity repository repository_url user | eval phase="code" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`' +how_to_implement: You must index GitHub logs. You can follow the url in reference + to onboard GitHub logs. known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html 
@@ -19,46 +31,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Vulnerabilities found in packages used by GitHub repository $repository$ + risk_objects: + - field: repository + type: other + score: 27 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: GitHub - confidence: 90 - impact: 30 - message: Vulnerabilities found in packages used by GitHub repository $repository$ mitre_attack_id: - T1195.001 - T1195 - observable: - - name: repository - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - alert.id - - repository.full_name - - repository.html_url - - action - - alert.affected_package_name - - alert.affected_range - - alert.created_at - - alert.external_identifier - - 
alert.external_reference - - alert.fixed_in - - alert.severity - risk_score: 27 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.json sourcetype: aws:firehose:json source: github diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml index fceb64ab77..8cfcb7f5fc 100644 --- a/detections/cloud/github_pull_request_from_unknown_user.yml +++ b/detections/cloud/github_pull_request_from_unknown_user.yml 
@@ -1,15 +1,28 @@ name: GitHub Pull Request from Unknown User id: 9d7b9100-8878-4404-914e-ca5e551a641e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects pull requests from unknown users on GitHub. It uses a Splunk query to identify pull requests where the user ID is not specified and cross-references these with a known users lookup table. This activity is significant because pull requests from unknown users can introduce malicious code or unauthorized changes to repositories. If confirmed malicious, this could lead to unauthorized code changes, data breaches, or other security incidents. Immediate steps include reviewing the author's name, repository, head reference, and commit message, and investigating any related artifacts and processes. +description: The following analytic detects pull requests from unknown users on GitHub. + It uses a Splunk query to identify pull requests where the user ID is not specified + and cross-references these with a known users lookup table. This activity is significant + because pull requests from unknown users can introduce malicious code or unauthorized + changes to repositories. If confirmed malicious, this could lead to unauthorized + code changes, data breaches, or other security incidents. Immediate steps include + reviewing the author's name, repository, head reference, and commit message, and + investigating any related artifacts and processes. 
data_source: - GitHub -search: '`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`' -how_to_implement: You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. +search: '`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name + repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message + | rename check_suite.head_commit.author.name as user repository.full_name as repository + check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message + as commit_message | search NOT `github_known_users` | eval phase="code" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`' +how_to_implement: You must index GitHub logs. You can follow the url in reference + to onboard GitHub logs. known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html 
@@ -19,46 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Vulnerabilities found in packages used by GitHub repository $repository$ + risk_objects: + - field: repository + type: other + score: 27 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: GitHub - confidence: 90 - impact: 30 - message: Vulnerabilities found in packages used by GitHub repository $repository$ mitre_attack_id: - T1195.001 - T1195 - observable: - - name: repository - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - alert.id - - repository.full_name - - repository.html_url - - action - - alert.affected_package_name - - alert.affected_range - - alert.created_at - - alert.external_identifier - - 
alert.external_reference - - alert.fixed_in - - alert.severity - risk_score: 27 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json sourcetype: aws:firehose:json source: github diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml index 3e317d4b19..cda144c5d9 100644 --- a/detections/cloud/gsuite_drive_share_in_external_email.yml +++ b/detections/cloud/gsuite_drive_share_in_external_email.yml 
@@ -1,56 +1,64 @@ name: Gsuite Drive Share In External Email id: f6ee02d6-fea0-11eb-b2c2-acde48001122 -version: 3 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: experimental type: Anomaly -description: The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches. +description: The following analytic detects Google Drive or Google Docs files shared + externally from an internal domain. It leverages GSuite Drive logs, extracting and + comparing the source and destination email domains to identify external sharing. + This activity is significant as it may indicate potential data exfiltration by an + attacker or insider. If confirmed malicious, this could lead to unauthorized access + to sensitive information, data leakage, and potential compliance violations. Monitoring + this behavior helps in early detection and mitigation of data breaches. 
data_source: - G Suite Drive -search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. -known_false_positives: network admin or normal user may share files to customer and external team. 
+search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)" + | rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com" + and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low" + | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as + doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, + values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as + lastTime by parameters.owner ip_address phase severity | rename parameters.owner + as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `gsuite_drive_share_in_external_email_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to gsuite having the file attachment metadata like file type, file + extension, source email, destination email, num of attachment and etc. In order + for the search to work for your environment, please edit the query to use your company + specific email domain instead of `internal_test_email.com`. +known_false_positives: network admin or normal user may share files to customer and + external team. 
references: - https://www.redhat.com/en/topics/devops/what-is-devsecops +rba: + message: suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ + risk_objects: + - field: email + type: user + score: 72 + - field: parameters.owner + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Dev Sec Ops - Insider Threat asset_type: GSuite - confidence: 90 - impact: 80 - message: suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ mitre_attack_id: - T1567.002 - T1567 - observable: - - name: parameters.owner - type: User - role: - - Attacker - - name: email - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - parameters.doc_title - - src_domain - - dest_domain - - email - - parameters.visibility - - parameters.owner - - parameters.doc_type - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log source: http:gsuite sourcetype: gsuite:drive:json diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml index 363b494a92..7c29d2848b 100644 --- a/detections/cloud/gsuite_email_suspicious_attachment.yml +++ b/detections/cloud/gsuite_email_suspicious_attachment.yml 
@@ -1,16 +1,33 @@ name: GSuite Email Suspicious Attachment id: 6d663014-fe92-11eb-ab07-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious attachment file extensions in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, and .js. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. If confirmed malicious, this could lead to unauthorized code execution, data breaches, or further network infiltration. +description: The following analytic detects suspicious attachment file extensions + in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite + Gmail logs to identify emails with attachments having file extensions commonly associated + with malware, such as .exe, .bat, and .js. This activity is significant as these + file types are often used to deliver malicious payloads, posing a risk of compromising + targeted machines. If confirmed malicious, this could lead to unauthorized code + execution, data breaches, or further network infiltration. 
data_source: - G Suite Gmail -search: '`gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb", "sh", "bat", "exe", "dll", "cpl", "com", "js", "vbs", "ps1", "reg","swf", "cmd", "go") | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -known_false_positives: network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. 
+search: '`gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb", "sh", + "bat", "exe", "dll", "cpl", "com", "js", "vbs", "ps1", "reg","swf", "cmd", "go") + | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime + max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, + values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size + by destination{}.service num_message_attachments subject destination{}.address + source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `gsuite_email_suspicious_attachment_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to gsuite having the file attachment metadata like file type, file + extension, source email, destination email, num of attachment and etc. +known_false_positives: network admin and normal user may send this file attachment + as part of their day to day work. having a good protocol in attaching this file + type to an e-mail may reduce the risk of having a spear phishing attack. references: - https://www.redhat.com/en/topics/devops/what-is-devsecops drilldown_searches: 
@@ -19,47 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$destination{}.address$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious email from $source.address$ to $destination{}.address$ + risk_objects: + - field: destination{}.address + type: user + score: 49 + threat_objects: + - field: source.address + type: email_address tags: analytic_story: - Dev Sec Ops asset_type: GSuite - confidence: 70 - impact: 70 - message: Suspicious email from $source.address$ to $destination{}.address$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: source.address - type: Email Address - role: - - Attacker - - name: destination{}.address - type: Email Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - 
attachment{}.file_extension_type - - attachment{}.sha256 - - destination{}.service - - num_message_attachments - - payload_size - - subject - - destination{}.address - - source.address - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml index 3576d818d8..9a0e32f6bd 100644 --- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml +++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml 
@@ -1,16 +1,37 @@ name: Gsuite Email Suspicious Subject With Attachment id: 8ef3971e-00f2-11ec-b54f-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization's security. +description: The following analytic identifies Gsuite emails with suspicious subjects + and attachments commonly used in spear phishing attacks. It leverages Gsuite email + logs, focusing on specific keywords in the subject line and known malicious file + types in attachments. This activity is significant for a SOC as spear phishing is + a prevalent method for initial compromise, often leading to further malicious actions. + If confirmed malicious, this activity could result in unauthorized access, data + exfiltration, or further malware deployment, posing a significant risk to the organization's + security. 
data_source: - G Suite Gmail -search: '`gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") attachment{}.file_extension_type IN ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "rar", "html","htm","hta") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -known_false_positives: normal user or normal transaction may contain the subject and file type attachment that this detection try to search. 
+search: '`gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", + "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps + *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") attachment{}.file_extension_type + IN ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "rar", "html","htm","hta") + | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address + "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" + and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="medium" + | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) + as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) + as payload_size by destination{}.service num_message_attachments subject destination{}.address + source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `gsuite_email_suspicious_subject_with_attachment_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to gsuite having the file attachment metadata like file type, file + extension, source email, destination email, num of attachment and etc. +known_false_positives: normal user or normal transaction may contain the subject and + file type attachment that this detection try to search. references: - https://www.redhat.com/en/topics/devops/what-is-devsecops - https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks 
@@ -20,39 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$destination{}.address$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious email from $source.address$ to $destination{}.address$ + risk_objects: + - field: destination{}.address + type: user + score: 25 + threat_objects: + - field: source.address + type: email_address tags: analytic_story: - Dev Sec Ops asset_type: GSuite - confidence: 50 - impact: 50 - message: Suspicious email from $source.address$ to $destination{}.address$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: destination{}.address - type: Email Address - role: - - Victim - - name: source.address - type: Email Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml index c46a891b53..cc41adee08 100644 --- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml +++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml 
@@ -1,16 +1,32 @@ name: Gsuite Email With Known Abuse Web Service Link id: 8630aa22-042b-11ec-af39-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization. +description: The following analytic detects emails in Gsuite containing links to known + abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite + Gmail logs to identify emails with these specific domains in their links. This activity + is significant because these services are commonly used by attackers to deliver + malicious payloads. If confirmed malicious, this could lead to the delivery of malware, + phishing attacks, or other harmful activities, potentially compromising sensitive + information or systems within the organization. 
data_source: - G Suite Gmail -search: '`gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -known_false_positives: normal email contains this link that are known application within the organization or network can be catched by this detection. 
+search: '`gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me") + | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address + "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" + and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" + |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) + as lastTime count by is_spam source.address source.from_header_address subject destination{}.address + phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `gsuite_email_with_known_abuse_web_service_link_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to gsuite having the file attachment metadata like file type, file + extension, source email, destination email, num of attachment and etc. +known_false_positives: normal email contains this link that are known application + within the organization or network can be catched by this detection. references: - https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/ drilldown_searches: 
@@ -19,39 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$destination{}.address$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious email from $source.address$ to $destination{}.address$ + risk_objects: + - field: destination{}.address + type: user + score: 25 + threat_objects: + - field: source.address + type: email_address tags: analytic_story: - Dev Sec Ops asset_type: GSuite - confidence: 50 - impact: 50 - message: Suspicious email from $source.address$ to $destination{}.address$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: destination{}.address - type: Email Address - role: - - Victim - - name: source.address - type: Email Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml index 18550c4d68..e154a605f3 100644 --- a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml +++ b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml 
@@ -1,16 +1,33 @@ name: Gsuite Outbound Email With Attachment To External Domain id: dc4dc3a8-ff54-11eb-8bf7-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Teoderick Contreras, Stanislav Miskovic, Splunk status: production type: Hunting -description: The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations. +description: The following analytic detects outbound emails with attachments sent + from an internal email domain to an external domain. It leverages Gsuite Gmail logs, + parsing the source and destination email domains, and flags emails with fewer than + 20 outbound instances. This activity is significant as it may indicate potential + data exfiltration or insider threats. If confirmed malicious, an attacker could + use this method to exfiltrate sensitive information, leading to data breaches and + compliance violations. 
data_source: - G Suite Gmail -search: '`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -known_false_positives: network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. 
+search: '`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address + "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" + | where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com" + | eval phase="plan" | eval severity="low" | stats values(subject) as subject, values(source.from_header_address) + as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, + min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where + numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to gsuite having the file attachment metadata like file type, file + extension, source email, destination email, num of attachment and etc. +known_false_positives: network admin and normal user may send this file attachment + as part of their day to day work. having a good protocol in attaching this file + type to an e-mail may reduce the risk of having a spear phishing attack. references: - https://www.redhat.com/en/topics/devops/what-is-devsecops tags: 
@@ -18,38 +35,18 @@ tags: - Dev Sec Ops - Insider Threat asset_type: GSuite - confidence: 30 - impact: 30 - message: Suspicious email from $src_domain_list$ to $dest_domain$ mitre_attack_id: - T1048.003 - T1048 - observable: - - name: src_domain_list - type: Email Address - role: - - Victim - - name: dest_domain - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - source.from_header_address - - destination.address - - num_message_attachments - - dest_domain - - phase - - severity - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_suspicious_calendar_invite.yml b/detections/cloud/gsuite_suspicious_calendar_invite.yml index 7cdf511a80..07a34f409a 100644 --- a/detections/cloud/gsuite_suspicious_calendar_invite.yml +++ b/detections/cloud/gsuite_suspicious_calendar_invite.yml 
@@ -1,15 +1,32 @@ name: Gsuite suspicious calendar invite id: 03cdd68a-34fb-11ec-9bd3-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Teoderick Contreras status: experimental type: Hunting -description: The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization. +description: The following analytic detects suspicious calendar invites sent via GSuite, + potentially indicating compromised accounts or malicious internal activity. It leverages + GSuite calendar logs, focusing on events where a high volume of invites (over 100) + is sent within a 5-minute window. This behavior is significant as it may involve + the distribution of malicious links or attachments, posing a security risk. If confirmed + malicious, this activity could lead to widespread phishing attacks, unauthorized + access, or malware distribution within the organization. data_source: [] -search: '`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email="*yourdomain.com"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`' -how_to_implement: In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. 
This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. -known_false_positives: This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter. +search: '`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null + email="*yourdomain.com"| stats count values(target_calendar_id) values(event_title) + values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`' +how_to_implement: In order to successfully implement this search, you need to be ingesting + logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like + file type, source owner, destination target user, description, etc. This search + can also be made more specific by selecting specific emails, subdomains timeframe, + organizational units, targeted user, etc. In order for the search to work for your + environment please update `yourdomain.com` value in the query with the domain relavant + for your organization. +known_false_positives: This search will also produce normal activity statistics. Fields + such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id + and parameters.event_title may give away phishing intent.For more specific results + use email parameter. references: - https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/ - https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/ 
@@ -17,25 +34,10 @@ tags: analytic_story: - Spearphishing Attachments asset_type: GSuite - confidence: 50 - impact: 50 - message: Gsuite suspicious calendar invite sent by $email$ mitre_attack_id: - T1566 - observable: - - name: email - type: Email Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - email - - parameters.event_title - - parameters.target_calendar_id - - parameters.event_title - risk_score: 25 security_domain: threat diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml index dab42e8b75..1081e01e57 100644 --- a/detections/cloud/gsuite_suspicious_shared_file_name.yml +++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml 
@@ -1,16 +1,37 @@ name: Gsuite Suspicious Shared File Name id: 07eed200-03f5-11ec-98fb-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like "dhl," "ups," "invoice," and "shipment." This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system. +description: The following analytic detects shared files in Google Drive with suspicious + filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs + to identify documents with titles that include keywords like "dhl," "ups," "invoice," + and "shipment." This activity is significant because such filenames are often used + to lure users into opening malicious documents or clicking harmful links. If confirmed + malicious, this activity could lead to unauthorized access, data theft, or further + compromise of the user's system. 
data_source: - G Suite Drive -search: '`gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet", "presentation") | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex field=parameters.target_user "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. 
-known_false_positives: normal user or normal transaction may contain the subject and file type attachment that this detection try to search +search: '`gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" + IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", + "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", + "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet", + "presentation") | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex + field=parameters.target_user "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" + and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" + | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner + parameters.target_user parameters.doc_title parameters.doc_type phase severity | + rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `gsuite_suspicious_shared_file_name_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs related to gsuite having the file attachment metadata like file type, file + extension, source email, destination email, num of attachment and etc. In order + for the search to work for your environment, please edit the query to use your company + specific email domain instead of `internal_test_email.com`. +known_false_positives: normal user or normal transaction may contain the subject and + file type attachment that this detection try to search references: - https://www.redhat.com/en/topics/devops/what-is-devsecops - https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks 
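Review bot: the rewrapped `search` still carries `"*shipment*"` twice in the `IN (...)` list; drop the second copy. More importantly, as rendered here both `rex` expressions read `"[^@]+@(?[^@]+)"` with no group name, so `source_domain` and `dest_domain`, the fields tested by the following `where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"`, would never be populated and the domain filter would silently discard every event; if the diff viewer stripped the angle brackets of the named captures, disregard, otherwise restore them. Also `version` jumps from 3 to 5 while every sibling detection in this change bumps by one; confirm the skipped 4 is intentional.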
@@ -20,46 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$email$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ + risk_objects: + - field: email + type: user + score: 21 + - field: parameters.owner + type: user + score: 21 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: GSuite - confidence: 70 - impact: 30 - message: suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: parameters.owner - type: User - role: - - Attacker - - name: email - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - parameters.doc_title - - src_domain - - dest_domain - - email - - 
parameters.visibility - - parameters.owner - - parameters.doc_type - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log source: http:gsuite sourcetype: gsuite:drive:json diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml index 60042df478..a42e10bb7f 100644 --- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml +++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml 
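Review bot: the new `rba` block registers `parameters.owner` as a `user` risk object (score 21) and leaves `threat_objects: []`, but the removed `observable` entry modelled the owner as the `Attacker`, and the search's domain filter selects owners whose domain is not the company domain. Accruing risk score to an external address that is not an identity of the tenant makes the risk index noisier rather than more useful; consider moving `parameters.owner` to `threat_objects` so the semantics match the previous role mapping, or add a comment explaining why both sides should carry risk.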
@@ -1,16 +1,31 @@ name: High Number of Login Failures from a single source id: 7f398cfb-918d-41f4-8db8-2e2474e02222 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: Anomaly -description: The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account. +description: The following analytic detects multiple failed login attempts in Office365 + Azure Active Directory from a single source IP address. It leverages Office365 management + activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these + logs in 5-minute intervals to count failed login attempts. This activity is significant + as it may indicate brute-force attacks or password spraying, which are critical + to monitor. If confirmed malicious, an attacker could gain unauthorized access to + Office365 accounts, leading to potential data breaches, lateral movement within + the organization, or further malicious activities using the compromised account. 
data_source: - O365 UserLoginFailed -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold. -known_false_positives: An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) + AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) + as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts + > 10 | `high_number_of_login_failures_from_a_single_source_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. Adjust the threshold value to suit the specific + environment, as environments with naturally higher login failures might generate + false positives at a lower threshold. +known_false_positives: An Ip address with more than 10 failed authentication attempts + in the span of 5 minutes may also be triggered by a broken application. references: - https://attack.mitre.org/techniques/T1110/001/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray 
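Review bot: `known_false_positives` reads `An Ip address`; use `IP` for consistency with `src_ip` and the rest of the file. While touching that text, `how_to_implement` tells operators to "adjust the threshold value" without saying where it lives; name the `where failed_attempts > 10` clause (and the `bucket span=5m` window) so the tuning point is explicit.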
@@ -22,49 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute mitre_attack_id: - T1110.001 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - record_type - - app - - user - - LogonError - - authentication_method - - signature - - 
UserAgent - - src_ip - - record_type - risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml index 690001002c..39721c6b12 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml 
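Review bot: the `rba.message` ends mid-phrase, `failed to authenticate more than 10 times in a 5 minute` (carried over verbatim from the removed `tags.message`); complete it, e.g. `... in a 5 minute window`. Note also that the `user` risk object is fed by `values(user) as user` in the search, so for a spray across many accounts the field is multivalued and every account in the bucket receives score 25; that is probably the intent for this analytic story but deserves a comment, since the score is now the only place that expresses it.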
@@ -1,15 +1,37 @@ name: Kubernetes Abuse of Secret by Unusual Location id: 40a064c1-4ec1-4381-9e35-61192ba8ef82 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests by country. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data. +description: The following analytic detects unauthorized access or misuse of Kubernetes + Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests by country. This activity + is significant for a SOC as Kubernetes Secrets store sensitive information like + passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed + malicious, this behavior could indicate an attacker attempting to exfiltrate or + misuse these secrets, potentially leading to unauthorized access to sensitive systems + or data. 
data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. 
+search: '`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} + | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name + objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code + sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country + | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
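Review bot: `known_false_positives: unknown` is uninformative for a detection whose whole decision is `search NOT `kube_allowed_locations``: any `get` of a secret from a country absent from that macro will alert, so legitimate access from a newly used region or a new egress point will fire until the macro is updated. State that here and tell operators to maintain the macro; the same wording gap exists in the sibling user-agent and user-group detections below, which key on `kube_allowed_user_agents` and `kube_allowed_user_groups` in the same way.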
@@ -19,51 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ + by $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$ mitre_attack_id: - T1552.007 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - objectRef.resource - - verb - - objectRef.name - - objectRef.namespace - - requestReceivedTimestamp - - 
requestURI - - responseStatus.code - - sourceIPs{} - - stage - - user.groups{} - - user.uid - - user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml index 2708207fdf..78129f9a70 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml 
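Review bot: the `rba.message` interpolates `$Country$`, but the search runs `| iplocation sourceIPs{} | fillnull` with no field list, so for a source IP that `iplocation` cannot resolve (private cluster addresses, for instance) `Country` is filled with `0` and the alert will read "from unusual location 0". Either restrict `fillnull` to the fields that need it or give `Country` a readable default such as `unknown` before it reaches the message and the allow-list macro.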
@@ -1,15 +1,37 @@ name: Kubernetes Abuse of Secret by Unusual User Agent id: 096ab390-05ca-462c-884e-343acd5b9240 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user agents. This activity is significant for a SOC because Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of critical information. +description: The following analytic detects unauthorized access or misuse of Kubernetes + Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests based on user agents. This + activity is significant for a SOC because Kubernetes Secrets store sensitive information + like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed + malicious, this activity could lead to unauthorized access to sensitive systems + or data, potentially resulting in significant security breaches and exfiltration + of critical information. 
data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. 
+search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` + | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource + requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} + user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username + as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,51 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ + by $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$ mitre_attack_id: - T1552.007 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - objectRef.resource - - verb - - objectRef.name - - objectRef.namespace - - requestReceivedTimestamp 
- - requestURI - - responseStatus.code - - sourceIPs{} - - stage - - user.groups{} - - user.uid - - user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml index 2bea11aa69..012d36f2bd 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Abuse of Secret by Unusual User Group id: b6f45bbc-4ea9-4068-b3bc-0477f6997ae2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests and user groups. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data. +description: The following analytic detects unauthorized access or misuse of Kubernetes + Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests and user groups. This activity + is significant for a SOC as Kubernetes Secrets store sensitive information like + passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could + indicate an attacker attempting to exfiltrate or misuse these secrets, potentially + leading to unauthorized access to sensitive systems or data. data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. 
Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` + | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource + requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} + user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username + as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. 
This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,51 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ + by user name $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$ mitre_attack_id: - T1552.007 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - objectRef.resource - - verb - - objectRef.name - - objectRef.namespace 
- - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - stage - - user.groups{} - - user.uid - - user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml index 19d9174b1a..942b5cccdd 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml 
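Review bot: `message: Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$` interpolates an array field. Kubernetes audit events carry user.groups as a list, and system:authenticated is normally present next to the group that actually matters, so unless the stats clause of this search already splits user.groups{} into one row per value, the risk message will show the whole list (or the default group rather than the unusual one). Please confirm the search does that split, as the sibling unusual-user-name search in this patch does with its `stats count by ... user.groups{} ...`. The rest of the hunk is a faithful migration: score 49 equals the removed confidence 70 x impact 70 / 100.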
@@ -1,15 +1,37 @@ name: Kubernetes Abuse of Secret by Unusual User Name id: df6e9cae-5257-4a34-8f3a-df49fa0f5c46 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information. +description: The following analytic detects unauthorized access or misuse of Kubernetes + Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests based on user names. This + activity is significant for a SOC as Kubernetes Secrets store sensitive information + like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed + malicious, this activity could lead to unauthorized access to sensitive systems + or data, potentially resulting in significant security breaches and exfiltration + of sensitive information. 
data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` + | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource + requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} + user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username + as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. 
Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
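Review bot: `known_false_positives: unknown` undersells what the search itself tells us. The only allowlist is the `kube_allowed_user_names` macro applied with `search NOT`, so any legitimate principal that is not yet in that macro (a newly created service account, a CI identity, a controller) fires this anomaly, and the macro has to be populated per cluster before the score means anything; that belongs in known_false_positives and in how_to_implement rather than "unknown". Separately, `objectRef.resource=secrets verb=get` matches only single-object reads; `list` (and `watch`) on secrets return the same data in bulk and are not matched, which the description should state if the narrower scope is intentional.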
@@ -19,51 +41,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ mitre_attack_id: - T1552.007 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - objectRef.resource - - verb - - objectRef.name - - objectRef.namespace - - requestReceivedTimestamp - - requestURI - - 
responseStatus.code - - sourceIPs{} - - stage - - user.groups{} - - user.uid - - user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml index 9a518a2606..bea29f7af3 100644 --- a/detections/cloud/kubernetes_access_scanning.yml +++ b/detections/cloud/kubernetes_access_scanning.yml 
@@ -1,15 +1,39 @@ name: Kubernetes Access Scanning id: 2f4abe6d-5991-464d-8216-f90f42999764 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes audit logs for repeated failed access attempts or unusual API requests. This activity is significant for a SOC as it may indicate an attacker's preliminary reconnaissance to gather information about the system. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, posing a severe security risk. +description: The following analytic detects potential scanning activities within a + Kubernetes environment. It identifies unauthorized access attempts, probing of public + APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes audit + logs for repeated failed access attempts or unusual API requests. This activity + is significant for a SOC as it may indicate an attacker's preliminary reconnaissance + to gather information about the system. If confirmed malicious, this activity could + lead to unauthorized access to sensitive systems or data, posing a severe security + risk. 
data_source: - Kubernetes Audit -search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. 
+search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 + | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) + as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) + as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) + as responseStatus.message values(responseStatus.reason) as responseStatus.reason + values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City + | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,48 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes scanning from ip $src_ip$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes scanning from ip $src_ip$ mitre_attack_id: - T1046 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - verb - - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - user.groups{} - - user.username - - userAgent - - verb - - responseStatus.reason - - responseStatus.status - risk_score: 
49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml index 47a0a09794..8f317e2b2a 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml 
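Review bot: the risk object in this hunk does not match what the search produces. The search keeps only events with user.groups{}=system:unauthenticated, and the API server attributes those requests to the fixed identity system:anonymous, so `field: user` carries the same pseudo-user for every source and all scanning risk collapses onto one object, while the message (`Kubernetes scanning from ip $src_ip$`) is keyed on the source address. Consider whether src_ip should be the risk object here, with user kept only if it adds anything; as written the drilldown "View risk events for the last 7 days for $user$" will also always resolve to the same anonymous identity.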
@@ -1,44 +1,63 @@ name: Kubernetes Anomalous Inbound Network Activity from Process id: 10442d8b-0701-4c25-911d-d67b906e713c -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise. +description: The following analytic identifies anomalous inbound network traffic volumes + from processes within containerized workloads. It leverages Network Performance + Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability + Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, + udp.bytes, udp.packets) over the last hour with the average over the past 30 days. + This activity is significant as it may indicate unauthorized data reception, potential + breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, + it could lead to command and control installation, data integrity damage, container + escape, and further environment compromise. 
data_source: [] -search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index - - * Metric Resolution 10000' +search: "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` + AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s + | eval key='dest.workload.name' + \":\" + 'dest.process.name' | join type=left key + [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* + avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h + by dest.workload.name dest.process.name | eval key='dest.workload.name' + \":\" + + 'dest.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies + =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' + ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\"\ + \ + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \"\ + ,\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count + values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name + | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter`" +how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster + and enable Network Performance Monitoring according to instructions found in Splunk + Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup + In order to access those metrics from within Splunk Enterprise and ES, the Splunk + Infrastructure Monitoring add-on must be installed and configured on a Splunk Search + Head. 
Once installed, first configure the add-on with your O11y Cloud Org ID and + Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the + following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n + * Metric Resolution 10000" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes + cluster $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - tcp.* - - udp.* - - k8s.cluster.name - - dest.process.name - - dest.workload.name - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml index 4abba838f5..ea8dec6fb9 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml 
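Review bot: the reflowed search keeps a pre-existing defect in the baseline subsearch: `stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.*` computes the UDP "standard deviation" columns with avg(), so for udp.bytes and udp.packets the threshold is avg + 3*avg rather than avg + 3*stdev, and the "higher than average by N Standard Deviations" text is wrong for UDP. It should read `stdev(udp.*) as stdev_udp.*`; since the string is being rewritten into double-quoted YAML anyway, this is the moment to fix it and give the version bump a reason beyond formatting. Also the how_to_implement opening, "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster", is missing its verb (deploy the OpenTelemetry Collector to the cluster).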
@@ -1,62 +1,70 @@ name: Kubernetes Anomalous Inbound Outbound Network IO id: 4f3b0c97-657e-4547-a89a-9a50c656e3cd -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies high inbound or outbound network I/O anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup table with average and standard deviation values for network I/O is used to detect anomalies persisting over a 1-hour period. This activity is significant as it may indicate data exfiltration, command and control communication, or unauthorized data transfers. If confirmed malicious, it could lead to data breaches, service outages, financial losses, and reputational damage. +description: The following analytic identifies high inbound or outbound network I/O + anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector + and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup + table with average and standard deviation values for network I/O is used to detect + anomalies persisting over a 1-hour period. This activity is significant as it may + indicate data exfiltration, command and control communication, or unauthorized data + transfers. If confirmed malicious, it could lead to data breaches, service outages, + financial losses, and reputational damage. 
data_source: [] -search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace(''k8s.pod.name'', "-\w{5}$$|-[abcdef0-9]{8,10}-\w{5}$$", "") | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = ''k8s.cluster.name'' + ":" + ''service'' | lookup k8s_container_network_io_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_io_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name + k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', + \"-\\w{5}$$|-[abcdef0-9]{8,10}-\\w{5}$$\", \"\") | stats avg(eval(if(direction=\"\ + transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\"\ + , io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name + service _time | eval key = 'k8s.cluster.name' + \":\" + 'service' | lookup k8s_container_network_io_baseline + key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' + > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher + than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' + ,2)) + \" Standard Deviations. 
<>=\" + tostring('<>') + \" avg_<>=\"\ + \ + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$$\", \"\") + | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name + k8s.node.name k8s.pod.name service | rename service as k8s.service | where count + > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_io_filter`" +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. 
Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Anomalous Inbound Outbound Network IO from container on host + $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.pod.network.io - - direction - - k8s.cluster.name - - k8s.node.name - - k8s.pod.name - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml index 27a409f186..a599e3bc87 100644 
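Review bot: how_to_implement in this file describes a different data pipeline from the one the search uses. The search reads `k8s.pod.network.io` (a Kubelet Stats Receiver metric, as the description says), yet the instructions enable the hostmetrics/process receiver, name the input sim_process_metrics_to_metrics_index and supply a SignalFlow program that publishes only process.* metrics (and publishes process.threads and process.cpu.utilization twice, under labels A/K and B/H); none of that delivers k8s.pod.network.io, so a reader following the steps gets no data. The last step also points to "Baseline Of Kubernetes Container Network IO Ratio" while the lookup in this search is `k8s_container_network_io_baseline`, the non-ratio baseline. Since the block is being folded anyway, please replace it with the kubelet-stats instructions and the correct baseline search name, and `data_source: []` could name the source at the same time.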
--- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml 
@@ -1,62 +1,73 @@ name: Kubernetes Anomalous Inbound to Outbound Network IO Ratio id: 9d8f6e3f-39df-46d8-a9d4-96173edc501f -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies significant changes in network communication behavior within Kubernetes containers by examining the inbound to outbound network IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. Anomalies are detected using a lookup table containing average and standard deviation values for network IO, triggering an event if the anomaly persists for over an hour. This activity is significant as it may indicate data exfiltration, command and control communication, or compromised container behavior. If confirmed malicious, it could lead to data breaches, service outages, and unauthorized access within the Kubernetes cluster. +description: The following analytic identifies significant changes in network communication + behavior within Kubernetes containers by examining the inbound to outbound network + IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats + Receiver, along with data from Splunk Observability Cloud. Anomalies are detected + using a lookup table containing average and standard deviation values for network + IO, triggering an event if the anomaly persists for over an hour. This activity + is significant as it may indicate data exfiltration, command and control communication, + or compromised container behavior. If confirmed malicious, it could lead to data + breaches, service outages, and unauthorized access within the Kubernetes cluster. 
data_source: [] -search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace(''k8s.pod.name'', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") | eval key = ''k8s.cluster.name'' + ":" + ''service'' | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> ratio higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 
- - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name + k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', + \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io + avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key service + k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io + | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io + | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = \"\" | foreach + stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), + anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' + - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. 
<>=\"\ + \ + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) + ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\"\ + \ | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name + k8s.pod.name service | rename service as k8s.service | where count > 5 | rename + k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`" +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. 
Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container + on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.pod.network.io - - direction - - k8s.cluster.name - - k8s.node.name - - k8s.pod.name - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml index 73183c00cc..68a3d00d76 100644 
--- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml 
@@ -1,45 +1,64 @@ name: Kubernetes Anomalous Outbound Network Activity from Process id: dd6afee6-e0a3-4028-a089-f47dd2842c22 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies anomalously high outbound network activity from processes running within containerized workloads in a Kubernetes environment. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average metrics over the past 30 days. This activity is significant as it may indicate data exfiltration, process modification, or container compromise. If confirmed malicious, it could lead to unauthorized data exfiltration, communication with malicious entities, or further attacks within the containerized environment. +description: The following analytic identifies anomalously high outbound network activity + from processes running within containerized workloads in a Kubernetes environment. + It leverages Network Performance Monitoring metrics collected via an OTEL collector + and pulled from Splunk Observability Cloud. The detection compares recent network + metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the + last hour with the average metrics over the past 30 days. This activity is significant + as it may indicate data exfiltration, process modification, or container compromise. + If confirmed malicious, it could lead to unauthorized data exfiltration, communication + with malicious entities, or further attacks within the containerized environment. 
data_source: [] -search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key=''source.workload.name'' + ":" + ''source.process.name'' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key=''source.workload.name'' + ":" + ''source.process.name'' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index - - * Metric Resolution 10000' +search: "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` + AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s + | eval key='source.workload.name' + \":\" + 'source.process.name' | join type=left + key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* + avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h + by source.workload.name source.process.name | eval key='source.workload.name' + + \":\" + 'source.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval + anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), + anomalies + \"<> higher than average by \" + tostring(round(('<>' + - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\"\ + \ + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) + ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\"\ + , \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) + as anomalies by k8s.cluster.name source.workload.name source.process.name | where + count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`" +how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster + and enable Network Performance Monitoring according to instructions found in Splunk + Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup + In order to access those metrics from within Splunk Enterprise and ES, the Splunk + Infrastructure Monitoring add-on must be installed and configured on a Splunk Search + Head. 
Once installed, first configure the add-on with your O11y Cloud Org ID and + Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the + following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n + * Metric Resolution 10000" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes + cluster $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - tcp.* - - udp.* - - k8s.cluster.name - - source.workload.name - - dest.workload.name - - udp.packets - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml index 0e0076f2f3..866e0d177b 100644 --- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml +++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml 
@@ -1,45 +1,63 @@ name: Kubernetes Anomalous Traffic on Network Edge id: 886c7e51-2ea1-425d-8705-faaca5a64cc6 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies anomalous network traffic volumes between Kubernetes workloads or between a workload and external sources. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days to identify significant deviations. This activity is significant as unexpected spikes may indicate unauthorized data transfers or lateral movement. If confirmed malicious, it could lead to data exfiltration or compromise of additional services, potentially resulting in data breaches. +description: The following analytic identifies anomalous network traffic volumes between + Kubernetes workloads or between a workload and external sources. It leverages Network + Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk + Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, + tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the + past 30 days to identify significant deviations. This activity is significant as + unexpected spikes may indicate unauthorized data transfers or lateral movement. + If confirmed malicious, it could lead to data exfiltration or compromise of additional + services, potentially resulting in data breaches. 
data_source: [] -search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index - - * Metric Resolution 10000' +search: "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` + AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s + | eval key='source.workload.name' + \":\" + 'dest.workload.name' | join type=left + key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* + avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h + by source.workload.name dest.workload.name | eval key='source.workload.name' + \"\ + :\" + 'dest.workload.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies + =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' + ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\"\ + \ + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \"\ + ,\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count + values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name + | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host + | `kubernetes_anomalous_traffic_on_network_edge_filter`" +how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster + and enable Network Performance Monitoring according to instructions found in Splunk + Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup + In order to access those metrics from within Splunk Enterprise and ES, the Splunk + Infrastructure Monitoring add-on must be installed and configured on a Splunk Search + Head. 
Once installed, first configure the add-on with your O11y Cloud Org ID and + Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the + following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n + * Metric Resolution 10000" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - tcp.* - - udp.* - - k8s.cluster.name - - source.workload.name - - dest.workload.name - - udp.packets - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml index 857ba3304f..b7e9367380 100644 --- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml +++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml 
@@ -1,47 +1,53 @@ name: Kubernetes AWS detect suspicious kubectl calls id: 042a3d32-8318-4763-9679-09db2644a8f2 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rod Soto, Patrick Bareiss, Splunk status: experimental type: Anomaly -description: The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from `kube_audit` logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk. +description: The following analytic detects anonymous and unauthenticated requests + to a Kubernetes cluster. It identifies this behavior by monitoring API calls from + users who have not provided any token or password in their request, using data from + `kube_audit` logs. This activity is significant for a SOC as it indicates a severe + misconfiguration, allowing unfettered access to the cluster with no traceability. + If confirmed malicious, an attacker could gain access to sensitive data or control + over the cluster, posing a substantial security risk. data_source: - Kubernetes Audit -search: '`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. -known_false_positives: Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets +search: '`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") + | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource + requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} + user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username + as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. 
This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +known_false_positives: Kubectl calls are not malicious by nature. However source IP, + verb and Object can reveal potential malicious activity, specially anonymous suspicious + IPs and sensitive objects such as configmaps or secrets references: [] +rba: + message: Suspicious kubectl API calls from $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - objectRef.resource - - verb - - objectRef.name - - objectRef.namespace - - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - stage - - user.groups{} - - user.uid - - user.username - - userAgent - - verb - risk_score: 25 security_domain: threat diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml index 5ce9e74632..84dc9bb782 100644 --- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml +++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Create or Update Privileged Pod id: 3c6bd734-334d-4818-ae7c-5234313fc5da -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation or update of privileged pods in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for pod configurations that include root privileges. This behavior is significant for a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, data breaches, and service disruptions, posing a severe threat to the environment. +description: The following analytic detects the creation or update of privileged pods + in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for + pod configurations that include root privileges. This behavior is significant for + a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, + and gain full access to the host's namespace and devices. If confirmed malicious, + this activity could lead to unauthorized access to sensitive information, data breaches, + and service disruptions, posing a severe threat to the environment. 
data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"privileged\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. 
+search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"privileged\":true* + | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name + objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} + stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration + | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,51 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes privileged pod created by user $user$. + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes privileged pod created by user $user$. 
mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.type - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent - - verb - - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml index 178ab06275..c1e6ebd4dd 100644 --- a/detections/cloud/kubernetes_cron_job_creation.yml +++ b/detections/cloud/kubernetes_cron_job_creation.yml 
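Review bot: `mitre_attack_id` still maps privileged pod creation to T1204 (User Execution), which covers a user running attacker-supplied content rather than the act of deploying a container; since this change bumps `version` to 4 anyway, T1610 (Deploy Container) and, given the host access a privileged pod grants, T1611 (Escape to Host) are the closer techniques. The new `rba` block is otherwise consistent with what it replaces: `score: 49` equals the removed `confidence: 70` times `impact: 70` divided by 100, and the former `user` (Victim) and `src_ip` (Attacker) observables carry over as the `user` risk object and `ip_address` threat object.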
@@ -1,15 +1,36 @@ name: Kubernetes Cron Job Creation id: 5984dbe8-572f-47d7-9251-3dff6c3f0c0d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a Kubernetes cron job, which is a task scheduled to run automatically at specified intervals. It identifies this activity by monitoring Kubernetes Audit logs for the creation events of cron jobs. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. +description: The following analytic detects the creation of a Kubernetes cron job, + which is a task scheduled to run automatically at specified intervals. It identifies + this activity by monitoring Kubernetes Audit logs for the creation events of cron + jobs. This behavior is significant for a SOC as it could allow an attacker to execute + malicious tasks repeatedly and automatically, posing a threat to the Kubernetes + infrastructure. If confirmed malicious, this activity could lead to persistent attacks, + service disruptions, or unauthorized access to sensitive information. data_source: - Kubernetes Audit -search: '`kube_audit` verb=create "objectRef.resource"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. 
Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` verb=create "objectRef.resource"=cronjobs | fillnull | stats + count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace + objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image + responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} + as src_ip, user.username as user | `kubernetes_cron_job_creation_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. 
This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
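Review bot: `known_false_positives: unknown` understates what `verb=create "objectRef.resource"=cronjobs` will surface: CronJob creation is routine for operators, Helm releases and CI/CD pipelines, so the field should name those sources and point at `kubernetes_cron_job_creation_filter` as the place to exclude known deployer service accounts and namespaces. The `stats ... by` clause already exposes `user.username`, `objectRef.namespace` and `requestObject.spec.jobTemplate.spec.template.spec.containers{}.image`, which is exactly what an analyst needs to build that allow-list, so the guidance costs nothing to add.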
@@ -19,51 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes cron job creation from user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes cron job creation from user $user$ mitre_attack_id: - T1053.007 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.schedule - - 
requestObject.spec.jobTemplate.spec.template.spec.containers{}.image - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml index 4e9384e1b1..306972a79a 100644 --- a/detections/cloud/kubernetes_daemonset_deployed.yml +++ b/detections/cloud/kubernetes_daemonset_deployed.yml 
@@ -1,15 +1,35 @@ name: Kubernetes DaemonSet Deployed id: bf39c3a3-b191-4d42-8738-9d9797bd0c3a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. This behavior is identified by monitoring Kubernetes Audit logs for the creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, making them a potential vector for persistent access. This activity is significant for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes infrastructure. If confirmed malicious, it could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. +description: The following analytic detects the creation of a DaemonSet in a Kubernetes + cluster. This behavior is identified by monitoring Kubernetes Audit logs for the + creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, + making them a potential vector for persistent access. This activity is significant + for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes + infrastructure. If confirmed malicious, it could lead to persistent attacks, service + disruptions, or unauthorized access to sensitive information. data_source: - Kubernetes Audit -search: '`kube_audit` "objectRef.resource"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` "objectRef.resource"=daemonsets verb=create | fillnull | stats + count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace + objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username + userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. 
+ When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,49 +39,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: DaemonSet deployed to Kubernetes by user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: DaemonSet deployed to Kubernetes by user $user$ mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - 
userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml index 6f1f7714bc..f8bb7f8eda 100644 --- a/detections/cloud/kubernetes_falco_shell_spawned.yml +++ b/detections/cloud/kubernetes_falco_shell_spawned.yml 
@@ -1,15 +1,35 @@ name: Kubernetes Falco Shell Spawned id: d2feef92-d54a-4a19-8306-b47c6ceba5b2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects instances where a shell is spawned within a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment and flags when a shell is spawned. This activity is significant for a SOC as it may indicate unauthorized access, allowing an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges. If confirmed malicious, this could lead to data breaches, service disruptions, or unauthorized access to sensitive information, severely impacting the Kubernetes infrastructure's integrity and security. +description: The following analytic detects instances where a shell is spawned within + a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, + this analytic monitors system calls within the Kubernetes environment and flags + when a shell is spawned. This activity is significant for a SOC as it may indicate + unauthorized access, allowing an attacker to execute arbitrary commands, manipulate + container processes, or escalate privileges. If confirmed malicious, this could + lead to data breaches, service disruptions, or unauthorized access to sensitive + information, severely impacting the Kubernetes infrastructure's integrity and security. data_source: - Kubernetes Falco -search: '`kube_container_falco` "A shell was spawned in a container" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_container_falco` "A shell was spawned in a container" | fillnull | + stats count by container_image container_image_tag container_name parent proc_exepath + process user | `kubernetes_falco_shell_spawned_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. 
+ Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
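Review bot: `how_to_implement` describes enabling Kubernetes audit logging and collecting the audit log file, but this detection's `data_source` is `Kubernetes Falco` and the `search` reads `kube_container_falco` events for the string "A shell was spawned in a container", which never appears in API server audit logs. Since the scalar is being rewritten here anyway, replace it with the Falco setup (run Falco in the cluster, ship its container output through the Splunk OpenTelemetry Collector for Kubernetes, and confirm the `kube_container_falco` macro resolves to that sourcetype). The `references` entry pointing at the Kubernetes audit documentation has the same mismatch.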
@@ -19,40 +39,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A shell is spawned in the container $container_name$ by user $user$. + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: A shell is spawned in the container $container_name$ by user $user$. 
mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - container_image - - container_image_tag - - container_name - - parent - - proc_exepath - - process - - user - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log sourcetype: kube:container:falco source: kubernetes diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml index 13fce7809a..35973950d4 100644 --- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml 
@@ -1,43 +1,53 @@ name: Kubernetes newly seen TCP edge id: 13f081d6-7052-428a-bbb0-892c79ca7c65 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality. +description: The following analytic identifies newly seen TCP communication between + source and destination workload pairs within a Kubernetes cluster. It leverages + Network Performance Monitoring metrics collected via an OTEL collector and pulled + from Splunk Observability Cloud. The detection compares network activity over the + last hour with the past 30 days to spot new inter-workload communications. This + is significant as new connections can indicate changes in application behavior or + potential security threats. If malicious, unauthorized connections could lead to + data breaches, privilege escalation, lateral movement, or disruption of critical + services, compromising the application's integrity, availability, and confidentiality. 
data_source: [] -search: '| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index - - * Metric Resolution 10000' +search: '| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` + AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval + current="True" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` + AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" + ] | eventstats values(current) as current by source.workload.name dest.workload.name + | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`' +how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster + and enable Network Performance Monitoring according to instructions found in Splunk + Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup + In order to access those metrics from within Splunk Enterprise and ES, the Splunk + Infrastructure Monitoring add-on must be installed and configured on a Splunk Search + Head. Once installed, first configure the add-on with your O11y Cloud Org ID and + Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the + following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n + * Metric Resolution 10000" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes newly seen TCP edge in kubernetes cluster $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes newly seen TCP edge in kubernetes cluster $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.cluster.name - - source.workload.name - - dest.workload.name - - tcp.packets - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml index ca3826ab0f..f8a84004f6 100644 --- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml 
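Review bot: In the `search` line the baseline subsearch (`mstats ... earliest=-30d latest=-1h by source.workload.name dest.workload.name`) and the `eventstats values(current) as current by source.workload.name dest.workload.name` both omit `k8s.cluster.name`, while the current-hour `mstats` groups by it. An edge is therefore treated as already seen if the same workload-name pair communicated in any cluster during the last 30 days, so a pair that is genuinely new in one cluster is suppressed whenever another cluster has the same pair. Add `k8s.cluster.name` to both `by` clauses if cluster-scoped novelty is intended. Two smaller points on lines this hunk touches: `how_to_implement` is missing its verb ("To gather NPM metrics the Open Telemetry to the Kubernetes Cluster ..." should read "deploy the OpenTelemetry Collector to the Kubernetes cluster"), and `eval current="True"` versus `search current="true"` should use one spelling even though the search match is case-insensitive.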
@@ -1,43 +1,53 @@ name: Kubernetes newly seen UDP edge id: 49b7daca-4e3c-4899-ba15-9a175e056fa9 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services. +description: The following analytic detects UDP communication between a newly seen + source and destination workload pair within a Kubernetes cluster. It leverages Network + Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk + Observability Cloud. This detection compares network activity over the last hour + with the past 30 days to identify new inter-workload communication. Such changes + in network behavior can indicate potential security threats or anomalies. If confirmed + malicious, unauthorized connections may enable attackers to infiltrate the application + ecosystem, leading to data breaches, privilege escalation, lateral movement, or + disruption of critical services. 
data_source: [] -search: '| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index - - * Metric Resolution 10000' +search: '| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` + AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval + current="True" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` + AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" + ] | eventstats values(current) as current by source.workload.name dest.workload.name + | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`' +how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster + and enable Network Performance Monitoring according to instructions found in Splunk + Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup + In order to access those metrics from within Splunk Enterprise and ES, the Splunk + Infrastructure Monitoring add-on must be installed and configured on a Splunk Search + Head. Once installed, first configure the add-on with your O11y Cloud Org ID and + Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the + following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n + * Metric Resolution 10000" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes newly seen UDP edge in kubernetes cluster $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes newly seen UDP edge in kubernetes cluster $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.cluster.name - - source.workload.name - - dest.workload.name - - udp.packets - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml index 52b172d819..ab82e870f5 100644 --- a/detections/cloud/kubernetes_nginx_ingress_lfi.yml +++ b/detections/cloud/kubernetes_nginx_ingress_lfi.yml 
@@ -1,13 +1,26 @@ name: Kubernetes Nginx Ingress LFI id: 0f83244b-425b-4528-83db-7a88c5f66e48 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. +description: The following analytic detects local file inclusion (LFI) attacks targeting + Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields + such as `request` and `status` to identify suspicious patterns indicative of LFI + attempts. This activity is significant because LFI attacks can allow attackers to + read sensitive files from the server, potentially exposing critical information. + If confirmed malicious, this could lead to unauthorized access to sensitive data, + further exploitation, and potential compromise of the Kubernetes environment. 
data_source: [] -search: '`kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request "^(?\S+)\s(?\S+)\s" | eval phase="operate" | eval severity="high" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`' +search: '`kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" + | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as + proxy | rex field=request "^(?\S+)\s(?\S+)\s" | eval phase="operate" + | eval severity="high" | stats count min(_time) as firstTime max(_time) as lastTime + by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, + request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request + OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `kubernetes_nginx_ingress_lfi_filter`' how_to_implement: You must ingest Kubernetes logs through Splunk Connect for Kubernetes. known_false_positives: unknown references: 
@@ -19,38 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Local File Inclusion Attack detected on $host$ + risk_objects: + - field: host + type: system + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Dev Sec Ops asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Local File Inclusion Attack detected on $host$ mitre_attack_id: - T1212 - observable: - - name: host - type: Hostname - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - raw - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log sourcetype: kube:container:controller source: kubernetes diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml index 4e908f9bcf..262d24b178 100644 --- a/detections/cloud/kubernetes_nginx_ingress_rfi.yml +++ b/detections/cloud/kubernetes_nginx_ingress_rfi.yml 
@@ -1,13 +1,25 @@ name: Kubernetes Nginx Ingress RFI id: fc5531ae-62fd-4de6-9c36-b4afdae8ca95 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment. +description: The following analytic detects remote file inclusion (RFI) attacks targeting + Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx + ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to + identify suspicious activity. This activity is significant because RFI attacks can + allow attackers to execute arbitrary code or access sensitive files on the server. + If confirmed malicious, this could lead to unauthorized access, data exfiltration, + or further compromise of the Kubernetes environment. 
data_source: [] -search: '`kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" | rex field=request "^(?\S+)?\s(?\S+)\s" | rex field=url "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase="operate" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`' +search: '`kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" + | rex field=request "^(?\S+)?\s(?\S+)\s" | rex field=url "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" + | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name + as proxy | eval phase="operate" | eval severity="medium" | stats count min(_time) + as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, + host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`' how_to_implement: You must ingest Kubernetes logs through Splunk Connect for Kubernetes. known_false_positives: unknown references: 
@@ -19,38 +31,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote File Inclusion Attack detected on $host$ + risk_objects: + - field: host + type: system + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Dev Sec Ops asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Remote File Inclusion Attack detected on $host$ mitre_attack_id: - T1212 - observable: - - name: host - type: Hostname - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - raw - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log sourcetype: kube:container:controller source: kubernetes diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml index c9e3f04320..ae8cfb1471 100644 --- a/detections/cloud/kubernetes_node_port_creation.yml +++ b/detections/cloud/kubernetes_node_port_creation.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Node Port Creation id: d7fc865e-b8a1-4029-a960-cf4403b821b6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a Kubernetes NodePort service, which exposes a service to the external network. It identifies this activity by monitoring Kubernetes Audit logs for the creation of NodePort services. This behavior is significant for a SOC as it could allow an attacker to access internal services, posing a threat to the Kubernetes infrastructure's integrity and security. If confirmed malicious, this activity could lead to data breaches, service disruptions, or unauthorized access to sensitive information. +description: The following analytic detects the creation of a Kubernetes NodePort + service, which exposes a service to the external network. It identifies this activity + by monitoring Kubernetes Audit logs for the creation of NodePort services. This + behavior is significant for a SOC as it could allow an attacker to access internal + services, posing a threat to the Kubernetes infrastructure's integrity and security. + If confirmed malicious, this activity could lead to data breaches, service disruptions, + or unauthorized access to sensitive information. data_source: - Kubernetes Audit -search: '`kube_audit` "objectRef.resource"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` "objectRef.resource"=services verb=create requestObject.spec.type=NodePort + | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name + objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type + responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} + as src_ip, user.username as user | `kubernetes_node_port_creation_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. 
This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,50 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes node port creation from user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes node port creation from user $user$ mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.type - - responseStatus.code - - sourceIPs{} - - stage - - 
user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml index b494872b13..568f222e74 100644 --- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml +++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Pod Created in Default Namespace id: 3d6b1a81-367b-42d5-a925-6ef90b6b9f1e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of Kubernetes pods in the default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs to identify pod creation events within these specific namespaces. This activity is significant for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Unauthorized pod creation in these namespaces can suggest a successful cluster breach, potentially leading to privilege escalation, persistent access, or further malicious activities within the cluster. +description: The following analytic detects the creation of Kubernetes pods in the + default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs + to identify pod creation events within these specific namespaces. This activity + is significant for a SOC as it may indicate an attacker attempting to hide their + presence or evade defenses. Unauthorized pod creation in these namespaces can suggest + a successful cluster breach, potentially leading to privilege escalation, persistent + access, or further malicious activities within the cluster. data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN ("default", "kube-system", "kube-public") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. 
Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN ("default", + "kube-system", "kube-public") | fillnull | stats count by objectRef.name objectRef.namespace + objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} + stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as + src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. 
This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,51 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes Pod Created in Default Namespace by $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes Pod Created in Default Namespace by $user$ mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - objectRef.resource - - verb - - objectRef.name - - objectRef.namespace - - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - stage - - 
user.groups{} - - user.uid - - user.username - - userAgent - - verb - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml index 925c8e0244..00d8ea9856 100644 --- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml +++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Pod With Host Network Attachment id: cce357cf-43a4-494a-814b-67cea90fe990 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation or update of a Kubernetes pod with host network attachment. It leverages Kubernetes Audit logs to identify pods configured with host network settings. This activity is significant for a SOC as it could allow an attacker to monitor all network traffic on the node, potentially capturing sensitive information and escalating privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, and service disruptions, severely impacting the security and integrity of the Kubernetes environment. +description: The following analytic detects the creation or update of a Kubernetes + pod with host network attachment. It leverages Kubernetes Audit logs to identify + pods configured with host network settings. This activity is significant for a SOC + as it could allow an attacker to monitor all network traffic on the node, potentially + capturing sensitive information and escalating privileges. If confirmed malicious, + this could lead to unauthorized access, data breaches, and service disruptions, + severely impacting the security and integrity of the Kubernetes environment. 
data_source: - Kubernetes Audit -search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"hostNetwork\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. 
+search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"hostNetwork\":true* + | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name + objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} + stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration + | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,51 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes pod with host network attachment from user $user$. + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes pod with host network attachment from user $user$. 
mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.type - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent - - verb - - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml index de747c5918..31f9462fcb 100644 --- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml +++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml 
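Review bot: the `search` in the kubernetes_pod_with_host_network_attachment hunk matches `requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"hostNetwork\":true*`, i.e. the annotation that only `kubectl apply` writes, rather than the request body, so a hostNetwork pod created with `kubectl create`, `kubectl run`, a controller or a direct API client never carries that annotation and is not detected; match `requestObject.spec.hostNetwork=true` (instead of, or in addition to, the annotation), which is present regardless of the client. Two smaller points: write the verb clause as `(verb=create OR verb=update)`, since the current form only works because Splunk evaluates OR before AND and that is not obvious to a reader; and `known_false_positives: unknown` should name the expected benign sources (node networking and monitoring agents that legitimately run with hostNetwork) so that the `kubernetes_pod_with_host_network_attachment_filter` macro can be tuned before every such submission scores 49 against the submitting user.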
@@ -1,61 +1,62 @@ name: Kubernetes Previously Unseen Container Image Name id: fea515a4-b1d8-4cd6-80d6-e0d71397b891 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies the creation of containerized workloads using previously unseen images in a Kubernetes cluster. It leverages process metrics from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability Cloud. The detection compares container image names seen in the last hour with those from the previous 30 days. This activity is significant as unfamiliar container images may introduce vulnerabilities, malware, or misconfigurations, posing threats to the cluster's integrity. If confirmed malicious, compromised images can lead to data breaches, service disruptions, unauthorized access, and potential lateral movement within the cluster. +description: The following analytic identifies the creation of containerized workloads + using previously unseen images in a Kubernetes cluster. It leverages process metrics + from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability + Cloud. The detection compares container image names seen in the last hour with those + from the previous 30 days. This activity is significant as unfamiliar container + images may introduce vulnerabilities, malware, or misconfigurations, posing threats + to the cluster's integrity. If confirmed malicious, compromised images can lead + to data breaches, service disruptions, unauthorized access, and potential lateral + movement within the cluster. 
data_source: [] -search: '| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="True" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="false" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current="true" AND current!="false" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: '| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` + AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name + | eval current="True" | append [mstats count(k8s.container.ready) as k8s.container.ready_count + where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name + k8s.node.name container.image.name | eval current="false" ] | stats values(current) + as current by host.name k8s.cluster.name k8s.node.name container.image.name | search + current="true" AND current!="false" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter`' +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. 
(ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Previously Unseen Container Image Name on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Previously Unseen Container Image Name on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - k8s.container.ready_count - - host.name - - k8s.cluster.name - - k8s.node.name - risk_score: 25 security_domain: network 
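Review bot: the `search` in kubernetes_previously_unseen_container_image_name.yml does not match its own description. The description says it compares images "seen in the last hour with those from the previous 30 days", but the current window is `earliest=-24h` while the baseline is `earliest=-30d latest=-1h`, so the two windows overlap by 23 hours; use `earliest=-1h` for the current window, as kubernetes_previously_unseen_process.yml in this same change does, or fix the description. The filter `| search current="true" AND current!="false"` also depends on `search` matching the `eval current="True"` value case-insensitively and on `!=` semantics over a multivalue `current` field; the `stats count values(current) as current ... | where count=1 and current="True"` form used by the other detections in this change is unambiguous and should be used here too. Separately, `how_to_implement` is copied from the process-metric detections: it tells the reader to enable the hostmetrics/process receiver and to run "Baseline Of Kubernetes Container Network IO Ratio", while this search only needs `k8s.container.ready` from the Kubernetes cluster receiver and uses no lookup; `data_source: []` is also left empty.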
diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml index e135818a44..2c15a3ef5a 100644 --- a/detections/cloud/kubernetes_previously_unseen_process.yml +++ b/detections/cloud/kubernetes_previously_unseen_process.yml 
@@ -1,62 +1,63 @@ name: Kubernetes Previously Unseen Process id: c8119b2f-d7f7-40be-940a-1c582870e8e2 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic detects previously unseen processes within the Kubernetes environment on master or worker nodes. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud. This detection compares processes observed in the last hour against those seen in the previous 30 days. Identifying new processes is crucial as they may indicate unauthorized activity or attempts to compromise the node. If confirmed malicious, these processes could lead to data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware, posing significant risks to the Kubernetes cluster. +description: The following analytic detects previously unseen processes within the + Kubernetes environment on master or worker nodes. It leverages process metrics collected + via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability + Cloud. This detection compares processes observed in the last hour against those + seen in the previous 30 days. Identifying new processes is crucial as they may indicate + unauthorized activity or attempts to compromise the node. If confirmed malicious, + these processes could lead to data exfiltration, privilege escalation, denial-of-service + attacks, or the introduction of malware, posing significant risks to the Kubernetes + cluster. 
data_source: [] -search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current="True" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current="True" | rename host.name as host | `kubernetes_previously_unseen_process_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: '| mstats count(process.memory.utilization) as process.memory.utilization_count + where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name + process.executable.name | eval current="True" | append [mstats count(process.memory.utilization) + as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d + latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] + | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name + process.executable.name | where count=1 and current="True" | rename host.name as + host | `kubernetes_previously_unseen_process_filter`' +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. 
(ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Previously Unseen Process on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Previously Unseen Process on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.memory.utilization - - host.name - - k8s.cluster.name - - k8s.node.name - - process.executable.name - risk_score: 25 security_domain: network 
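Review bot: the SignalFlow program in `how_to_implement` of kubernetes_previously_unseen_process.yml publishes `process.cpu.utilization` twice (labels B and H) and `process.threads` twice (labels A and K); drop the duplicate `data(...)` calls so the modular input does not ingest the same series twice. The final step, "Run the Search Baseline Of Kubernetes Container Network IO Ratio", is not a prerequisite of this search, which uses no lookup and compares two `mstats` windows directly; replace it with the real requirement, namely 30 days of `process.memory.utilization` in `kubernetes_metrics`, because with no history every process satisfies `count=1 and current="True"`. For the same reason `known_false_positives: unknown` should at least state that the first run after deployment, and the first hour of any node whose `host.name`/`k8s.node.name` has no 30-day history, will report every process on that node.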
diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml index b38bdbae28..efaabebe09 100644 --- a/detections/cloud/kubernetes_process_running_from_new_path.yml +++ b/detections/cloud/kubernetes_process_running_from_new_path.yml 
@@ -1,62 +1,64 @@ name: Kubernetes Process Running From New Path id: 454076fb-0e9e-4adf-b93a-da132621c5e6 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies processes running from newly seen paths within a Kubernetes environment. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares processes observed in the last hour with those seen over the previous 30 days. This activity is significant as it may indicate unauthorized changes, compromised nodes, or the introduction of malicious software. If confirmed malicious, it could lead to unauthorized process execution, control over critical resources, data exfiltration, privilege escalation, or malware introduction within the Kubernetes cluster. +description: The following analytic identifies processes running from newly seen paths + within a Kubernetes environment. It leverages process metrics collected via an OTEL + collector and hostmetrics receiver, and data is pulled from Splunk Observability + Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares + processes observed in the last hour with those seen over the previous 30 days. This + activity is significant as it may indicate unauthorized changes, compromised nodes, + or the introduction of malicious software. If confirmed malicious, it could lead + to unauthorized process execution, control over critical resources, data exfiltration, + privilege escalation, or malware introduction within the Kubernetes cluster. 
data_source: [] -search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current="True" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current="True" | rename host.name as host | `kubernetes_process_running_from_new_path_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: '| mstats count(process.memory.utilization) as process.memory.utilization_count + where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name + process.pid process.executable.path process.executable.name | eval current="True" + | append [ mstats count(process.memory.utilization) as process.memory.utilization_count + where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name + k8s.node.name process.pid process.executable.path process.executable.name ] | stats + count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid + process.executable.name process.executable.path | where count=1 and current="True" + | rename host.name as host | `kubernetes_process_running_from_new_path_filter`' +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. 
(ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Process Running From New Path on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Process Running From New Path on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.memory.utilization - - host.name - - k8s.cluster.name - - k8s.node.name - - process.executable.name - risk_score: 25 security_domain: network 
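Review bot: the `search` in kubernetes_process_running_from_new_path.yml keys both `mstats` windows and the final `stats` on `process.pid` (`by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name`), so the "previously seen" set is a set of PIDs, not of paths: any restart of a long-known binary gets a fresh PID, yields `count=1 and current="True"`, and is reported as running from a new path. Remove `process.pid` from all three `by` clauses so the comparison is keyed on `host.name k8s.cluster.name k8s.node.name process.executable.path process.executable.name` only; if the PID is wanted in the notable, add it after the comparison with `values(process.pid)` rather than as a grouping key.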
diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml index 4c91315a64..9aeec13966 100644 --- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml +++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml 
@@ -1,62 +1,66 @@ name: Kubernetes Process with Anomalous Resource Utilisation id: 25ca9594-7a0d-4a95-a5e5-3228d7398ec8 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies high resource utilization anomalies in Kubernetes processes. It leverages process metrics from an OTEL collector and hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values to spot anomalies. This activity is significant as high resource utilization can indicate security threats like cryptojacking, unauthorized data exfiltration, or compromised containers. If confirmed malicious, such anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. +description: The following analytic identifies high resource utilization anomalies + in Kubernetes processes. It leverages process metrics from an OTEL collector and + hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The + detection uses a lookup table with average and standard deviation values to spot + anomalies. This activity is significant as high resource utilization can indicate + security threats like cryptojacking, unauthorized data exfiltration, or compromised + containers. If confirmed malicious, such anomalies can disrupt services, exhaust + resources, increase costs, and allow attackers to evade detection or maintain access. 
data_source: [] -search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name + k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_baseline + key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' + > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher + than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' + ,2)) + \" Standard Deviations. 
<>=\" + tostring('<>') + \" avg_<>=\"\ + \ + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | + where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name + k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count + > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter`" +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. 
Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Process with Anomalous Resource Utilisation on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Process with Anomalous Resource Utilisation on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.* - - host.name - - k8s.cluster.name - - k8s.node.name - - process.executable.name - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml index a17505403f..8c0b0f808b 100644 --- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml 
+++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml 
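Review bot: in the `search` of kubernetes_process_with_anomalous_resource_utilisation.yml, `| lookup k8s_process_resource_baseline key | fillnull` zero-fills every `avg_*` and `stdev_*` field for a process that has no row in the baseline, so inside `foreach stdev_*` the test degenerates to `'<>' > 0` and the z-score divides by a zero `stdev_<>`; eval returns null for that division, the null propagates through the `+` string concatenation, `anomalies` ends up null and the row is discarded by `where anomalies!=""`. The effect is that an unbaselined process, or a baselined one with a single constant metric (stdev 0) that is above its average, silently suppresses all findings for that row instead of scoring it. Restrict `fillnull` to the metric fields and add `'stdev_<>' > 0` to the `if` condition, or drop rows where the lookup returned nothing before the `foreach`. `how_to_implement` should also name the lookup this search depends on, `k8s_process_resource_baseline`, and the baseline search that populates it; the step it currently gives, "Run the Search Baseline Of Kubernetes Container Network IO Ratio", refers to a different baseline.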
@@ -1,62 +1,71 @@ name: Kubernetes Process with Resource Ratio Anomalies id: 0d42b295-0f1f-4183-b75e-377975f47c65 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic detects anomalous changes in resource utilization ratios for processes running on a Kubernetes node. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk Observability Cloud. The detection uses a lookup table containing average and standard deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). Significant deviations from these baselines may indicate compromised processes, malicious activity, or misconfigurations. If confirmed malicious, this could signify a security breach, allowing attackers to manipulate workloads, potentially leading to data exfiltration or service disruption. +description: The following analytic detects anomalous changes in resource utilization + ratios for processes running on a Kubernetes node. It leverages process metrics + collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk + Observability Cloud. The detection uses a lookup table containing average and standard + deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). + Significant deviations from these baselines may indicate compromised processes, + malicious activity, or misconfigurations. If confirmed malicious, this could signify + a security breach, allowing attackers to manipulate workloads, potentially leading + to data exfiltration or service disruption. 
data_source: [] -search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = ''process.cpu.utilization''/''process.memory.utilization'' | eval cpu:disk = ''process.cpu.utilization''/''process.disk.operations'' | eval mem:disk = ''process.memory.utilization''/''process.disk.operations'' | eval cpu:threads = ''process.cpu.utilization''/''process.threads'' | eval disk:threads = ''process.disk.operations''/''process.threads'' | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> ratio higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". 
- - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name + k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = + 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' + | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval + cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = + 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \"\ + :\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline + key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' + > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio + higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' + ,2)) + \" Standard Deviations. 
<>=\" + tostring('<>') + \" avg_<>=\"\ + \ + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | + where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name + k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename + host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`" +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. 
Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart +rba: + message: Kubernetes Process with Resource Ratio Anomalies on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes Process with Resource Ratio Anomalies on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.* - - host.name - - k8s.cluster.name - - k8s.node.name - - process.executable.name - risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_scanner_image_pulling.yml b/detections/cloud/kubernetes_scanner_image_pulling.yml index f3f167b7cd..4a13f7d3ae 100644 --- a/detections/cloud/kubernetes_scanner_image_pulling.yml +++ b/detections/cloud/kubernetes_scanner_image_pulling.yml 
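Review bot: the `fillnull` before the `foreach stdev_*` block silently drops processes that have no row in k8s_process_resource_ratio_baseline rather than surfacing them. For such a row fillnull sets avg_<> and stdev_<> to 0, so the condition `'<>' > ('avg_<>' + 4 * 'stdev_<>')` is true for any positive ratio, but the division by 'stdev_<>' in the message returns null, the concatenation collapses `anomalies` to null, and `where anomalies!=""` then discards the row. Adding `AND 'stdev_<>' > 0` to the if() condition (or filtering unbaselined keys out explicitly before the foreach) makes the behaviour deliberate and keeps a zero-variance baseline from dividing by zero. Two documentation points in the same hunk: the final how_to_implement step says to run "Baseline Of Kubernetes Container Network IO Ratio", but the lookup consumed here is the process resource ratio baseline, so the step names the wrong search; and `known_false_positives: unknown` is thin for a 4-standard-deviation threshold, since a redeploy or rescale of a workload will shift these ratios for legitimate reasons and the filter macro is the only tuning knob on offer.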
@@ -1,13 +1,25 @@ name: Kubernetes Scanner Image Pulling id: 4890cd6b-0112-4974-a272-c5c153aee551 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster. +description: The following analytic detects the pulling of known Kubernetes security + scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes + logs ingested through Splunk Connect for Kubernetes, specifically monitoring for + messages indicating the pulling of these images. This activity is significant because + the use of security scanners can indicate an attempt to identify vulnerabilities + within the Kubernetes environment. If confirmed malicious, this could lead to the + discovery and exploitation of security weaknesses, potentially compromising the + entire Kubernetes cluster. 
data_source: [] -search: '`kube_objects_events` object.message IN ("Pulling image *kube-hunter*", "Pulling image *kube-bench*", "Pulling image *kube-recon*", "Pulling image *kube-recon*") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase="operate" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`' +search: '`kube_objects_events` object.message IN ("Pulling image *kube-hunter*", "Pulling + image *kube-bench*", "Pulling image *kube-recon*", "Pulling image *kube-recon*") + | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host + | eval phase="operate" | eval severity="high" | stats min(_time) as firstTime max(_time) + as lastTime count by host, name, namespace, kind, reason, message, phase, severity + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`' how_to_implement: You must ingest Kubernetes logs through Splunk Connect for Kubernetes. known_false_positives: unknown references: 
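Review bot: the IN() list in the search carries "Pulling image *kube-recon*" twice, in both the old and the rewrapped new line, so this version bump was the natural place to deduplicate it; the second copy is harmless to the match but will trip anyone auditing the pattern list against the scanners the description names (kube-hunter, kube-bench, kube-recon). Minor doc point: the description says the events come in "through Splunk Connect for Kubernetes", while the other detections touched in this commit point to the Splunk OpenTelemetry Collector chart (and its migration-from-sck guide); stating which collector the `kube_objects_events` macro is expected to be fed by would avoid sending operators to a deprecated path.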
@@ -18,40 +30,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes Scanner image pulled on host $host$ + risk_objects: + - field: host + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Dev Sec Ops asset_type: Kubernetes - confidence: 90 - impact: 90 - message: Kubernetes Scanner image pulled on host $host$ mitre_attack_id: - T1526 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - object.message - - source.host - - object.involvedObject.name - - object.involvedObject.namespace - - object.involvedObject.kind - - object.message - - object.reason - risk_score: 81 security_domain: network tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json sourcetype: kube:objects:events source: kubernetes diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml index 125dc24ea3..96670070b9 100644 --- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml +++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml 
@@ -1,15 +1,39 @@ name: Kubernetes Scanning by Unauthenticated IP Address id: f9cadf4e-df22-4f4e-a08f-9d3344c2165d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues. If confirmed malicious, such scanning could lead to unauthorized access, data breaches, or further exploitation of the Kubernetes infrastructure, compromising the security and integrity of the environment. +description: The following analytic identifies potential scanning activities within + a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes + audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) + from the same source IP. This activity is significant as it may indicate an attacker + probing for vulnerabilities or attempting to exploit known issues. If confirmed + malicious, such scanning could lead to unauthorized access, data breaches, or further + exploitation of the Kubernetes infrastructure, compromising the security and integrity + of the environment. 
data_source: - Kubernetes Audit -search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. 
+search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 + | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) + as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) + as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) + as responseStatus.message values(responseStatus.reason) as responseStatus.reason + values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City + | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
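Review bot: `values(user.groups{}) as user.groups{}` in the stats clause is redundant because the search already pins `"user.groups{}"="system:unauthenticated"`, so the column will always contain that single value; dropping it shortens the result set without losing information. In the rewrapped how_to_implement text, "This doc will describe how to collect the audit log file" followed by a bare URL reads as a cut-off sentence; "This document describes how to collect the audit log file:" before the link would be clearer. Separately, `known_false_positives: unknown` on a production-status detection that keys on HTTP 403 counts deserves at least a sentence on what benign unauthenticated traffic looks like in the deployments this was tested against.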
@@ -19,48 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kubernetes scanning from ip $src_ip$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Kubernetes scanning from ip $src_ip$ mitre_attack_id: - T1046 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - verb - - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - user.groups{} - - user.username - - userAgent - - verb - - responseStatus.reason - - responseStatus.status - risk_score: 
49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml index b3892a118e..2eace1935d 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml 
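Review bot: the rba block makes `user` the only risk object, but because the search filters on `"user.groups{}"="system:unauthenticated"`, the renamed `user` field is the API server's anonymous identity for every hit, so risk from every scanning source accumulates on one synthetic user and the "View risk events for the last 7 days for $user$" drilldown always returns that same object. The entity the analyst actually investigates here is `src_ip`, which this hunk records only as a threat object; consider also listing it as a risk object (type ip_address) or pointing the drilldown at `$src_ip$`. The numeric migration itself is consistent: score 49 matches the removed confidence 70 and impact 70 (70 × 70 / 100), and the message text is carried over unchanged.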
@@ -1,64 +1,62 @@ name: Kubernetes Shell Running on Worker Node id: efebf0c4-dcf4-496f-85a2-5ab7ad8fa876 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It leverages process metrics from an OTEL collector hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, pulled from Splunk Observability Cloud. This activity is significant as unauthorized shell processes can indicate potential security threats, providing attackers an entry point to compromise the node and the entire Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. +description: The following analytic identifies shell activity within the Kubernetes + privilege scope on a worker node. It leverages process metrics from an OTEL collector + hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, + pulled from Splunk Observability Cloud. This activity is significant as unauthorized + shell processes can indicate potential security threats, providing attackers an + entry point to compromise the node and the entire Kubernetes cluster. If confirmed + malicious, this activity could lead to data theft, service disruption, privilege + escalation, lateral movement, and further attacks, severely compromising the cluster's + security and integrity. 
data_source: [] -search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) + as process.memory.utilization where `kubernetes_metrics` AND process.executable.name + IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid + process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 + | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) + as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid + process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter`' +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. 
(ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart/tree/main +rba: + message: Kubernetes shell running on worker node on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes shell running on worker node on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.cpu.utilization - - process.memory.utilization - - process.executable.name - - host.name - - k8s.cluster.name - - k8s.node.name - - process.pid - risk_score: 25 security_domain: network 
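Review bot: the final how_to_implement step, "Run the Search Baseline Of Kubernetes Container Network IO Ratio", does not apply to this detection at all: the search has no `lookup` and compares nothing against a baseline, it simply reports shells (sh, bash, csh, tcsh) with non-zero CPU or memory utilization. The step looks copied from the ratio-anomaly detections and should be removed so operators do not build a baseline this analytic never reads. The same copied SignalFlow program publishes data('process.threads') twice (labels A and K) and data('process.cpu.utilization') twice (labels B and H); since this search only needs process.cpu.utilization and process.memory.utilization, the duplicate streams are pure ingest overhead.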
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml index c99c2d7139..9fc02d8dba 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml 
@@ -1,64 +1,63 @@ name: Kubernetes Shell Running on Worker Node with CPU Activity id: cc1448e3-cc7a-4518-bc9f-2fa48f61a22b -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node, specifically when shell processes are consuming CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring Add-on, focusing on process.cpu.utilization and process.memory.utilization. This activity is significant as unauthorized shell processes can indicate a security threat, potentially compromising the node and the entire Kubernetes cluster. If confirmed malicious, attackers could gain full control over the host's resources, leading to data theft, service disruption, privilege escalation, and further attacks within the cluster. +description: The following analytic identifies shell activity within the Kubernetes + privilege scope on a worker node, specifically when shell processes are consuming + CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, + pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring + Add-on, focusing on process.cpu.utilization and process.memory.utilization. This + activity is significant as unauthorized shell processes can indicate a security + threat, potentially compromising the node and the entire Kubernetes cluster. If + confirmed malicious, attackers could gain full control over the host's resources, + leading to data theft, service disruption, privilege escalation, and further attacks + within the cluster. 
data_source: [] -search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`' -how_to_implement: 'To implement this detection, follow these steps: - - * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - - * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - - * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - - * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 
- - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - - * Set the Metric Resolution to 10000. - - * Leave all other settings at their default values. - - * Run the Search Baseline Of Kubernetes Container Network IO Ratio' +search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) + as process.memory.utilization where `kubernetes_metrics` AND process.executable.name + IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid + process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) + as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization + by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name + | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`' +how_to_implement: "To implement this detection, follow these steps:\n* Deploy the + OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process + receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically + Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install + the Splunk Infrastructure Monitoring (SIM) add-on. 
(ref: https://splunkbase.splunk.com/app/5247)\n + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input + \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization + ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to + the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); + data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); + data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); + data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); + data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); + data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n + * Leave all other settings at their default values.\n* Run the Search Baseline Of + Kubernetes Container Network IO Ratio" known_false_positives: unknown references: - https://github.com/signalfx/splunk-otel-collector-chart/tree/main +rba: + message: Kubernetes shell with cpu activity running on worker node on host $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring asset_type: Kubernetes - confidence: 50 - impact: 50 - message: Kubernetes shell with cpu activity running on worker node on host $host$ mitre_attack_id: - T1204 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process.cpu.utilization - - process.memory.utilization - - process.executable.name - - host.name - - k8s.cluster.name - - k8s.node.name - - process.pid - risk_score: 25 
security_domain: network diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml index 0788cc43cd..aecafbb426 100644 --- a/detections/cloud/kubernetes_suspicious_image_pulling.yml +++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Suspicious Image Pulling id: 4d3a17b3-0a6d-4ae0-9421-46623a69c122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects suspicious image pulling in Kubernetes environments. It identifies this activity by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is significant for a SOC as it may indicate an attacker attempting to deploy malicious software or infiltrate the system. If confirmed malicious, the impact could be severe, potentially leading to unauthorized access to sensitive systems or data, and enabling further malicious activities within the cluster. +description: The following analytic detects suspicious image pulling in Kubernetes + environments. It identifies this activity by monitoring Kubernetes audit logs for + image pull requests that do not match a predefined list of allowed images. This + behavior is significant for a SOC as it may indicate an attacker attempting to deploy + malicious software or infiltrate the system. If confirmed malicious, the impact + could be severe, potentially leading to unauthorized access to sensitive systems + or data, and enabling further malicious activities within the cluster. data_source: - Kubernetes Audit -search: '`kube_audit` requestObject.message="Pulling image*" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` requestObject.message="Pulling image*" | search NOT `kube_allowed_images` + | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource + requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} + user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username + as user | `kubernetes_suspicious_image_pulling_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. 
This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. + When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,48 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ + by user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$ mitre_attack_id: - T1526 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - verb - - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - user.groups{} - - 
user.username - - userAgent - - verb - - responseStatus.reason - - responseStatus.status - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml index 823255c842..4028bac07e 100644 --- a/detections/cloud/kubernetes_unauthorized_access.yml +++ b/detections/cloud/kubernetes_unauthorized_access.yml 
@@ -1,15 +1,36 @@ name: Kubernetes Unauthorized Access id: 9b5f1832-e8b9-453f-93df-07a3d6a72a45 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by examining the source of requests and their response statuses. This activity is significant for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes environment. If confirmed malicious, such access could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster. +description: The following analytic detects unauthorized access attempts to Kubernetes + by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by + examining the source of requests and their response statuses. This activity is significant + for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes + environment. If confirmed malicious, such access could lead to unauthorized control + over Kubernetes resources, potentially compromising sensitive systems or data within + the cluster. data_source: - Kubernetes Audit -search: '`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +search: '`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats + count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI + responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid + user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user + | `kubernetes_unauthorized_access_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit + logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes + audit logs provide a record of the requests made to the Kubernetes API server, which + is crucial for monitoring and detecting suspicious activities. Configure the audit + policy in Kubernetes to determine what kind of activities are logged. This is done + by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry + Collector for Kubernetes to collect the logs. This doc will describe how to collect + the audit log file + https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. 
+ When you want to use this detection with AWS EKS, you need to enable EKS control + plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. + Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ 
@@ -19,48 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Unauthorized access to Kubernetes from user $user$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Kubernetes Security asset_type: Kubernetes - confidence: 70 - impact: 70 - message: Unauthorized access to Kubernetes from user $user$ mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - verb - - requestReceivedTimestamp - - requestURI - - responseStatus.code - - sourceIPs{} - - user.groups{} - - user.username - - userAgent - - verb - - responseStatus.reason - - 
responseStatus.status - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/microsoft_intune_device_health_scripts.yml b/detections/cloud/microsoft_intune_device_health_scripts.yml index 0ded33699f..26a8429bfa 100644 --- a/detections/cloud/microsoft_intune_device_health_scripts.yml +++ b/detections/cloud/microsoft_intune_device_health_scripts.yml @@ -3,7 +3,7 @@ id: 6fe42e07-15b1-4caa-b547-7885666cb1bd version: 1 date: '2025-01-06' author: Dean Luxton -data_sources: +data_source: - Azure Monitor Activity type: Hunting status: production @@ -29,32 +29,15 @@ tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 40 - impact: 100 - message: Intune device health script $TargetObjectId$ was $action$ by user $user$ mitre_attack_id: - T1072 - T1021.007 - T1202 - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: TargetObjectId - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - operationName - - identity - - properties.TargetObjectIds{} - risk_score: 40 security_domain: audit tests: - name: True Positive Test diff --git a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml index 5d4fff9411..4e8114911d 100644 --- a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml +++ b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml 
@@ -3,7 +3,7 @@ id: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c version: 1 date: '2025-01-07' author: Dean Luxton -data_sources: +data_source: - Azure Monitor Activity type: Hunting status: production @@ -31,33 +31,16 @@ tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 40 - impact: 100 - message: Intune device management policy $TargetObjectId$ has been $action$ by user $user$ mitre_attack_id: - T1072 - T1484 - T1021.007 - T1562.001 - T1562.004 - observable: - - name: user - type: User - role: - - Victim - - name: TargetObjectId - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - operationName - - identity - - properties.TargetObjectIds{} - risk_score: 40 security_domain: audit tests: - name: True Positive Test diff --git a/detections/cloud/microsoft_intune_manual_device_management.yml b/detections/cloud/microsoft_intune_manual_device_management.yml index 567d368706..d152bb5d9d 100644 --- a/detections/cloud/microsoft_intune_manual_device_management.yml +++ b/detections/cloud/microsoft_intune_manual_device_management.yml @@ -3,7 +3,7 @@ id: 5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822 version: 1 date: '2025-01-07' author: Dean Luxton -data_sources: +data_source: - Azure Monitor Activity type: Hunting status: production 
@@ -31,31 +31,14 @@ tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 70 - impact: 20 - message: Microsoft Intune device management configuration policy action $action$ was performed on $TargetObjectId$ by user $user$ mitre_attack_id: - T1021.007 - T1072 - T1529 - observable: - - name: user - type: User - role: - - Victim - - name: TargetObjectId - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - operationName - - identity - - properties.TargetObjectIds{} - risk_score: 14 security_domain: audit tests: - name: True Positive Test diff --git a/detections/cloud/microsoft_intune_mobile_apps.yml b/detections/cloud/microsoft_intune_mobile_apps.yml index f1da77ec86..807c515f26 100644 --- a/detections/cloud/microsoft_intune_mobile_apps.yml +++ b/detections/cloud/microsoft_intune_mobile_apps.yml @@ -3,7 +3,7 @@ id: 98e6b389-2806-4426-a580-8a92cb0d9710 version: 1 date: '2025-01-07' author: Dean Luxton -data_sources: +data_source: - Azure Monitor Activity type: Hunting status: experimental @@ -29,32 +29,15 @@ tags: analytic_story: - Azure Active Directory Account Takeover asset_type: Azure Tenant - confidence: 40 - impact: 100 - message: Intune packed application $TargetDisplayName$ $TargetObjectId$ was $action$ by user $user$ mitre_attack_id: - T1072 - T1021.007 - T1202 - T1105 - observable: - - name: user - type: User - role: - - Attacker - - name: TargetObjectId - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - operationName - - identity - - properties.TargetObjectIds{} - risk_score: 40 security_domain: audit tests: - name: True Positive Test diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml index 447d408f9c..40dbc0137d 100644 
--- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml +++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml 
@@ -1,16 +1,29 @@ name: O365 Add App Role Assignment Grant User id: b2c81cc6-6040-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the "Add app role assignment grant to user" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment. +description: The following analytic detects the addition of an application role assignment + grant to a user in Office 365. It leverages data from the `o365_management_activity` + dataset, specifically monitoring the "Add app role assignment grant to user" operation. + This activity is significant as it can indicate unauthorized privilege escalation + or the assignment of sensitive roles to users. If confirmed malicious, this could + allow an attacker to gain elevated permissions, potentially leading to unauthorized + access to critical resources and data within the Office 365 environment. data_source: - O365 Add app role assignment grant to user. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." 
| stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -known_false_positives: The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app + role assignment grant to user." | stats count min(_time) as firstTime max(_time) + as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) + as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity +known_false_positives: The creation of a new Federation is not necessarily malicious, + however this events need to be followed closely, as it may indicate federated credential + abuse or backdoor via federated identities at a different cloud provider. references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a 
@@ -20,47 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has created a new federation setting $modified_properties_name$ + on $dest$ + risk_objects: + - field: user + type: user + score: 18 + - field: dest + type: system + score: 18 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - Cloud Federated Credential Abuse asset_type: O365 Tenant - confidence: 60 - impact: 30 - message: User $user$ has created a new federation setting $modified_properties_name$ on $dest$ mitre_attack_id: - T1136.003 - T1136 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - 
Workload - - Operation - - Actor{}.ID - - Actor{}.Type - - UserId - - dest - - ResultStatus - risk_score: 18 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml index 75ecee1d77..239d6317b9 100644 --- a/detections/cloud/o365_added_service_principal.yml +++ b/detections/cloud/o365_added_service_principal.yml 
@@ -1,16 +1,30 @@ name: O365 Added Service Principal id: 1668812a-6047-11eb-ae93-0242ac130002 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the `o365_management_activity` dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization's environment. If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise. +description: The following analytic detects the addition of new service principal + accounts in O365 tenants. It leverages data from the `o365_management_activity` + dataset, specifically monitoring for operations related to adding or creating service + principals. This activity is significant because attackers can exploit service principals + to gain unauthorized access and perform malicious actions within an organization's + environment. If confirmed malicious, this could allow attackers to interact with + APIs, access resources, and execute operations on behalf of the organization, potentially + leading to data breaches or further compromise. 
data_source: - O365 -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -known_false_positives: The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add + service principal*" OR (Operation = "*principal*" AND action = "created") | stats + count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type + action Operation authentication_service Workload | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity +known_false_positives: The creation of a new Federation is not necessarily malicious, + however these events need to be followed closely, as it may indicate federated credential + abuse or backdoor via federated identities at a different cloud provider. references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a 
@@ -22,44 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory + risk_objects: + - field: src_user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - Cloud Federated Credential Abuse - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory mitre_attack_id: - T1136.003 - T1136 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - signature - - src_user - - src_user_type - - action - - Operation - - 
authentication_service - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml index ae7dba3eb8..5ab812b900 100644 --- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml 
@@ -1,16 +1,33 @@ name: O365 Admin Consent Bypassed by Service Principal id: 8a1b22eb-50ce-4e26-a691-97ff52349569 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - O365 Add app role assignment to service principal. type: TTP status: production -description: The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages `o365_management_activity` logs, specifically focusing on the 'Add app role assignment to service principal' operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." | eval len=mvcount(''Actor{}.ID'') | eval userType = mvindex(''Actor{}.ID'',len-1) | eval roleId = mvindex(''ModifiedProperties{}.NewValue'', 0) | eval roleValue = mvindex(''ModifiedProperties{}.NewValue'', 1) | eval roleDescription = mvindex(''ModifiedProperties{}.NewValue'', 2) | eval dest_user = mvindex(''Target{}.ID'', 0) | search userType = "ServicePrincipal" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. 
+description: The following analytic identifies instances where a service principal + in Office 365 Azure Active Directory assigns app roles without standard admin consent. + It leverages `o365_management_activity` logs, specifically focusing on the 'Add + app role assignment to service principal' operation. This activity is significant + for SOCs as it may indicate a bypass of critical administrative controls, potentially + leading to unauthorized access or privilege escalation. If confirmed malicious, + this could allow an attacker to misuse automated processes to assign sensitive permissions, + compromising the security of the environment. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add + app role assignment to service principal.\" | eval len=mvcount('Actor{}.ID') | eval + userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', + 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription + = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', + 0) | search userType = \"ServicePrincipal\" | eval src_user = user | stats count + earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId + roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\ + \ | `o365_admin_consent_bypassed_by_service_principal_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Service Principals are sometimes configured to legitimately + bypass the consent process for purposes of automation. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ 
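Review bot: the `search` scalar in this hunk switches from a single-quoted YAML string with `''` escapes to a double-quoted one with `\"`, and it relies on an escaped line break (`...security_content_ctime(lastTime)`\` at the end of one line followed by `\ | `o365_admin_consent_bypassed_by_service_principal_filter`` on the next) to keep the final pipe separated by exactly one space; that construct is easy to get wrong when edited by hand, so please confirm the parsed `search` value is byte-identical before and after by diffing the loaded YAML values rather than the raw text. If the rewrap was produced by a YAML dumper, saying so in the PR description lets reviewers skip the manual string comparison on the remaining files.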
@@ -24,40 +41,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service principal $src_user$ bypassed the admin consent process and granted + permissions to $dest_user$ + risk_objects: + - field: dest_user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 60 - impact: 90 - message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ mitre_attack_id: - T1098.003 - observable: - - name: dest_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - Actor{}.ID - - ModifiedProperties{}.NewValue - - src_user - - dest_user - risk_score: 54 
security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml index e46058734e..fde6c3a0f8 100644 --- a/detections/cloud/o365_advanced_audit_disabled.yml +++ b/detections/cloud/o365_advanced_audit_disabled.yml 
@@ -1,16 +1,33 @@ name: O365 Advanced Audit Disabled id: 49862dd4-9cb2-4c48-a542-8c8a588d9361 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP data_source: - O365 Change user license. -description: The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise. -search: '`o365_management_activity` Operation="Change user license." | eval property_name = mvindex (''ExtendedProperties{}.Name'', 1) | search property_name = "extendedAuditEventCategory" | eval additionalDetails = mvindex(''ExtendedProperties{}.Value'',0) | eval split_value=split(additionalDetails, "NewValue") | eval possible_plan=mvindex(split_value, 1) | rex field="possible_plan" "DisabledPlans=\[(?P[^\]]+)\]" | search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed. 
+description: The following analytic detects instances where the O365 advanced audit + is disabled for a specific user within the Office 365 tenant. It uses O365 audit + logs, focusing on events related to audit license changes in AzureActiveDirectory + workloads. This activity is significant because the O365 advanced audit provides + critical logging and insights into user and administrator activities. Disabling + it can blind security teams to potential malicious actions. If confirmed malicious, + attackers could operate within the user's mailbox or account with reduced risk of + detection, leading to unauthorized data access, data exfiltration, or account compromise. +search: "`o365_management_activity` Operation=\"Change user license.\" | eval property_name + = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = \"extendedAuditEventCategory\"\ + \ | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, + \"NewValue\") | eval possible_plan=mvindex(split_value, 1) | rex field=\"possible_plan\"\ + \ \"DisabledPlans=\\[(?P[^\\]]+)\\]\" | search DisabledPlans IN (\"\ + *M365_ADVANCED_AUDITING*\") | stats min(_time) as firstTime max(_time) as lastTime + by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators might temporarily disable the advanced audit + for troubleshooting, performance reasons, or other administrative tasks. Filter + as needed. references: - https://attack.mitre.org/techniques/T1562/008/ - https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf 
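Review bot: in the `rex` of this hunk the named capture group renders without a group name (`(?P[^\]]+)`), yet the next stages are `search DisabledPlans IN ("*M365_ADVANCED_AUDITING*")` and `stats ... by Operation user object DisabledPlans`; please verify the committed file actually contains `(?P<DisabledPlans>[^\]]+)`, since without the name the `DisabledPlans` field is never populated and the search matches nothing. Separately, `mvindex ('ExtendedProperties{}.Name', 1)` assumes the audit category is always the second extended property; the block-user-consent detection later in this patch locates its property with `mvfind` on the `.Name` array, which is more robust and would be a good pattern to adopt here while the line is being touched.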
@@ -21,40 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Advanced auditing for user $object$ was disabled by $user$ + risk_objects: + - field: user + type: user + score: 32 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 80 - impact: 40 - message: Advanced auditing for user $object$ was disabled by $user$ mitre_attack_id: - T1562 - T1562.008 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 32 - required_fields: - - _time - - Operation - - ExtendedProperties{}.Name - - ExtendedProperties{}.Value - - user - - object security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml index 5eec413e79..0ecc7bab04 100644 --- a/detections/cloud/o365_application_available_to_other_tenants.yml +++ b/detections/cloud/o365_application_available_to_other_tenants.yml 
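Review bot: in the `rba` block of the o365_advanced_audit_disabled hunk above, the only risk object is `user` (the account that performed the "Change user license." operation), while the message identifies `$object$` as the user whose auditing was disabled; consider adding `object` as a second `risk_objects` entry of type `user`, as the ApplicationImpersonation hunk in this patch does for both `target_user` and `user`, so that risk accrues to the affected account as well as to the actor.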
@@ -1,15 +1,29 @@ name: O365 Application Available To Other Tenants id: 942548a3-0273-47a4-8dbd-e5202437395c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access of any data or capabilities the application is allowed to access. This detection leverages the O365 Universal Audit Log data source. +description: The following analytic identifies the configuration of Azure Active Directory + Applications in a manner that allows authentication from external tenants or personal + accounts. This configuration can lead to inappropriate or malicious access of any + data or capabilities the application is allowed to access. This detection leverages + the O365 Universal Audit Log data source. 
data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add application.","Update application.") ModifiedProperties{}.Name=AvailableToOtherTenants | eval result = case(match(mvindex(''ModifiedProperties{}.NewValue'',mvfind(''ModifiedProperties{}.Name'',"AvailableToOtherTenants")),"false"),"removed",true(),"added"), object_name=mvindex(''Target{}.ID'', 3), signature=Operation, object_attrs = "AvailableToOtherTenants", user = case(match(mvindex(''Actor{}.ID'',-1),"User"),mvindex(''Actor{}.ID'',0),match(mvindex(''Actor{}.ID'',-1),"ServicePrincipal"),mvindex(''Actor{}.ID'',3),true(),mvindex(''Actor{}.ID'',0)) | search result = "added" | stats values(ActorIpAddress) as src, count, min(_time) as firstTime, max(_time) as lastTime by signature, user, object, object_name, object_attrs, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_application_available_to_other_tenants_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+search: "`o365_management_activity` Workload=AzureActiveDirectory Operation IN (\"\ + Add application.\",\"Update application.\") ModifiedProperties{}.Name=AvailableToOtherTenants + | eval result = case(match(mvindex('ModifiedProperties{}.NewValue',mvfind('ModifiedProperties{}.Name',\"\ + AvailableToOtherTenants\")),\"false\"),\"removed\",true(),\"added\"), object_name=mvindex('Target{}.ID', + 3), signature=Operation, object_attrs = \"AvailableToOtherTenants\", user = case(match(mvindex('Actor{}.ID',-1),\"\ + User\"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),\"ServicePrincipal\"\ + ),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | search result = \"added\"\ + \ | stats values(ActorIpAddress) as src, count, min(_time) as firstTime, max(_time) + as lastTime by signature, user, object, object_name, object_attrs, result | `security_content_ctime(firstTime)`\ + \ | `security_content_ctime(lastTime)` | `o365_application_available_to_other_tenants_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: Business approved changes by known administrators. references: - https://attack.mitre.org/techniques/T1098/ 
@@ -21,47 +35,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An Azure Application [$object_name$] was configured by [$user$] as accessible + to external tenants. + risk_objects: + - field: user + type: user + score: 50 + threat_objects: + - field: object_name + type: service tags: analytic_story: - Azure Active Directory Persistence - Azure Active Directory Account Takeover - Data Exfiltration asset_type: O365 Tenant - confidence: 100 - impact: 50 - message: An Azure Application [$object_name$] was configured by [$user$] as accessible to external tenants. 
mitre_attack_id: - T1098.003 - T1098 - observable: - - name: user - type: User - role: - - Victim - - name: object_name - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - ModifiedProperties{}.NewValue - - ModifiedProperties{}.Name - - UserId - - Workload - - Target{}.ID - risk_score: 50 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml index a3051338f4..2dc6d1d411 100644 --- a/detections/cloud/o365_application_registration_owner_added.yml +++ b/detections/cloud/o365_application_registration_owner_added.yml 
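Review bot: in the `rba` block of the o365_application_available_to_other_tenants hunk above, `object_name` is declared as a threat object of type `service`, whereas the removed `observable` entry typed it `Other`; confirm that `service` is an accepted threat object type for the contentctl version this repository validates with and that an Azure application display name is the intended value for it, otherwise this is the one file in the patch whose validation will fail.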
@@ -1,16 +1,30 @@ name: O365 Application Registration Owner Added id: c068d53f-6aaa-4558-8011-3734df878266 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Add owner to application. -description: The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application." | eval app_id=mvindex(''ModifiedProperties{}.NewValue'', 0) | eval app_displayName=mvindex(''ModifiedProperties{}.NewValue'', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Application owners may be added for legitimate reasons, filter as needed. +description: The following analytic identifies instances where a new owner is assigned + to an application registration within an Azure AD and Office 365 tenant. It leverages + O365 audit logs, specifically events related to changes in owner assignments within + the AzureActiveDirectory workload. 
This activity is significant because assigning + a new owner to an application registration can grant significant control over the + application's configuration, permissions, and behavior. If confirmed malicious, + an attacker could modify the application's settings, permissions, and behavior, + leading to unauthorized data access, privilege escalation, or the introduction of + malicious behavior within the application's operations. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add + owner to application.\" | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) + | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) + as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, + object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Application owners may be added for legitimate reasons, filter + as needed. references: - https://attack.mitre.org/techniques/T1098/ - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners 
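Review bot: the `search` in this hunk computes `app_id=mvindex('ModifiedProperties{}.NewValue', 0)` and then never references it, and `values(ModifiedProperties{}.NewValue)` in the stats has no `as` alias, so the output column is literally named `values(ModifiedProperties{}.NewValue)`; either drop the `app_id` eval or add `app_id` to the `by` clause, and alias the values() to a readable name such as `new_values`. The rba message in this file keys on `$app_displayName$` and `$object$`, so neither change affects the risk message.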
@@ -20,40 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Application registration $app_displayName$ was assigned a new owner $object$ + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant atomic_guid: [] - confidence: 50 - impact: 60 - message: Application registration $app_displayName$ was assigned a new owner $object$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - time - - Workload - - Operation - - ModifiedProperties{}.NewValue - - user security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml index 752dae0b2b..777f8755aa 100644 --- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml +++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml 
@@ -1,68 +1,74 @@ name: O365 ApplicationImpersonation Role Assigned id: 49cdce75-f814-4d56-a7a4-c64ec3a481f2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 -description: The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization. -search: '`o365_management_activity` Workload=Exchange Operation="New-ManagementRoleAssignment" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed. +description: The following analytic detects the assignment of the ApplicationImpersonation + role in Office 365 to a user or application. It uses the Office 365 Management Activity + API to monitor Azure Active Directory audit logs for role assignment events. This + activity is significant because the ApplicationImpersonation role allows impersonation + of any user, enabling access to and modification of their mailbox. 
If confirmed + malicious, an attacker could gain unauthorized access to sensitive information, + manipulate mailbox data, and perform actions as a legitimate user, posing a severe + security risk to the organization. +search: '`o365_management_activity` Workload=Exchange Operation="New-ManagementRoleAssignment" Role=ApplicationImpersonation + | rename User as target_user | stats max(_time) as lastTime by Operation, user, + object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: While infrequent, the ApplicationImpersonation role may be + granted for leigimate reasons, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 - https://www.mandiant.com/media/17656 drilldown_searches: - name: View the detection results for - "$target_user$" and "$user$" - search: '%original_detection_search% | search target_user = "$target_user$" user = "$user$"' + search: '%original_detection_search% | search target_user = "$target_user$" user + = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$target_user$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$target_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from 
datamodel Risk.All_Risk | search normalized_risk_object IN ("$target_user$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $user$ granted the ApplicationImpersonation role to $target_user$ + risk_objects: + - field: target_user + type: user + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - Office 365 Collection Techniques - NOBELIUM Group asset_type: O365 Tenant - confidence: 70 - impact: 80 - message: $user$ granted the ApplicationImpersonation role to $target_user$ mitre_attack_id: - T1098 - T1098.002 - observable: - - name: target_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 - required_fields: - - _time - - Workload - - Operation - - Role - - user - - User - - object - - ObjectId security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.log source: O365 sourcetype: o365:management:activity 
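Review bot: the rewrapped `known_false_positives` line in this hunk carries over the typo `leigimate`; since the line is being rewritten anyway, change it to `legitimate`. Minor consistency point in the same hunk: `tests[].attack_data[].source` is `O365` here while every other detection in this patch uses `o365`.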
diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml index 950904c721..2adc72537f 100644 --- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml +++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml 
@@ -1,16 +1,33 @@ name: O365 Block User Consent For Risky Apps Disabled id: 12a23592-e3da-4344-8545-205d3290647c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Update authorization policy. -description: The following analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. It monitors Azure Active Directory logs for the "Update authorization policy" operation, specifically changes to the "AllowUserConsentForRiskyApps" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats, allowing users to grant consent to malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy." | eval index_number = if(mvfind(''ModifiedProperties{}.Name'', "AllowUserConsentForRiskyApps") >= 0, mvfind(''ModifiedProperties{}.Name'', "AllowUserConsentForRiskyApps"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex(''ModifiedProperties{}.NewValue'',index_number) | where AllowUserConsentForRiskyApps like "%true%" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization. +description: The following analytic detects when the "risk-based step-up consent" + security setting in Microsoft 365 is disabled. It monitors Azure Active Directory + logs for the "Update authorization policy" operation, specifically changes to the + "AllowUserConsentForRiskyApps" setting. This activity is significant because disabling + this feature can expose the organization to OAuth phishing threats, allowing users + to grant consent to malicious applications. If confirmed malicious, attackers could + gain unauthorized access to user data and sensitive information, leading to data + breaches and further compromise within the organization. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update + authorization policy.\" | eval index_number = if(mvfind('ModifiedProperties{}.Name', + \"AllowUserConsentForRiskyApps\") >= 0, mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\"\ + ), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) + | where AllowUserConsentForRiskyApps like \"%true%\" | stats count min(_time) as + firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, + user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_block_user_consent_for_risky_apps_disabled_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. 
+known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting + by administrators, perhaps as part of a policy update or security assessment, may + trigger this alert, necessitating verification of the change's intent and authorization. references: - https://attack.mitre.org/techniques/T1562/ - https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/ 
@@ -22,41 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Risk-based step-up consent security setting was disabled by $user$ + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant atomic_guid: [] - confidence: 50 - impact: 60 - message: Risk-based step-up consent security setting was disabled by $user$ mitre_attack_id: - T1562 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - Workload - - Operation - - ModifiedProperties{}.Name - - ModifiedProperties{}.NewValue - - user - - user_agent security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log source: O365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml index a299a27eab..6ad687a266 100644 --- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml +++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml 
@@ -1,16 +1,34 @@ name: O365 Bypass MFA via Trusted IP id: c783dd98-c703-4252-9e8a-f19d9f66949e -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. This activity is significant because adding trusted IPs can weaken the security posture by bypassing MFA, which is a critical security control. If confirmed malicious, this could lead to unauthorized access, compromising sensitive information and systems. Immediate investigation is required to validate the legitimacy of the IP addition. +description: The following analytic identifies instances where new IP addresses are + added to the trusted IPs list in Office 365, potentially allowing users from these + IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 + audit logs, specifically focusing on events related to the modification of trusted + IP settings. This activity is significant because adding trusted IPs can weaken + the security posture by bypassing MFA, which is a critical security control. If + confirmed malicious, this could lead to unauthorized access, compromising sensitive + information and systems. Immediate investigation is required to validate the legitimacy + of the IP addition. data_source: - O365 Set Company Information. -search: '`o365_management_activity` Operation="Set Company Information." 
ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | rex max_match=100 field=ModifiedProperties{}.OldValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,"0") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`' -how_to_implement: You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity -known_false_positives: Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration. +search: '`o365_management_activity` Operation="Set Company Information." ModifiedProperties{}.Name=StrongAuthenticationPolicy + | rex max_match=100 field=ModifiedProperties{}.NewValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" + | rex max_match=100 field=ModifiedProperties{}.OldValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" + | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,"0") | mvexpand + ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) + |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) + as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account + status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `o365_bypass_mfa_via_trusted_ip_filter`' +how_to_implement: You must install Splunk Microsoft Office 365 add-on. 
This search + works with o365:management:activity +known_false_positives: Unless it is a special case, it is uncommon to continually + update Trusted IPs to MFA configuration. references: - https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf - https://attack.mitre.org/techniques/T1562/007/ 
@@ -21,48 +39,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a + list of trusted IPs to bypass MFA + risk_objects: + - field: user_id + type: user + score: 42 + threat_objects: + - field: ip_addresses_new_added + type: ip_address tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA mitre_attack_id: - T1562.007 - T1562 - observable: - - name: ip_addresses_new_added - type: IP Address - role: - - Attacker - - name: user_id - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - 
_time - - signature - - ModifiedProperties{}.Name - - ModifiedProperties{}.NewValue - - ModifiedProperties{}.OldValue - - user - - vendor_account - - status - - user_id - - action - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml index a574fb11a8..74ff0f6355 100644 --- a/detections/cloud/o365_compliance_content_search_exported.yml +++ b/detections/cloud/o365_compliance_content_search_exported.yml 
@@ -1,15 +1,27 @@ name: O365 Compliance Content Search Exported id: 2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies when the results of a content search within the Office 365 Security and Compliance Center are exported. It uses the SearchExported operation from the SecurityComplianceCenter workload in the o365_management_activity data source. This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization's data security and compliance posture. -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Compliance content searche exports may be executed for legitimate purposes, filter as needed. +description: The following analytic identifies when the results of a content search + within the Office 365 Security and Compliance Center are exported. It uses the SearchExported + operation from the SecurityComplianceCenter workload in the o365_management_activity + data source. This activity is significant because exporting search results can involve + sensitive or critical organizational data, potentially leading to data exfiltration. 
+ If confirmed malicious, an attacker could gain access to and exfiltrate sensitive + information, posing a severe risk to the organization's data security and compliance + posture. +search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported" + | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Compliance content searche exports may be executed for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview 
@@ -21,41 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new compliance content search export was started by $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 70 - impact: 60 - message: A new compliance content search export was started by $user$ mitre_attack_id: - T1114 - T1114.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - ObjectId - - ExchangeLocations - - Query - - user_id - risk_score: 42 security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml index 664bb9390a..2b4440c1d1 100644 --- a/detections/cloud/o365_compliance_content_search_started.yml +++ b/detections/cloud/o365_compliance_content_search_started.yml 
@@ -1,15 +1,27 @@ name: O365 Compliance Content Search Started id: f4cabbc7-c19a-4e41-8be5-98daeaccbb50 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic detects when a content search is initiated within the Office 365 Security and Compliance Center. It leverages the SearchCreated operation from the o365_management_activity logs under the SecurityComplianceCenter workload. This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. If confirmed malicious, this could lead to unauthorized data access, potential data exfiltration, and compliance violations. Monitoring this behavior helps ensure the integrity and security of organizational data. -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Compliance content searches may be executed for legitimate purposes, filter as needed. +description: The following analytic detects when a content search is initiated within + the Office 365 Security and Compliance Center. It leverages the SearchCreated operation + from the o365_management_activity logs under the SecurityComplianceCenter workload. + This activity is significant as it may indicate an attempt to access sensitive organizational + data, including emails and documents. If confirmed malicious, this could lead to + unauthorized data access, potential data exfiltration, and compliance violations. 
+ Monitoring this behavior helps ensure the integrity and security of organizational + data. +search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated + | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Compliance content searches may be executed for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview 
@@ -21,41 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new compliance content search was started by $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 70 - impact: 60 - message: A new compliance content search was started by $user$ mitre_attack_id: - T1114 - T1114.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - ObjectId - - ExchangeLocations - - Query - - user_id - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml index ed89c8268f..ba6d73effc 100644 --- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml 
@@ -1,15 +1,26 @@ name: O365 Concurrent Sessions From Different Ips id: 58e034de-1f87-4812-9dc3-a4f68c7db930 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies user sessions in Office 365 accessed from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) phishing attacks. It detects this activity by analyzing Azure Active Directory logs for 'UserLoggedIn' operations and flags sessions with more than one associated IP address. This behavior is significant as it suggests unauthorized concurrent access, which is uncommon in normal usage. If confirmed malicious, the impact could include data theft, account takeover, and the launching of internal phishing campaigns, posing severe risks to organizational security. +description: The following analytic identifies user sessions in Office 365 accessed + from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) + phishing attacks. It detects this activity by analyzing Azure Active Directory logs + for 'UserLoggedIn' operations and flags sessions with more than one associated IP + address. This behavior is significant as it suggests unauthorized concurrent access, + which is uncommon in normal usage. If confirmed malicious, the impact could include + data theft, account takeover, and the launching of internal phishing campaigns, + posing severe risks to organizational security. data_source: - O365 UserLoggedIn -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn + | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) + as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1185/ 
@@ -21,44 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has logged in with the same session id from more than one unique + IP address + risk_objects: + - field: user + type: user + score: 42 + threat_objects: + - field: ips + type: ip_address tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: User $user$ has logged in with the same session id from more than one unique IP address mitre_attack_id: - T1185 - observable: - - name: user - type: User - role: - - Victim - - name: ips - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Workload - - src_ip - - user - - user_agent - risk_score: 42 security_domain: 
threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log sourcetype: o365:management:activity source: o365 - update_timestamp: true diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml index 3cf427f322..5b893b95eb 100644 --- a/detections/cloud/o365_cross_tenant_access_change.yml +++ b/detections/cloud/o365_cross_tenant_access_change.yml 
@@ -1,15 +1,28 @@ name: O365 Cross-Tenant Access Change id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. These policies should be considered sensitive and monitored for changes and/or loose configuration. +description: The following analytic identifies when cross-tenant access/synchronization + policies are changed in an Azure tenant. Adversaries have been observed altering + victim cross-tenant policies as a method of lateral movement or maintaining persistent + access to compromised environments. These policies should be considered sensitive + and monitored for changes and/or loose configuration. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add a partner to cross-tenant access setting.","Delete partner specific cross-tenant access setting.") | eval user = case(match(mvindex(''Actor{}.ID'',-1),"User"),mvindex(''Actor{}.ID'',0),match(mvindex(''Actor{}.ID'',-1),"ServicePrincipal"),mvindex(''Actor{}.ID'',3),true(),mvindex(''Actor{}.ID'',0)) | stats values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) as firstTime, max(_time) as lastTime by Id,user,Operation | rename Operation as signature, Id as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_cross_tenant_access_change_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+search: "`o365_management_activity` Workload=AzureActiveDirectory Operation IN (\"\ + Add a partner to cross-tenant access setting.\",\"Delete partner specific cross-tenant + access setting.\") | eval user = case(match(mvindex('Actor{}.ID',-1),\"User\"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),\"\ + ServicePrincipal\"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | stats + values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) + as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) + as firstTime, max(_time) as lastTime by Id,user,Operation | rename Operation as + signature, Id as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_cross_tenant_access_change_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: Business approved changes by known administrators. references: - https://attack.mitre.org/techniques/T1484/002/ 
@@ -22,43 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user [$user$] changed the Azure cross-tenant access settings for $object_name$ + $object_attrs$ [$signature$] + risk_objects: + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: O365 Tenant - confidence: 75 - impact: 75 - message: The user [$user$] changed the Azure cross-tenant access settings for $object_name$ $object_attrs$ [$signature$] mitre_attack_id: - T1484.002 - observable: - - name: user - type: User - role: - - Victim - - name: object_attrs - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - ModifiedProperties{}.NewValue - - 
ModifiedProperties{}.Name - - UserId - - Workload - risk_score: 75 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml index 0def1549eb..94f658103a 100644 --- a/detections/cloud/o365_disable_mfa.yml +++ b/detections/cloud/o365_disable_mfa.yml 
@@ -1,16 +1,30 @@ name: O365 Disable MFA id: c783dd98-c703-4252-9e8a-f19d9f5c949e -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to MFA settings. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. If confirmed malicious, this activity could indicate an attacker attempting to maintain persistence or an insider threat, significantly increasing the risk of unauthorized access. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. +description: The following analytic identifies instances where Multi-Factor Authentication + (MFA) is disabled for a user within the Office 365 environment. It leverages O365 + audit logs, specifically focusing on events related to MFA settings. Disabling MFA + removes a critical security layer, making accounts more vulnerable to unauthorized + access. If confirmed malicious, this activity could indicate an attacker attempting + to maintain persistence or an insider threat, significantly increasing the risk + of unauthorized access. Immediate investigation is required to validate the reason + for disabling MFA, potentially re-enable it, and assess any other suspicious activities + related to the affected account. data_source: - O365 Disable Strong Authentication. -search: '`o365_management_activity` Operation="Disable Strong Authentication." 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity -known_false_positives: Unless it is a special case, it is uncommon to disable MFA or Strong Authentication +search: '`o365_management_activity` Operation="Disable Strong Authentication." | stats + count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation + UserId ResultStatus object | rename UserType AS user_type, Operation AS action, + UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 add-on. This search + works with o365:management:activity +known_false_positives: Unless it is a special case, it is uncommon to disable MFA + or Strong Authentication references: - https://attack.mitre.org/techniques/T1556/ drilldown_searches: 
@@ -19,41 +33,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $src_user$ has executed an operation $action$ for user $user$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 80 - impact: 80 - message: User $src_user$ has executed an operation $action$ for user $user$ mitre_attack_id: - T1556 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserType - - user - - status - - signature - - dest - - ResultStatus - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_dlp_rule_triggered.yml b/detections/cloud/o365_dlp_rule_triggered.yml index bcb32a9ba3..16fcaaf2ee 100644 --- a/detections/cloud/o365_dlp_rule_triggered.yml +++ b/detections/cloud/o365_dlp_rule_triggered.yml 
@@ -1,16 +1,35 @@ name: O365 DLP Rule Triggered id: 63a8a537-36fd-4aac-a3ea-1a96afd2c871 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when Microsoft Office 365 Data Loss Prevention (DLP) rules have been triggered. DLP rules can be configured for any number of security, regulatory, or business compliance reasons, as such this analytic will only be as accurate as the upstream DLP configuration. Detections from this analytic should be evaluated thoroughly to determine what, if any, security relevance the underlying DLP events contain. +description: The following analytic detects when Microsoft Office 365 Data Loss Prevention + (DLP) rules have been triggered. DLP rules can be configured for any number of security, + regulatory, or business compliance reasons, as such this analytic will only be as + accurate as the upstream DLP configuration. Detections from this analytic should + be evaluated thoroughly to determine what, if any, security relevance the underlying + DLP events contain. 
data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Operation=DLPRuleMatch | eval recipient = ''ExchangeMetaData.To{}'', signature_id = ''ExchangeMetaData.UniqueID'', signature = ''PolicyDetails{}.Rules{}.RuleName'' , src_user = UserId, reason =''PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName'', result=''PolicyDetails{}.Rules{}.Actions{}'', file_name=case(NOT match(''PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location'',"Message Body"),''PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location'') | stats min(_time) as firstTime max(_time) as lastTime values(signature) as signature values(file_name) as file_name values(ExchangeMetaData.Subject) AS subject values(Workload) as app values(result) as result by src_user,recipient,signature_id,reason | `o365_dlp_rule_triggered_filter` | stats count min(firstTime) as firstTime max(lastTime) as lastTime values(*) AS * by src_user,signature_id | eval action = CASE(match(result,"Halt"),"blocked",isnotnull(result),"alert",true(),"allow") |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must deploy DLP rules through O365 security and compliance functions. -known_false_positives: WIll depending on accuracy of DLP rules, these can be noisy so tune appropriately. 
+search: "`o365_management_activity` Operation=DLPRuleMatch | eval recipient = 'ExchangeMetaData.To{}', + signature_id = 'ExchangeMetaData.UniqueID', signature = 'PolicyDetails{}.Rules{}.RuleName' + , src_user = UserId, reason ='PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName', + result='PolicyDetails{}.Rules{}.Actions{}', file_name=case(NOT match('PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location',\"\ + Message Body\"),'PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location') + | stats min(_time) as firstTime max(_time) as lastTime values(signature) as signature + values(file_name) as file_name values(ExchangeMetaData.Subject) AS subject values(Workload) + as app values(result) as result by src_user,recipient,signature_id,reason | `o365_dlp_rule_triggered_filter` + | stats count min(firstTime) as firstTime max(lastTime) as lastTime values(*) AS + * by src_user,signature_id | eval action = CASE(match(result,\"Halt\"),\"blocked\"\ + ,isnotnull(result),\"alert\",true(),\"allow\") |`security_content_ctime(firstTime)`\ + \ |`security_content_ctime(lastTime)`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. You must deploy DLP rules through O365 security + and compliance functions. +known_false_positives: WIll depending on accuracy of DLP rules, these can be noisy + so tune appropriately. references: - https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp drilldown_searches: 
@@ -19,47 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $src_user$ triggered a Microsoft Office DLP rule. + risk_objects: + - field: src_user + type: user + score: 20 + threat_objects: + - field: recipient + type: email_address tags: analytic_story: - Data Exfiltration asset_type: O365 Tenant - confidence: 50 - impact: 40 - message: User $src_user$ triggered a Microsoft Office DLP rule. 
mitre_attack_id: - T1048 - T1567 - observable: - - name: src_user - type: User - role: - - Victim - - name: recipient - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - ExchangeMetaData.To{} - - ExchangeMetaData.UniqueID - - PolicyDetails{}.Rules{}.RuleName - - UserId - - PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName - - PolicyDetails{}.Rules{}.Actions{} - - PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location - risk_score: 20 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml index acf769c285..361a0b8cf7 100644 --- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml +++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml 
@@ -1,15 +1,28 @@ name: O365 Elevated Mailbox Permission Assigned id: 2246c142-a678-45f8-8546-aaed7e0efd30 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Patrick Bareiss, Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk. -search: '`o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed. +description: The following analytic identifies the assignment of elevated mailbox + permissions in an Office 365 environment via the Add-MailboxPermission operation. + It leverages logs from the Exchange workload in the o365_management_activity data + source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. 
+ This activity is significant as it indicates potential unauthorized access or control + over mailboxes, which could lead to data exfiltration or privilege escalation. If + confirmed malicious, attackers could gain extensive access to sensitive email data + and potentially manipulate mailbox settings, posing a severe security risk. +search: '`o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission + | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) + | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: FullAccess mailbox delegation may be assigned for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission 
@@ -20,41 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Elevated mailbox permissions were assigned on $dest_user$ + risk_objects: + - field: dest_user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 70 - impact: 60 - message: Elevated mailbox permissions were assigned on $dest_user$ mitre_attack_id: - T1098 - T1098.002 - observable: - - name: dest_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - AccessRights - - user - - src_user - - dest_user - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json source: o365:management:activity sourcetype: o365:management:activity diff --git a/detections/cloud/o365_email_access_by_security_administrator.yml b/detections/cloud/o365_email_access_by_security_administrator.yml index ef2bfd498a..99d7b99204 100644 --- a/detections/cloud/o365_email_access_by_security_administrator.yml +++ b/detections/cloud/o365_email_access_by_security_administrator.yml 
@@ -1,16 +1,26 @@ name: O365 Email Access By Security Administrator id: c6998a30-fef4-4e89-97ac-3bb0123719b4 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when a user with sufficient access to O365 Security & Compliance portal uses premium investigation features (Threat Explorer) to directly view email. Adversaries may exploit privileged access with this premium feature to enumerate or exfiltrate sensitive data. +description: The following analytic identifies when a user with sufficient access + to O365 Security & Compliance portal uses premium investigation features (Threat + Explorer) to directly view email. Adversaries may exploit privileged access with + this premium feature to enumerate or exfiltrate sensitive data. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminMailAccess | stats values(Workload) as category, values(MailboxId) as user, values(Operation) as signature, count, min(_time) as firstTime, max(_time) as lastTime by InternetMessageId, UserId | rename InternetMessageId as signature_id, UserId as src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_access_by_security_administrator_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Threat Explorer is a premium feature with o365, logging may not be available with proper license. -known_false_positives: Legitamate access by security administators for incident response measures. 
+search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminMailAccess + | stats values(Workload) as category, values(MailboxId) as user, values(Operation) + as signature, count, min(_time) as firstTime, max(_time) as lastTime by InternetMessageId, + UserId | rename InternetMessageId as signature_id, UserId as src_user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_email_access_by_security_administrator_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. Threat Explorer is a premium feature with + o365, logging may not be available with proper license. +known_false_positives: Legitamate access by security administators for incident response + measures. references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide drilldown_searches: 
@@ -19,51 +29,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A security administrator $src_user$ accessed email messages for $user$ + risk_objects: + - field: user + type: user + score: 25 + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Data Exfiltration - Azure Active Directory Account Takeover - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: A security administrator $src_user$ accessed email messages for $user$ mitre_attack_id: - T1567 - T1114 - T1114.002 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim - - name: signature_id - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk 
Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - MailboxId - - InternetMessageId - - UserId - risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml index 91581c52fe..0a5d4aa0fa 100644 --- a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml 
@@ -1,15 +1,26 @@ name: O365 Email Reported By Admin Found Malicious id: 94396c3e-7728-422a-9956-e4b77b53dbdf -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic detects when an email manually submitted to Microsoft through the Security & Compliance portal is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by administrative users to report potentially malicious emails. This correlation looks for any submission that returns a Phish or Malware verdict upon submission. +description: The following analytic detects when an email manually submitted to Microsoft + through the Security & Compliance portal is found to be malicious. This capability + is an enhanced protection feature that can be used within o365 tenants by administrative + users to report potentially malicious emails. This correlation looks for any submission + that returns a Phish or Malware verdict upon submission. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminSubmission | search RescanVerdict IN (Phish,Malware) | stats values(Subject) as subject, values(RescanVerdict) as result, values(SenderIP) as src, values(P2Sender) as sender, values(P1Sender) as src_user, values(Recipients{}) as user, count min(_time) as firstTime, max(_time) as lastTime, by Id,Operation,UserId | rename Name as signature, Id as signature_id, UserId as o365_adminuser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_reported_by_admin_found_malicious_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity +search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminSubmission + | search RescanVerdict IN (Phish,Malware) | stats values(Subject) as subject, values(RescanVerdict) + as result, values(SenderIP) as src, values(P2Sender) as sender, values(P1Sender) + as src_user, values(Recipients{}) as user, count min(_time) as firstTime, max(_time) + as lastTime, by Id,Operation,UserId | rename Name as signature, Id as signature_id, + UserId as o365_adminuser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_email_reported_by_admin_found_malicious_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity known_false_positives: Administrators that submit known phishing training exercises. references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide 
@@ -19,48 +30,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: O365 security admin $o365_adminuser$ manually reported a suspicious email + from $src_user$ + risk_objects: + - field: src_user + type: user + score: 50 + - field: user + type: user + score: 50 + threat_objects: + - field: subject + type: email_subject tags: analytic_story: - Spearphishing Attachments - Suspicious Emails asset_type: O365 Tenant - confidence: 100 - impact: 50 - message: O365 security admin $o365_adminuser$ manually reported a suspicious email from $src_user$ mitre_attack_id: - T1566 - T1566.001 - T1566.002 - observable: - - name: src_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim - - name: subject - type: Other - role: - - Attacker product: 
- Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Id - - Operation - - UserId - risk_score: 50 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_email_reported_by_user_found_malicious.yml b/detections/cloud/o365_email_reported_by_user_found_malicious.yml index 5028496a5a..edbf3a10b7 100644 --- a/detections/cloud/o365_email_reported_by_user_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_user_found_malicious.yml 
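Review bot: `message: O365 security admin $o365_adminuser$ manually reported a suspicious email from $src_user$` interpolates `$o365_adminuser$`, which is neither a `risk_objects` nor a `threat_objects` field in this `rba` block, and the search that would have to emit it sits outside this hunk; confirm the unchanged search still produces `o365_adminuser` after the migration, otherwise the risk message renders with the literal token. The score carry-over is consistent: the removed `confidence: 100` and `impact: 50` gave `risk_score: 50`, matching `score: 50` on both `src_user` and `user`.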
@@ -1,15 +1,29 @@ name: O365 Email Reported By User Found Malicious id: 7698b945-238e-4bb9-b172-81f5ca1685a1 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic detects when an email submitted to Microsoft using the built-in report button in Outlook is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by users to report potentially malicious emails. This correlation looks for any submission that returns a Phish or Malware verdict upon submission. +description: The following analytic detects when an email submitted to Microsoft using + the built-in report button in Outlook is found to be malicious. This capability + is an enhanced protection feature that can be used within o365 tenants by users + to report potentially malicious emails. This correlation looks for any submission + that returns a Phish or Malware verdict upon submission. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name="Email reported by user as*" | fromjson Data | rename _raw AS temp etps AS _raw | extract pairdelim=";" kvdelim=":" | rename _raw AS etps temp AS _raw | search RescanVerdict IN (Phish,Malware) | rex field=tsd "\<(?.+)\>" | eval src_user = case(isnull(src_user),tsd,true(),src_user) | stats count min(_time) as firstTime max(_time) as lastTime values(ms) as subject values(RescanVerdict) as result values(tsd) as sender values(src_user) as src_user by AlertId,AlertEntityId,Operation,Name | rename Name as signature, AlertId as signature_id, AlertEntityId as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_reported_by_user_found_malicious_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
You must deploy/allow the usage of the Microsoft Office Report A Message function. +search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated + Name="Email reported by user as*" | fromjson Data | rename _raw AS temp etps AS + _raw | extract pairdelim=";" kvdelim=":" | rename _raw AS etps temp AS _raw | search + RescanVerdict IN (Phish,Malware) | rex field=tsd "\<(?.+)\>" | eval src_user + = case(isnull(src_user),tsd,true(),src_user) | stats count min(_time) as firstTime + max(_time) as lastTime values(ms) as subject values(RescanVerdict) as result values(tsd) + as sender values(src_user) as src_user by AlertId,AlertEntityId,Operation,Name | + rename Name as signature, AlertId as signature_id, AlertEntityId as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_email_reported_by_user_found_malicious_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. You must deploy/allow the usage of the Microsoft + Office Report A Message function. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide 
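Review bot: the reflowed search contains `rex field=tsd "\<(?.+)\>"`, an unnamed group `(?.+)`, which is not a valid regex, and the `eval src_user = case(isnull(src_user),tsd,true(),src_user)` right after it only makes sense if that rex populates `src_user`, i.e. `(?<src_user>.+)`. The removed line shows the same text, so if the diff viewer is simply dropping the angle brackets this can be ignored; if the file really has no group name, the rex will fail at search time and `src_user` never gets set. Worth a `contentctl validate`/test run on this file rather than assuming the reflow was purely cosmetic.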
@@ -19,53 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ reported an email classified as $result$ from $src_user$ + risk_objects: + - field: src_user + type: user + score: 75 + - field: user + type: user + score: 75 + threat_objects: + - field: subject + type: email_subject tags: analytic_story: - Spearphishing Attachments - Suspicious Emails asset_type: O365 Tenant - confidence: 100 - impact: 75 - message: The user $user$ reported an email classified as $result$ from $src_user$ mitre_attack_id: - T1566 - T1566.001 - T1566.002 - observable: - - name: src_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim - - name: subject - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk 
Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - Name - - Data - - AlertId - - AlertEntityId - - tsd - - etps - risk_score: 75 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_email_security_feature_changed.yml b/detections/cloud/o365_email_security_feature_changed.yml index ef1b501212..9afe560662 100644 --- a/detections/cloud/o365_email_security_feature_changed.yml +++ b/detections/cloud/o365_email_security_feature_changed.yml 
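Review bot: in this detection `src_user` is the sender of the reported mail (`values(tsd) as sender values(src_user) as src_user`, with `src_user` falling back to `tsd`), i.e. the phishing source, yet the new `rba` block scores it at 75 as a `user` risk object next to the reporting `user`. The removed `observable` block had the same shape (both as `Victim`), but since this PR is the schema migration it is the right place to decide whether the sender belongs under `threat_objects` alongside `subject` rather than accruing risk as though it were an internal identity; as written, every reported phish pushes 75 points onto an external address that will never resolve in the identity lookup.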
@@ -1,16 +1,26 @@ name: O365 Email Security Feature Changed id: 4d28013d-3a0f-4d65-a33f-4e8009fee0ae -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when specific O365 advanced security settings are altered within the Office 365 tenant. If an attacker successfully disables O365 security settings, they can operate within the tenant with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. +description: The following analytic identifies when specific O365 advanced security + settings are altered within the Office 365 tenant. If an attacker successfully disables + O365 security settings, they can operate within the tenant with reduced risk of + detection. This can lead to unauthorized data access, data exfiltration, account + compromise, or other malicious activities without leaving a detailed audit trail. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") Operation IN ("*AntiPhish*","*SafeLink*","*SafeAttachment*","*Malware*") | stats values(ObjectId) as object, min(_time) as firstTime, max(_time) as lastTime, count by Id, UserId, Operation | rename Id as object_id, UserId as user, Operation as signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_security_feature_changed_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators might alter features for troubleshooting, performance reasons, or other administrative tasks. Filter as needed. 
+search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") + Operation IN ("*AntiPhish*","*SafeLink*","*SafeAttachment*","*Malware*") | stats + values(ObjectId) as object, min(_time) as firstTime, max(_time) as lastTime, count by + Id, UserId, Operation | rename Id as object_id, UserId as user, Operation as signature + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_security_feature_changed_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators might alter features for troubleshooting, performance + reasons, or other administrative tasks. Filter as needed. references: - https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults - https://attack.mitre.org/techniques/T1562/008/ 
@@ -20,41 +30,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An O365 security object [$object$] was altered by user $user$ using $signature$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 25 - impact: 100 - message: An O365 security object [$object$] was altered by user $user$ using $signature$ mitre_attack_id: - T1562 - T1562.008 - T1562.001 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Id - - UserId - - Operation - - Workload - risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_email_suspicious_behavior_alert.yml b/detections/cloud/o365_email_suspicious_behavior_alert.yml index f6040c0403..f6770028e1 100644 --- a/detections/cloud/o365_email_suspicious_behavior_alert.yml +++ b/detections/cloud/o365_email_suspicious_behavior_alert.yml 
@@ -1,16 +1,29 @@ name: O365 Email Suspicious Behavior Alert id: 85c7555a-05af-4322-81aa-76b4ddf52baa -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when one of O365 the built-in security detections for suspicious email behaviors are triggered. These alerts often indicate that an attacker may have compromised a mailbox within the environment. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities further enhance these detection and response functions. +description: The following analytic identifies when one of O365 the built-in security + detections for suspicious email behaviors are triggered. These alerts often indicate + that an attacker may have compromised a mailbox within the environment. Any detections + from built-in Office 365 capabilities should be monitored and responded to appropriately. + Certain premium Office 365 capabilities further enhance these detection and response + functions. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name IN ("Suspicious email sending patterns detected","User restricted from sending email","Suspicious Email Forwarding Activity","Email sending limit exceeded") | fromjson Data | stats count min(_time) as firstTime max(_time) as lastTime by AlertId,ObjectId,Operation,Name | rename Name as signature, AlertId as signature_id, ObjectId as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_suspicious_behavior_alert_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The alerts must be enabled in the o365 security portal. 
-known_false_positives: Users emailing for legitimate business purposes that appear suspicious. +search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated + Name IN ("Suspicious email sending patterns detected","User restricted from sending + email","Suspicious Email Forwarding Activity","Email sending limit exceeded") | + fromjson Data | stats count min(_time) as firstTime max(_time) as lastTime by AlertId,ObjectId,Operation,Name + | rename Name as signature, AlertId as signature_id, ObjectId as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_email_suspicious_behavior_alert_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. The alerts must be enabled in the o365 security + portal. +known_false_positives: Users emailing for legitimate business purposes that appear + suspicious. references: - https://learn.microsoft.com/en-us/purview/alert-policies drilldown_searches: 
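Review bot: the rewritten description still carries the word-order slip from the removed line, `identifies when one of O365 the built-in security detections for suspicious email behaviors are triggered`; since the sentence is being rewritten anyway, make it `identifies when one of the O365 built-in security detections for suspicious email behaviors is triggered` (`are` also disagrees with `one`).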
@@ -19,42 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ triggered the O365 security alert [$signature$] + risk_objects: + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Suspicious Emails - Office 365 Collection Techniques - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 100 - impact: 90 - message: The user $user$ triggered the O365 security alert [$signature$] mitre_attack_id: - T1114 - T1114.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - AlertId - - ObjectId - - Operation - - Name - - Workload - risk_score: 90 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml index e54e26d134..1d5109fda8 100644 --- a/detections/cloud/o365_excessive_authentication_failures_alert.yml +++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml 
@@ -1,15 +1,28 @@ name: O365 Excessive Authentication Failures Alert id: d441364c-349c-453b-b55f-12eccab67cf9 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: Anomaly -description: The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment. +description: The following analytic identifies an excessive number of authentication + failures, including failed attempts against MFA prompt codes. It uses data from + the `o365_management_activity` dataset, focusing on events where the authentication + status is marked as failure. This behavior is significant as it may indicate a brute + force attack or an attempt to compromise user accounts. If confirmed malicious, + this activity could lead to unauthorized access, data breaches, or further exploitation + within the environment. data_source: [] -search: '`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity -known_false_positives: The threshold for alert is above 10 attempts and this should reduce the number of false positives. +search: '`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* + status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime + values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS + UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count + > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_excessive_authentication_failures_alert_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity +known_false_positives: The threshold for alert is above 10 attempts and this should + reduce the number of false positives. references: - https://attack.mitre.org/techniques/T1110/ drilldown_searches: 
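Review bot: `data_source: []` is left empty here while the other O365 detections in this PR declare `O365 Universal Audit Log` or `Office 365 Universal Audit Log` (and the next file uses `O365 UserLoginFailed`); `how_to_implement` says the search runs on `o365:management:activity`, so populate `data_source` and settle on one spelling across the O365 files so the generated docs and contentctl data-source checks line up. Minor, in the rewritten `how_to_implement`: `install splunk Microsoft Office 365 add-on` should read `install the Splunk Microsoft Office 365 Add-on`, matching the wording used in the other files.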
@@ -18,44 +31,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has caused excessive number of authentication failures from + $src_ip$ using UserAgent $UserAgent$. + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 80 - impact: 80 - message: User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$. 
mitre_attack_id: - T1110 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - UserAuthenticationMethod - - status - - UserAgent - - src_ip - - user - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml index 16596fc2bf..0d47e6d383 100644 --- a/detections/cloud/o365_excessive_sso_logon_errors.yml +++ b/detections/cloud/o365_excessive_sso_logon_errors.yml 
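Review bot: the new `rba.message` reads `has caused excessive number of authentication failures`; add the article (`an excessive number`) while the line is new. The score math checks out (`confidence: 80` x `impact: 80` / 100 = 64 = `score: 64`). Note that `$UserAgent$` and `$src_ip$` come from `values(UserAgent)` / `values(src_ip)` in the search, so both can be multi-valued and the message will list several agents and addresses when a brute-force source rotates them; that is acceptable, but the `threat_objects` entry on `src_ip` will then carry a multi-value field.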
@@ -1,16 +1,28 @@ name: O365 Excessive SSO logon errors id: 8158ccc4-6038-11eb-ae93-0242ac130002 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: Anomaly -description: The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization. +description: The following analytic detects accounts experiencing a high number of + Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` + dataset, focusing on failed user login attempts with SSO errors. This activity is + significant as it may indicate brute-force attempts or the hijacking/reuse of SSO + tokens. If confirmed malicious, attackers could potentially gain unauthorized access + to user accounts, leading to data breaches, privilege escalation, or further lateral + movement within the organization. data_source: - O365 UserLoginFailed -search: '`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. 
This search works with o365:management:activity -known_false_positives: Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack. +search: '`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* + Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime + values(user) as user by src_ip signature user_agent authentication_service action| + where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_excessive_sso_logon_errors_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity +known_false_positives: Logon errors may not be malicious in nature however it may + indicate attempts to reuse a token or password obtained via credential access attack. references: - https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ drilldown_searches: 
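Review bot: the reflowed `known_false_positives` keeps the run-on `Logon errors may not be malicious in nature however it may indicate attempts ...`; since the line is rewritten, split it (`... in nature; however, they may indicate ...`). Same nit as the previous file on `install splunk Microsoft Office 365 add-on`. Purely cosmetic, `action| where count >= 5` is missing the space before the pipe.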
@@ -19,49 +31,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover - Cloud Federated Credential Abuse asset_type: O365 Tenant - confidence: 80 - impact: 80 - message: Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. 
mitre_attack_id: - T1556 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - src_ip - - Workload - - LogonError - - ActorIpAddress - - UserAgent - - UserId - - authentication_service - - authentication_method - - Operation - risk_score: 64 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors2.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors2.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml index bf5f60864d..91b1363e09 100644 --- a/detections/cloud/o365_external_guest_user_invited.yml +++ b/detections/cloud/o365_external_guest_user_invited.yml 
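Review bot: `rba.message` names `$src_ip$` and `$user_agent$` but not `$user$`, even though `user` is the only entry in `risk_objects` and therefore the identity that receives the 64 points; include `$user$` so the risk event and any notable say which account the SSO errors were against. Related: `user` is produced by `values(user) as user` grouped by `src_ip signature user_agent authentication_service action`, so it can be multi-valued per result and the risk object field will be too; check that this is the intended aggregation before the score is attached to it.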
@@ -1,16 +1,34 @@ name: O365 External Guest User Invited id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source. +description: The following analytic identifies the invitation of an external guest + user within Azure AD. With Azure AD B2B collaboration, users and administrators + can invite external users to collaborate with internal users. External guest account + invitations should be monitored by security teams as they could potentially lead + to unauthorized access. An example of this attack vector was described at BlackHat + 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking + Azure AD Accounts by Abusing External Identities`. This detection leverages the + Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data + source. 
data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]" | eval user = (mvindex(''ModifiedProperties{}.NewValue'',5)), src_user = case(match(mvindex(''Actor{}.ID'',-1),"User"),mvindex(''Actor{}.ID'',0),match(mvindex(''Actor{}.ID'',-1),"ServicePrincipal"),mvindex(''Actor{}.ID'',3),true(),mvindex(''Actor{}.ID'',0)) | rex field=user "(?[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})" | stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user | rename Operation as signature, Id as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_external_guest_user_invited_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrator may legitimately invite external guest users. Filter as needed. 
+search: "`o365_management_activity` Workload=AzureActiveDirectory AND Operation=\"\ + Add user*\" AND ModifiedProperties{}.NewValue=\"[*Guest*]\" AND ModifiedProperties{}.NewValue=\"\ + [*Invitation*]\" | eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user + = case(match(mvindex('Actor{}.ID',-1),\"User\"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),\"\ + ServicePrincipal\"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | rex + field=user \"(?[\\\\w\\\\.-]+@[\\\\w-]+\\\\.[\\\\w-]{2,4})\" | stats values(user) + as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user + | rename Operation as signature, Id as signature_id | `security_content_ctime(firstTime)`\ + \ | `security_content_ctime(lastTime)` | `o365_external_guest_user_invited_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrator may legitimately invite external guest users. + Filter as needed. references: - https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf - https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999 
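Review bot: the search string switched from YAML single quotes to double quotes, which changes the escaping rules: `''ModifiedProperties{}.NewValue''` becomes `'ModifiedProperties{}.NewValue'` and `\\w` becomes `\\\\w`. Both forms unescape to the same SPL (`'` and `\\w`), so the rendered search should be byte-identical, but please confirm with the contentctl output or a round-trip, because a missed backslash here silently changes the regex rather than failing validation. Two carry-overs in the rewritten lines: the rex group `(?[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})` shows no group name (the `stats values(user) as user` after it suggests `(?<user>...)`, unless the viewer stripped the brackets), and `during his tall` in the description should be `during his talk`.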
@@ -22,44 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Azure Guest User $user$ invited by $src_user$ + risk_objects: + - field: user + type: user + score: 25 + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: Azure Guest User $user$ invited by $src_user$ mitre_attack_id: - T1136.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - ModifiedProperties{}.NewValue - - ModifiedProperties{}.Name - - UserId - - Id - - Workload - 
risk_score: 25 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml index 068b20814a..8e0c76ddf5 100644 --- a/detections/cloud/o365_external_identity_policy_changed.yml +++ b/detections/cloud/o365_external_identity_policy_changed.yml 
@@ -1,15 +1,40 @@ name: O365 External Identity Policy Changed id: 29af1725-7a72-4d2d-8a18-e697e79a62d3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when changes are made to the external guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. This detection also attempts to highlight what may have changed. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. +description: The following analytic identifies when changes are made to the external + guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators + can invite external users to collaborate with internal users. This detection also + attempts to highlight what may have changed. External guest account invitations + should be monitored by security teams as they could potentially lead to unauthorized + access. An example of this attack vector was described at BlackHat 2022 by security + researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts + by Abusing External Identities`. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update policy." 
Target{}.ID="B2BManagementPolicy" | eval object_attrs = mvindex(''ModifiedProperties{}.NewValue'',0), object_attrs_old = mvindex(''ModifiedProperties{}.OldValue'',0), object_name = mvindex(''Target{}.ID'',3), signature=Operation, user = case(match(mvindex(''Actor{}.ID'',-1),"User"),mvindex(''Actor{}.ID'',0),match(mvindex(''Actor{}.ID'',-1),"ServicePrincipal"),mvindex(''Actor{}.ID'',3),true(),mvindex(''Actor{}.ID'',0)) | spath input=object_attrs_old output=B2BOld path={} | spath input=B2BOld | rename B2BManagementPolicy.* as B2BManagementPolicyOld.* | spath input=object_attrs output=B2BNew path={} | spath input=B2BNew | eval object_attrs = ''B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}'' , object_attrs_old = ''B2BManagementPolicyOld.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}'' | eval diff_add=mvmap(object_attrs,if(isnull(mvfind(object_attrs_old,object_attrs)),object_attrs,null)) | eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs,object_attrs_old)),object_attrs_old,null)) | eval result = case(isnotnull(diff_add),"Added ".mvjoin(diff_add,","),isnotnull(diff_remove),"Removed ".mvjoin(diff_remove,",")), action = case(isnotnull(diff_add),"created",isnotnull(diff_remove),"deleted") | stats values(object_attrs) as object_attrs, values(action) as action, values(result) as result, values(B2BManagementPolicy*) as B2BManagementPolicy*, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,object_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_external_identity_policy_changed_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update + policy.\" Target{}.ID=\"B2BManagementPolicy\" | eval object_attrs = mvindex('ModifiedProperties{}.NewValue',0), + object_attrs_old = mvindex('ModifiedProperties{}.OldValue',0), object_name = mvindex('Target{}.ID',3), + signature=Operation, user = case(match(mvindex('Actor{}.ID',-1),\"User\"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),\"\ + ServicePrincipal\"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | spath + input=object_attrs_old output=B2BOld path={} | spath input=B2BOld | rename B2BManagementPolicy.* + as B2BManagementPolicyOld.* | spath input=object_attrs output=B2BNew path={} | spath + input=B2BNew | eval object_attrs = 'B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}' + , object_attrs_old = 'B2BManagementPolicyOld.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}' + | eval diff_add=mvmap(object_attrs,if(isnull(mvfind(object_attrs_old,object_attrs)),object_attrs,null)) + | eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs,object_attrs_old)),object_attrs_old,null)) + | eval result = case(isnotnull(diff_add),\"Added \".mvjoin(diff_add,\",\"),isnotnull(diff_remove),\"\ + Removed \".mvjoin(diff_remove,\",\")), action = case(isnotnull(diff_add),\"created\"\ + ,isnotnull(diff_remove),\"deleted\") | stats values(object_attrs) as object_attrs, + values(action) as action, values(result) as result, values(B2BManagementPolicy*) + as B2BManagementPolicy*, count, min(_time) as firstTime, max(_time) as lastTime + by user,signature,object_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_external_identity_policy_changed_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: Business approved changes by known administrators. 
references: - https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 
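Review bot: the reflowed description still carries the typo `during his tall` (should be `talk`); since every line of the description is rewritten in this hunk, fix it here rather than leaving it for another version bump. The search itself only changes quoting, so parse both versions of the file with a YAML loader and confirm the `search` value is unchanged, in particular around the `\"\ + Removed \"` and `\"created\"\ + ,isnotnull` folds.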
@@ -20,39 +45,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ changed the external identity [$object_name$] policy - $result$ + risk_objects: + - field: user + type: user + score: 75 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: O365 Tenant - confidence: 100 - impact: 75 - message: User $user$ changed the external identity [$object_name$] policy - $result$ mitre_attack_id: - T1136.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - ModifiedProperties{}.NewValue - - ModifiedProperties{}.Name - - UserId - - Workload - risk_score: 75 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml index a0cd7652b3..006d23cf9b 100644 --- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml 
@@ -1,16 +1,31 @@ name: O365 File Permissioned Application Consent Granted by User id: 6c382336-22b8-4023-9b80-1689e799f21f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Consent to application. -description: The following analytic identifies instances where a user in the Office 365 environment grants consent to an application requesting file permissions for OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application consent events. This activity is significant because granting such permissions can allow applications to access, modify, or delete files, posing a risk if the application is malicious or overly permissive. If confirmed malicious, this could lead to data breaches, data loss, or unauthorized data manipulation, necessitating immediate investigation to validate the application's legitimacy and assess potential risks. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent =mvindex(''ModifiedProperties{}.NewValue'', 0) | search admin_consent=False | eval permissions =mvindex(''ModifiedProperties{}.NewValue'', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope | search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Files.ReadWrite.AppFolder") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications that require file permissions may be legitimate, investigate and filter as needed. 
+description: The following analytic identifies instances where a user in the Office + 365 environment grants consent to an application requesting file permissions for + OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application + consent events. This activity is significant because granting such permissions can + allow applications to access, modify, or delete files, posing a risk if the application + is malicious or overly permissive. If confirmed malicious, this could lead to data + breaches, data loss, or unauthorized data manipulation, necessitating immediate + investigation to validate the application's legitimacy and assess potential risks. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent + to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', + 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', + 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope + | search Scope IN (\"Files.Read\", \"Files.Read.All\", \"Files.ReadWrite\", \"Files.ReadWrite.All\"\ + , \"Files.ReadWrite.AppFolder\") | stats max(_time) as lastTime values(Scope) by + Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications that require file permissions may be legitimate, + investigate and filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ 
@@ -23,40 +38,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ consented an OAuth application that requests file-related permissions. + risk_objects: + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 80 - message: User $user$ consented an OAuth application that requests file-related permissions. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 - required_fields: - - _time - - Workload - - Operation - - ResultStatus - - ModifiedProperties{}.NewValue - - object - - ObjectId security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml index 325050edd8..35a366d9f8 100644 --- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml +++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml 
@@ -1,16 +1,32 @@ name: O365 FullAccessAsApp Permission Assigned id: 01a510b3-a6ac-4d50-8812-7e8a3cde3d79 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Update application. -description: The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex(''ModifiedProperties{}.NewValue'',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = ''{}.RequiredAppPermissions{}.EntitlementId'' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. 
+description: The following analytic detects the assignment of the 'full_access_as_app' + permission to an application registration in Office 365 Exchange Online. This detection + leverages Office 365 management activity logs and filters Azure Active Directory + workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', + is granted. This activity is significant because it provides extensive control over + Office 365 operations, including access to all mailboxes and the ability to send + mail as any user. If confirmed malicious, this could lead to unauthorized data access, + exfiltration, or account compromise. Immediate investigation is required. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update + application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath + input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\"\ + \ \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\"\ + \ | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count + earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, + object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_fullaccessasapp_permission_assigned_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: The full_access_as_app API permission may be assigned to legitimate + applications. Filter as needed. references: - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -21,42 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ assigned the full_access_as_app permission to the app registration + $object$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 80 - message: User $user$ assigned the full_access_as_app permission to the app registration $object$ mitre_attack_id: - T1098.002 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 - required_fields: - - _time - - Workload - - Operation - - ModifiedProperties{}.NewValue - - object - - user - - user_agent security_domain: identity tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log source: o365:management:activity sourcetype: o365:management:activity diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml index a4a8b48347..41d867d860 100644 --- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml 
@@ -1,16 +1,27 @@ name: O365 High Number Of Failed Authentications for User id: 31641378-2fa9-42b1-948e-25e281cb98f7 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 UserLoginFailed -description: The following analytic identifies an O365 account experiencing more than 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, specifically "UserLoginFailed" events, to monitor and flag accounts exceeding this threshold. This activity is significant as it may indicate a brute force attack or password guessing attempt. If confirmed malicious, an attacker could gain unauthorized access to the O365 environment, potentially compromising sensitive emails, documents, and other data. Prompt investigation and action are crucial to prevent unauthorized access and data breaches. -search: '`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Although unusual, users who have lost their passwords may trigger this detection. Filter as needed. +description: The following analytic identifies an O365 account experiencing more than + 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, + specifically "UserLoginFailed" events, to monitor and flag accounts exceeding this + threshold. This activity is significant as it may indicate a brute force attack + or password guessing attempt. 
If confirmed malicious, an attacker could gain unauthorized + access to the O365 environment, potentially compromising sensitive emails, documents, + and other data. Prompt investigation and action are crucial to prevent unauthorized + access and data breaches. +search: '`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon + Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) + as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Although unusual, users who have lost their passwords may trigger + this detection. Filter as needed. references: - https://attack.mitre.org/techniques/T1110/ - https://attack.mitre.org/techniques/T1110/001/ 
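Review bot: the description says the analytic flags accounts with more than 20 failed attempts within 5 minutes, but the search keeps `where failed_attempts > 10` and the new rba message later in this patch reads `more than 10 times in the span of 5 minutes`; align the description with the actual threshold (or vice versa) as part of this version 5 bump instead of carrying the mismatch forward.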
@@ -20,44 +31,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ failed to authenticate more than 10 times in the span of 5 + minutes. + risk_objects: + - field: user + type: user + score: 35 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 70 - impact: 50 - message: User $user$ failed to authenticate more than 10 times in the span of 5 minutes. 
mitre_attack_id: - T1110 - T1110.001 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 - required_fields: - - _time - - src_ip - - user - - Operation - - record_type - - Workload security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log source: o365:management:activity sourcetype: o365:management:activity diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml index df073ddb0a..bbe4d281d2 100644 --- a/detections/cloud/o365_high_privilege_role_granted.yml +++ b/detections/cloud/o365_high_privilege_role_granted.yml 
@@ -1,16 +1,30 @@ name: O365 High Privilege Role Granted id: e78a1037-4548-4072-bb1b-ad99ae416426 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Add member to role. -description: The following analytic detects when high-privilege roles such as "Exchange Administrator," "SharePoint Administrator," or "Global Administrator" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment. -search: '`o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory | eval role_id = mvindex(''ModifiedProperties{}.NewValue'',2) | eval role_name = mvindex(''ModifiedProperties{}.NewValue'',1) | where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Privilege roles may be assigned for legitimate purposes, filter as needed. +description: The following analytic detects when high-privilege roles such as "Exchange + Administrator," "SharePoint Administrator," or "Global Administrator" are granted + within Office 365. 
It leverages O365 audit logs to identify events where these roles + are assigned to any user or service account. This activity is significant for SOCs + as these roles provide extensive permissions, allowing broad access and control + over critical resources and data. If confirmed malicious, this could enable attackers + to gain significant control over O365 resources, access, modify, or delete critical + data, and compromise the overall security and functionality of the O365 environment. +search: "`o365_management_activity` Operation=\"Add member to role.\" Workload=AzureActiveDirectory + | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) + | where role_id IN (\"29232cdf-9323-42fd-ade2-1d097af3e4de\", \"f28a1f50-f6e7-4571-818b-6a12f2af6b6c\"\ + , \"62e90394-69f5-4237-9190-012177145e10\") | stats earliest(_time) as firstTime + latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Privilege roles may be assigned for legitimate purposes, filter + as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference 
@@ -22,40 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $user$ granted high privilege roles to $ObjectId$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 60 - impact: 80 - message: $user$ granted high privilege roles to $ObjectId$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 - required_fields: - - _time - - Operation - - Workload - - ModifiedProperties{}.NewValue - - user - - ObjectId security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml index 594c9a1248..6ebb47a835 100644 --- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml 
@@ -1,16 +1,33 @@ name: O365 Mail Permissioned Application Consent Granted by User id: fddad083-cdf5-419d-83c6-baa85e329595 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Consent to application. -description: The following analytic identifies instances where a user grants consent to an application requesting mail-related permissions within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to application permissions and user consent actions. This activity is significant as it can indicate potential security risks, such as data exfiltration or spear phishing, if malicious applications gain access. If confirmed malicious, this could lead to unauthorized data access, email forwarding, or sending malicious emails from the compromised account. Validating the legitimacy of the application and consent context is crucial to prevent data breaches. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent =mvindex(''ModifiedProperties{}.NewValue'', 0) | search admin_consent=False | eval permissions =mvindex(''ModifiedProperties{}.NewValue'', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope | search Scope IN ("Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. 
+description: The following analytic identifies instances where a user grants consent + to an application requesting mail-related permissions within the Office 365 environment. + It leverages O365 audit logs, specifically focusing on events related to application + permissions and user consent actions. This activity is significant as it can indicate + potential security risks, such as data exfiltration or spear phishing, if malicious + applications gain access. If confirmed malicious, this could lead to unauthorized + data access, email forwarding, or sending malicious emails from the compromised + account. Validating the legitimacy of the application and consent context is crucial + to prevent data breaches. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent + to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', + 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', + 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope + | search Scope IN (\"Mail.Read\", \"Mail.ReadBasic\", \"Mail.ReadWrite\", \"Mail.Read.Shared\"\ + , \"Mail.ReadWrite.Shared\", \"Mail.Send\", \"Mail.Send.Shared\") | stats max(_time) + as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` + | `o365_mail_permissioned_application_consent_granted_by_user_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications that require mail permissions may be legitimate, + investigate and filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ 
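Review bot: the `rex` in this search reads `rex field=permissions \"Scope: (?[^,]+)\"` in both the removed and the added lines, i.e. the named capture group has no name, yet the commands that follow (`makemv delim=\" \" Scope` and `search Scope IN (...)`) depend on a field called `Scope`. If that is what the file actually contains rather than a rendering artefact, the regex is invalid and the detection can never match; it should read `(?<Scope>[^,]+)`. Since this hunk already rewrites every line of the search, it is the place to confirm and fix it.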
@@ -24,40 +41,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ consented an OAuth application that requests mail-related permissions. + risk_objects: + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 80 - message: User $user$ consented an OAuth application that requests mail-related permissions. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 - required_fields: - - _time - - Workload - - Operation - - ResultStatus - - ModifiedProperties{}.NewValue - - object - - ObjectId security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml index 30b0618fee..28c3e91e3f 100644 --- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml +++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml 
@@ -1,15 +1,30 @@ name: O365 Mailbox Email Forwarding Enabled id: 0b6bc75c-05d1-4101-9fc3-97e706168f24 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches. -search: '`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind(''Parameters{}.Name'', "ForwardingAddress") | eval match2=mvfind(''Parameters{}.Name'', "ForwardingSmtpAddress") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!="" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Email forwarding may be configured for legitimate purposes, filter as needed. +description: The following analytic identifies instances where email forwarding has + been enabled on mailboxes within an Office 365 environment. 
It detects this activity + by monitoring the Set-Mailbox operation within the o365_management_activity logs, + specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress + parameters. This activity is significant as unauthorized email forwarding can lead + to data exfiltration and unauthorized access to sensitive information. If confirmed + malicious, attackers could intercept and redirect emails, potentially compromising + confidential communications and leading to data breaches. +search: "`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', + \"ForwardingAddress\") | eval match2=mvfind('Parameters{}.Name', \"ForwardingSmtpAddress\"\ + ) | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, + ForwardingSmtpAddress) | search ForwardTo!=\"\" | rename user_id as user | stats + count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as + ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `o365_mailbox_email_forwarding_enabled_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Email forwarding may be configured for legitimate purposes, + filter as needed. references: - https://attack.mitre.org/techniques/T1114/003/ - https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 
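Review bot: `data_source: []` is left empty in this file even though the search is tied to a single operation (`Operation=Set-Mailbox`) and the other detections in this change populate the field in the `O365 <Operation>` form (for example `- O365 Add member to role.`); the version bump is the right moment to fill it in the same style so the data source inventory stays consistent across the O365 detections.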
@@ -19,40 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Email forwarding configured by $user$ on mailbox $ObjectId$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: Email forwarding configured by $user$ on mailbox $ObjectId$ mitre_attack_id: - T1114 - T1114.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Parameters{}.Name - - src_user - - DeliverToMailboxAndForward - - ObjectId - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml index 67172ac2aa..e3f85487ae 100644 --- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml +++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml 
@@ -1,15 +1,30 @@ name: O365 Mailbox Folder Read Permission Assigned id: 1435475e-2128-4417-a34f-59770733b0d5 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications. -search: '`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match(''Item.ParentFolder.MemberRights'', "(ReadAny)"), "true", "false") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Mailbox folder permissions may be configured for legitimate purposes, filter as needed. +description: The following analytic identifies instances where read permissions are + assigned to mailbox folders within an Office 365 environment. 
It leverages the `o365_management_activity` + data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` + operations, while excluding Calendar, Contacts, and PersonMetadata objects. This + activity is significant as unauthorized read permissions can lead to data exposure + and potential information leakage. If confirmed malicious, an attacker could gain + unauthorized access to sensitive emails, leading to data breaches and compromising + the confidentiality of organizational communications. +search: "`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions + OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts + object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', + \"(ReadAny)\"), \"true\", \"false\") | rename UserId as user | stats count earliest(_time) + as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, + Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_mailbox_folder_read_permission_assigned_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Mailbox folder permissions may be configured for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946 
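Review bot: the search in this hunk computes `isReadRole` but never filters on it: `eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\")` is followed directly by `rename UserId as user | stats ...`, so the detection fires on every `ModifyFolderPermissions`/`AddFolderPermissions` event, not only on read grants as the name and description state. The sibling searches in this change add `| search isReadRole = \"true\"` after the eval; this one should do the same, and `Workload=Exchange` appears twice in the first line and can be dropped once. `data_source: []` is also empty here.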
@@ -20,40 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A folder was granted read permission by $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: A folder was granted read permission by $user$ mitre_attack_id: - T1098 - T1098.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Workload - - UserId - - object - - Item.ParentFolder.MemberRights - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml index 79288005d8..6b0939ee72 100644 --- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml +++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml 
@@ -1,15 +1,29 @@ name: O365 Mailbox Folder Read Permission Granted id: cd15c0a8-470e-4b12-9517-046e4927db30 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission` operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage. -search: '`o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" OR Operation="Add-MailboxFolderPermission" ) | eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Mailbox folder permissions may be configured for legitimate purposes, filter as needed. +description: The following analytic identifies instances where read permissions are + granted to mailbox folders within an Office 365 environment. It detects this activity + by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` + and `Add-MailboxFolderPermission` operations. 
This behavior is significant as it + may indicate unauthorized access or changes to mailbox folder permissions, potentially + exposing sensitive email content. If confirmed malicious, an attacker could gain + unauthorized access to read email communications, leading to data breaches or information + leakage. +search: '`o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" + OR Operation="Add-MailboxFolderPermission" ) | eval isReadRole=if(match(AccessRights, + "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", + "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time) + as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Mailbox folder permissions may be configured for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps 
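Review bot: `data_source: []` stays empty here while the search is scoped to `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission`; the detections in this change that do list a data source use the `O365 <Operation>` form, so populating it would keep the inventory consistent. Also note that the `search` scalar in this file stays single-quoted while the other reflowed searches were converted to double-quoted escaped strings; either is valid YAML, but mixing both within one commit suggests the reformatting was not applied uniformly.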
@@ -20,40 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A folder was granted read permission by $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: A folder was granted read permission by $user$ mitre_attack_id: - T1098 - T1098.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - AccessRights - - UserId - - Identity - - User - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml index ea56897f58..253de4acee 100644 --- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml +++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml 
@@ -1,16 +1,32 @@ name: O365 Mailbox Inbox Folder Shared with All Users id: 21421896-a692-4594-9888-5faeb8a53106 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 ModifyFolderPermissions -description: The following analytic detects instances where the inbox folder of an Office 365 mailbox is shared with all users within the tenant. It leverages Office 365 management activity events to identify when the 'Inbox' folder permissions are modified to include 'Everyone' with read rights. This activity is significant as it represents a potential security risk, allowing unauthorized access to sensitive emails. If confirmed malicious, this could lead to data breaches, exfiltration of confidential information, and further compromise through spear-phishing or other malicious activities based on the accessed email content. -search: '`o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match(''Item.ParentFolder.MemberRights'', "(ReadAny)"), "true", "false") | search isReadRole = "true" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed. 
+description: The following analytic detects instances where the inbox folder of an + Office 365 mailbox is shared with all users within the tenant. It leverages Office + 365 management activity events to identify when the 'Inbox' folder permissions are + modified to include 'Everyone' with read rights. This activity is significant as + it represents a potential security risk, allowing unauthorized access to sensitive + emails. If confirmed malicious, this could lead to data breaches, exfiltration of + confidential information, and further compromise through spear-phishing or other + malicious activities based on the accessed email content. +search: "`o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange + object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', + \"(ReadAny)\"), \"true\", \"false\") | search isReadRole = \"true\" | stats count + earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, + MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators might temporarily share a mailbox with all users + for legitimate reasons, such as troubleshooting, migrations, or other administrative + tasks. Some organizations use shared mailboxes for teams or departments where multiple + users need access to the same mailbox. Filter as needed. references: - https://attack.mitre.org/techniques/T1114/002/ - https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf 
@@ -23,42 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$MailboxOwnerUPN$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MailboxOwnerUPN$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MailboxOwnerUPN$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users. + risk_objects: + - field: MailboxOwnerUPN + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 70 - impact: 80 - message: Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users. 
mitre_attack_id: - T1114 - T1114.002 - observable: - - name: MailboxOwnerUPN - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 - required_fields: - - _time - - Operation - - Workload - - object - - Item.ParentFolder.MemberUpn - - Item.ParentFolder.MemberRights - - UserId - - MailboxOwnerUPN security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml index 1259e0e4d7..73b115897f 100644 --- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml +++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml 
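Review bot: the new `rba` block scores only `MailboxOwnerUPN`, but the search also reports `UserId`, the account that actually modified the folder permissions, and that field was previously declared under the `required_fields` list this hunk removes. If the actor should carry risk as well as the mailbox owner, add a second entry under `risk_objects` (`- field: UserId` / `type: user`); otherwise the migration is consistent, since `score: 56` preserves the removed `confidence: 70` times `impact: 80` divided by 100.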
@@ -1,16 +1,31 @@ name: O365 Mailbox Read Access Granted to Application id: 27ab61c5-f08a-438a-b4d3-325e666490b3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Update application. -description: The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. -search: '`o365_management_activity` Operation="Update application." | eval json_data=mvindex(''ModifiedProperties{}.NewValue'', 0) | eval json_data=replace(json_data, "^\[\s*", "") | eval json_data=replace(json_data, "\s*\]$", "") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed. 
+description: The following analytic identifies instances where the Mail.Read Graph + API permissions are granted to an application registration within an Office 365 + tenant. It leverages O365 audit logs, specifically events related to changes in + application permissions within the AzureActiveDirectory workload. This activity + is significant because the Mail.Read permission allows applications to access and + read all emails within a user's mailbox, which often contain sensitive or confidential + information. If confirmed malicious, this could lead to data exfiltration, spear-phishing + attacks, or further compromise based on the information gathered from the emails. +search: "`o365_management_activity` Operation=\"Update application.\" | eval json_data=mvindex('ModifiedProperties{}.NewValue', + 0) | eval json_data=replace(json_data, \"^\\[\\s*\", \"\") | eval json_data=replace(json_data, + \"\\s*\\]$\", \"\") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId + output=EntitlementIds | eval match_found=mvfind(EntitlementIds, \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\"\ + ) | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) + as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` + | `o365_mailbox_read_access_granted_to_application_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: There are legitimate scenarios in wich an Application registrations + requires Mailbox read access. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://attack.mitre.org/techniques/T1114/002/ 
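Review bot: the `known_false_positives` text carried into the reflowed `+` lines still reads `There are legitimate scenarios in wich an Application registrations requires Mailbox read access`; since the line is being rewritten anyway, fix it to `in which an application registration requires mailbox read access`.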
@@ -24,39 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Application registration $object$ was grandes mailbox read access by $user$ + risk_objects: + - field: user + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 50 - impact: 90 - message: Application registration $object$ was grandes mailbox read access by $user$ mitre_attack_id: - T1114.002 - T1114 - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - Operation - - _time - - ModifiedProperties{}.NewValue security_domain: access tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml index fb433e0003..3c21195c01 100644 --- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml 
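Review bot: the `rba.message` copied into the new block keeps the typo `Application registration $object$ was grandes mailbox read access by $user$`; change `grandes` to `granted` before this lands, because this string is what analysts see on the risk event. The `score: 45` matches the removed `confidence: 50` times `impact: 90` divided by 100, so the rest of the migration is consistent.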
@@ -1,16 +1,38 @@ name: O365 Multi-Source Failed Authentications Spike id: ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: Hunting data_source: - O365 UserLoginFailed -description: The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. 
-known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. +description: The following analytic identifies a spike in failed authentication attempts + within an Office 365 environment, indicative of a potential distributed password + spraying attack. It leverages UserLoginFailed events from O365 Management Activity + logs, focusing on ErrorNumber 50126. This detection is significant as it highlights + attempts to bypass security controls using multiple IP addresses and user agents. + If confirmed malicious, this activity could lead to unauthorized access, data breaches, + privilege escalation, and lateral movement within the organization. Early detection + is crucial to prevent account takeovers and mitigate subsequent threats. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" + . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, + dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) + as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > + 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. The thresholds set within the analytic (such + as unique IPs, unique users, etc.) are initial guidelines and should be customized + based on the organization's user behavior and risk profile. 
Security teams are encouraged + to adjust these thresholds to optimize the balance between detecting genuine threats + and minimizing false positives, ensuring the detection is tailored to their specific + environment. +known_false_positives: This detection may yield false positives in scenarios where + legitimate bulk sign-in activities occur, such as during company-wide system updates + or when users are accessing resources from varying locations in a short time frame, + such as in the case of VPNs or cloud services that rotate IP addresses. Filter as + needed. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -22,37 +44,21 @@ tags: - NOBELIUM Group asset_type: O365 Tenant atomic_guid: [] - confidence: 60 - impact: 70 - message: An anomalous multi source authentication spike ocurred at $_time$ mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 42 - required_fields: - - _time - - Workload - - Operation - - ErrorNumber - - user - - src_ip - - user_agent security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml index 304455b896..5efc86483e 100644 --- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml 
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml 
@@ -1,17 +1,32 @@ name: O365 Multiple AppIDs and UserAgents Authentication Spike id: 66adc486-224d-45c1-8e4d-9e7eeaba988f -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: Anomaly data_source: - O365 UserLoggedIn - O365 UserLoginFailed -description: The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation. -search: '`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. 
+description: The following analytic identifies unusual authentication activity in + an O365 environment, where a single user account experiences more than 8 authentication + attempts using 3 or more unique application IDs and over 5 unique user agents within + a short timeframe. It leverages O365 audit logs, focusing on authentication events + and applying statistical thresholds. This behavior is significant as it may indicate + an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, + it suggests a compromised account, potentially leading to unauthorized access, privilege + escalation, and data exfiltration. Early detection is crucial to prevent further + exploitation. +search: '`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn + OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts + dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) + values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents + > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Rapid authentication from the same user using more than 5 different + user agents and 3 application IDs is highly unlikely under normal circumstances. + However, there are potential scenarios that could lead to false positives. references: - https://attack.mitre.org/techniques/T1078/ - https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ 
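Review bot: the description and the search in this hunk disagree on the thresholds. The description says the user account experiences `more than 8 authentication attempts`, while the `where` clause filters on `failed_attempts > 5`; and `dc(_raw) as failed_attempts` is computed over both `Operation=UserLoggedIn` and `Operation=UserLoginFailed`, so the field is a count of all authentication events, not of failures. Either align the description with `> 5` or raise the `where` threshold, and consider renaming the field (for example `auth_attempts`) so the column header does not mislead whoever triages the result.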
@@ -23,43 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $user$ authenticated in a short period of time with more than 5 different + user agents across 3 or more unique application ids. + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 80 - impact: 60 - message: $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. 
mitre_attack_id: - T1078 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 - required_fields: - - _time - - Workload - - Operation - - ApplicationId - - UserAgent - - OS security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml index bf554c3746..838942b528 100644 --- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml 
@@ -1,16 +1,29 @@ name: O365 Multiple Failed MFA Requests For User id: fd22124e-dbac-4744-a8ce-be10d8ec3e26 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 UserLoginFailed -description: The following analytic identifies potential "MFA fatigue" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. +description: The following analytic identifies potential "MFA fatigue" attacks targeting + Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts + within a 10-minute timeframe. It leverages O365 management activity logs, focusing + on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, + and an ErrorNumber of 500121. 
This activity is significant as attackers may exploit + MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA + requests. If confirmed malicious, this could lead to data breaches, unauthorized + data access, or further compromise within the O365 environment. Immediate investigation + is crucial. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) + as mfa_prompts values(LogonError) as LogonError values(signature) as signature by + user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Multiple Failed MFA requests may also be a sign of authentication + or application issues. Filter as needed. references: - https://attack.mitre.org/techniques/T1621/ drilldown_searches: 
@@ -19,41 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple failed MFA requestes for $user$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 80 - impact: 60 - message: Multiple failed MFA requestes for $user$ mitre_attack_id: - T1621 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 48 - required_fields: - - _time - - Workload - - Operation - - ResultStatus - - ErrorNumber - - user - - LogonError - - signature security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml index 9bef583fad..5bc7b90235 100644 --- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml +++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml 
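Review bot: `rba.message` reads `Multiple failed MFA requestes for $user$`; the typo was in the removed `message:` line and is carried over unchanged into the new block, so correct it to `requests` here. `score: 48` equals the removed `confidence: 80` times `impact: 60` divided by 100, so the rest of the migration is consistent.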
@@ -1,16 +1,31 @@ name: O365 Multiple Mailboxes Accessed via API id: 7cd853e9-d370-412f-965d-a2bcff2a2908 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - O365 MailItemsAccessed type: TTP status: production -description: The following analytic detects when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. This activity is significant as it may indicate unauthorized mass email access, potentially signaling data exfiltration or account compromise. If confirmed malicious, attackers could gain access to sensitive information, leading to data breaches and further exploitation of compromised accounts. The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment. -search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields. +description: The following analytic detects when a high number of Office 365 Exchange + mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within + a short timeframe. 
It leverages 'MailItemsAccessed' operations in Exchange, using + AppId and regex to identify API interactions. This activity is significant as it + may indicate unauthorized mass email access, potentially signaling data exfiltration + or account compromise. If confirmed malicious, attackers could gain access to sensitive + information, leading to data breaches and further exploitation of compromised accounts. + The threshold is set to flag over five unique mailboxes accessed within 10 minutes, + but should be tailored to your environment. +search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed + AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, + "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" + OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes + values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes + > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Legitimate applications may access multiple mailboxes via an + API. You can filter by the ClientAppId or the CLientIpAddress fields. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in 
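Review bot: `known_false_positives` tells the reader to filter on `the ClientAppId or the CLientIpAddress fields`, but the search uses `ClientIPAddress` (`values(ClientIPAddress) as src_ip`); correct the field name in the text so analysts filter on the field that actually exists in the event.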
@@ -24,42 +39,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An Oauth application identified with id $ClientAppId$ accessed multiple + mailboxes in a short period of time via an API. + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API. 
mitre_attack_id: - T1114.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - AppId - - ClientAppId - - ClientInfoString - - ClientIPAddress - - user - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml new file mode 100644 index 0000000000..743aca09e9 --- /dev/null +++ b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml 
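Review bot: the `rba.message` spells the protocol `Oauth`; use `OAuth`. Also, `user` is populated by `values(user) as user` in the search, so a single result carries every accessed mailbox owner as a multivalue field, and that multivalue field is now the risk object; confirm that attributing the risk to the list of accessed mailboxes, rather than to the accessing `ClientAppId`, is the intended behaviour.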
@@ -0,0 +1,66 @@ +name: O365 Multiple OS Vendors Authenticating From User +id: 3451e58a-9457-4985-a600-b616b0cbfda1 +version: 1 +date: '2024-12-19' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Usage of the tools like "MFASweep" will trigger this detection. +data_source: +- Office 365 Universal Audit Log +search: |- + `o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) + | eval -time = _time + | bin _time span=15m + | stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by ClientIP, UserId, _time + | where os_count >= 4 + | eval src = ClientIP, user = UserId + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_multiple_os_vendors_authenticating_from_user_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique OS) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. +known_false_positives: IP or users where the usage of multiple Operating systems is expected, filter accordingly. 
+references: +- https://attack.mitre.org/techniques/T1110 +- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ +- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/ +- https://github.com/dafthack/MFASweep/tree/master +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate logons from $user$ + search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user account $user$ authenticated with $os_count$ unique operating system types over a short period from $src$. 
+ risk_objects: + - field: user + type: user + score: 60 + threat_objects: + - field: src + type: ip_address +tags: + analytic_story: + - Office 365 Account Takeover + asset_type: O365 Tenant + mitre_attack_id: + - T1110 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log + source: o365 + sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml index 58f45dcc87..f23966ec6c 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml 
@@ -1,16 +1,31 @@ name: O365 Multiple Service Principals Created by SP id: ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - O365 Add service principal. type: Anomaly status: production -description: The following analytic identifies instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in the Office 365 Azure Active Directory environment. This activity is significant as it may indicate a compromised or malicious service principal attempting to expand control or access within the network. If confirmed malicious, this could lead to unauthorized access and potential lateral movement within the environment, posing a significant security risk. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount(''Actor{}.ID'') | eval userType = mvindex(''Actor{}.ID'',len-1) | search userType = "ServicePrincipal" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. +description: The following analytic identifies instances where a single service principal + creates more than three unique OAuth applications within a 10-minute timeframe. 
+ It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service + principal' operation in the Office 365 Azure Active Directory environment. This + activity is significant as it may indicate a compromised or malicious service principal + attempting to expand control or access within the network. If confirmed malicious, + this could lead to unauthorized access and potential lateral movement within the + environment, posing a significant security risk. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add + service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | + eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"ServicePrincipal\"\ + \ | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) + as lastTime values(displayName) as displayName dc(displayName) as unique_apps by + src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_multiple_service_principals_created_by_sp_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -20,40 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple OAuth applications were created by $src_user$ in a short period + of time + risk_objects: + - field: src_user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time mitre_attack_id: - T1136.003 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - Actor{}.ID - - src_user - - object - risk_score: 42 security_domain: identity tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml index f4dbd4ac6c..1ecd0908e9 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml 
@@ -1,16 +1,31 @@ name: O365 Multiple Service Principals Created by User id: a34e65d0-54de-4b02-9db8-5a04522067f6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: - O365 Add service principal. type: Anomaly status: production -description: The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount(''Actor{}.ID'') | eval userType = mvindex(''Actor{}.ID'',len-1) | search userType = "User" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. +description: The following analytic identifies instances where a single user creates + more than three unique OAuth applications within a 10-minute window in the Office + 365 environment. 
It leverages O365 logs from the Unified Audit Log, focusing on + the 'Add service principal' operation in Azure Active Directory. This activity is + significant as it may indicate a compromised user account or unauthorized actions, + potentially leading to broader network infiltration or privilege escalation. If + confirmed malicious, this behavior could allow attackers to gain persistent access, + escalate privileges, or exfiltrate sensitive information. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add + service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | + eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"User\" | eval + displayName = object | stats count earliest(_time) as firstTime latest(_time) as + lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user + | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_multiple_service_principals_created_by_user_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -20,40 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple OAuth applications were created by $src_user$ in a short period + of time + risk_objects: + - field: src_user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time mitre_attack_id: - T1136.003 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - Actor{}.ID - - src_user - - object - risk_score: 42 security_domain: identity tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml index 2e405cbcb8..24496ddc87 100644 --- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml 
@@ -1,16 +1,29 @@ name: O365 Multiple Users Failing To Authenticate From Ip id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 UserLoginFailed -description: The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. +description: The following analytic identifies instances where more than 10 unique + user accounts fail to authenticate from a single IP address within a 5-minute window. + This detection leverages O365 audit logs, specifically Azure Active Directory login + failures (AzureActiveDirectoryStsLogon). 
Such activity is significant as it may + indicate brute-force attacks or password spraying attempts. If confirmed malicious, + this behavior suggests an external entity is attempting to breach security by targeting + multiple accounts, potentially leading to unauthorized access. Immediate action + is required to block or monitor the suspicious IP and notify affected users to enhance + their security measures. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) + as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) + as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: A source Ip failing to authenticate with multiple users in + a short period of time is not common legitimate behavior. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray 
@@ -22,51 +35,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes. + risk_objects: + - field: user + type: user + score: 63 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover - NOBELIUM Group asset_type: O365 Tenant - confidence: 90 - impact: 70 - message: Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes. 
mitre_attack_id: - T1586 - T1586.003 - T1110 - T1110.003 - T1110.004 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 63 - required_fields: - - _time - - Workload - - Operation - - record_type - - user - - LogonError - - signature - - UserAgent - - ErrorNumber security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml index 5f08054421..cee90dcbdc 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_created.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml 
@@ -1,15 +1,30 @@ name: O365 New Email Forwarding Rule Created id: 68469fd0-1315-44ba-b7e4-e92847bb76d6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches. -search: '`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind(''Parameters{}.Name'', "ForwardTo") | eval match2=mvfind(''Parameters{}.Name'', "ForwardAsAttachmentTo") | eval match3=mvfind(''Parameters{}.Name'', "RedirectTo") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Users may create email forwarding rules for legitimate purposes. Filter as needed. +description: The following analytic identifies the creation of new email forwarding + rules in an Office 365 environment. 
It detects events logged under New-InboxRule + and Set-InboxRule operations within the o365_management_activity data source, focusing + on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity + is significant as unauthorized email forwarding can lead to data exfiltration and + unauthorized access to sensitive information. If confirmed malicious, attackers + could intercept and redirect emails, potentially compromising confidential communications + and leading to data breaches. +search: "`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) + | eval match1=mvfind('Parameters{}.Name', \"ForwardTo\") | eval match2=mvfind('Parameters{}.Name', + \"ForwardAsAttachmentTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectTo\"\ + ) | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, + ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) + as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Users may create email forwarding rules for legitimate purposes. + Filter as needed. references: - https://attack.mitre.org/techniques/T1114/003/ drilldown_searches: 
@@ -18,40 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A forwarding email inbox rule was created for $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: A forwarding email inbox rule was created for $user$ mitre_attack_id: - T1114 - T1114.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Parameters{}.Name - - Name - - user - - UserId - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml index 1697760b48..dcc6b1b909 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml 
@@ -1,15 +1,34 @@ name: O365 New Email Forwarding Rule Enabled id: ac7c4d0a-06a3-4278-aa59-88a5e537f981 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage. -search: '`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind(''OperationProperties{}.Value'', "ForwardToRecipientsAction") | eval match2=mvfind(''OperationProperties{}.Value'', "ForwardAsAttachmentToRecipientsAction") | eval match3=mvfind(''OperationProperties{}.Value'', "RedirectToRecipientsAction") | eval index = mvfind(''OperationProperties{}.Name'', "ServerRule") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex(''OperationProperties{}.Value'', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted="*@*.*" | eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity 
events. -known_false_positives: Users may create email forwarding rules for legitimate purposes. Filter as needed. +description: The following analytic identifies the creation of new email forwarding + rules in an Office 365 environment via the UpdateInboxRules operation. It leverages + Office 365 management activity events to detect rules that forward emails to external + recipients by examining the OperationProperties for specific forwarding actions. + This activity is significant as it may indicate unauthorized email redirection, + potentially leading to data exfiltration. If confirmed malicious, attackers could + intercept sensitive communications, leading to data breaches and information leakage. +search: "`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules \ + \ | eval match1=mvfind('OperationProperties{}.Value', \"ForwardToRecipientsAction\"\ + ) | eval match2=mvfind('OperationProperties{}.Value', \"ForwardAsAttachmentToRecipientsAction\"\ + ) | eval match3=mvfind('OperationProperties{}.Value', \"RedirectToRecipientsAction\"\ + ) | eval index = mvfind('OperationProperties{}.Name', \"ServerRule\") | where match1>= + 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', + index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted + | mvexpand valueExtracted | search valueExtracted=\"*@*.*\" | eval ForwardTo=if(match(valueExtracted, + \"^[^@]+@[^@]+\\\\.[^@]+$\"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) + | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name + by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_new_email_forwarding_rule_enabled_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. 
+known_false_positives: Users may create email forwarding rules for legitimate purposes. + Filter as needed. references: - https://attack.mitre.org/techniques/T1114/003/ drilldown_searches: 
@@ -18,39 +37,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A forwarding email inbox rule was created for $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: A forwarding email inbox rule was created for $user$ mitre_attack_id: - T1114 - T1114.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Actions - - Name - - user - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml index 429a39b7ea..6dcebc1fbe 100644 --- a/detections/cloud/o365_new_federated_domain_added.yml +++ b/detections/cloud/o365_new_federated_domain_added.yml 
@@ -1,16 +1,29 @@ name: O365 New Federated Domain Added id: e155876a-6048-11eb-ae93-0242ac130002 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Rod Soto, Mauricio Velazco Splunk status: production type: TTP -description: The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation="Add-FederatedDomain". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information. Immediate investigation is required to review the details of the added domain and any concurrent suspicious activities. +description: The following analytic identifies the addition of a new federated domain + in an Office 365 environment. This behavior is detected by analyzing Office 365 + management activity logs, specifically filtering for Workload=Exchange and Operation="Add-FederatedDomain". + The addition of a new federated domain is significant as it may indicate unauthorized + changes or potential compromises. If confirmed malicious, attackers could establish + a backdoor, bypass security measures, or exfiltrate data, leading to data breaches + and unauthorized access to sensitive information. Immediate investigation is required + to review the details of the added domain and any concurrent suspicious activities. 
data_source: - O365 -search: '`o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity. -known_false_positives: The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. +search: '`o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*" + | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent + authentication_service action Workload Operation | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity. +known_false_positives: The creation of a new Federated domain is not necessarily malicious, + however these events need to be followed closely, as it may indicate federated credential + abuse or backdoor via federated identities at a similar or different cloud provider. references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a 
@@ -23,44 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ has added a new federated domain $new_value$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - Cloud Federated Credential Abuse asset_type: O365 Tenant - confidence: 80 - impact: 80 - message: User $user$ has added a new federated domain $new_value$ mitre_attack_id: - T1136.003 - T1136 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - ModifiedProperties{}.NewValue - - authentication_service - - user - - user_agent - - action - risk_score: 64 security_domain: threat tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log sourcetype: o365:management:activity source: o365 - update_timestamp: true diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml index 85ed1f33d3..c97bba78de 100644 --- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml +++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml 
@@ -1,15 +1,30 @@ name: O365 New Forwarding Mailflow Rule Created id: 289ed0a1-4c78-4a43-9321-44ea2e089c14 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses. It leverages Office 365 Management Activity logs, specifically querying for the "New-TransportRule" operation and parameters like "BlindCopyTo", "CopyTo", and "RedirectMessageTo". This activity is significant as it can indicate potential data exfiltration or unauthorized access to sensitive information. If confirmed malicious, attackers could intercept or redirect email communications, leading to data breaches or information leakage. -search: '`o365_management_activity` Workload=Exchange Operation="New-TransportRule" | eval match1=mvfind(''Parameters{}.Name'', "BlindCopyTo") | eval match2=mvfind(''Parameters{}.Name'', "CopyTo") | eval match3=mvfind(''Parameters{}.Name'', "RedirectMessageTo") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!="" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Forwarding mail flow rules may be created for legitimate reasons, filter as needed. +description: The following analytic detects the creation of new mail flow rules in + Office 365 that may redirect or copy emails to unauthorized or external addresses. 
+ It leverages Office 365 Management Activity logs, specifically querying for the + "New-TransportRule" operation and parameters like "BlindCopyTo", "CopyTo", and "RedirectMessageTo". + This activity is significant as it can indicate potential data exfiltration or unauthorized + access to sensitive information. If confirmed malicious, attackers could intercept + or redirect email communications, leading to data breaches or information leakage. +search: "`o365_management_activity` Workload=Exchange Operation=\"New-TransportRule\"\ + \ | eval match1=mvfind('Parameters{}.Name', \"BlindCopyTo\") | eval match2=mvfind('Parameters{}.Name', + \"CopyTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectMessageTo\") | where + match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, + RedirectMessageTo) | search ForwardTo!=\"\" | rename UserId as user | stats count + earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, + ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\ + \ | `o365_new_forwarding_mailflow_rule_created_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Forwarding mail flow rules may be created for legitimate reasons, + filter as needed. references: - https://attack.mitre.org/techniques/T1114/ - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules 
@@ -20,38 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new forwarding mailflow rule was created by $user$ + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: A new forwarding mailflow rule was created by $user$ mitre_attack_id: - T1114 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Parameters{}.Name - - user - - Name - risk_score: 42 security_domain: audit tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml index d048cad3cf..f5278b8e52 100644 --- a/detections/cloud/o365_new_mfa_method_registered.yml +++ b/detections/cloud/o365_new_mfa_method_registered.yml 
@@ -1,16 +1,33 @@ name: O365 New MFA Method Registered id: 4e12db1f-f7c7-486d-8152-a221cad6ac2b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Update user. -description: The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update user." | eval propertyName = mvindex(''ModifiedProperties{}.Name'', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex(''ModifiedProperties{}.OldValue'',0) | eval newvalue = mvindex(''ModifiedProperties{}.NewValue'',0) | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Users may register MFA methods legitimally, investigate and filter as needed. 
+description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for a user account within Office 365. It leverages O365 + audit logs to identify changes in MFA configurations. This activity is significant + as it may indicate an attacker's attempt to maintain persistence on a compromised + account. If confirmed malicious, the attacker could bypass existing security measures, + solidify their access, and potentially escalate privileges or access sensitive data. + Immediate verification and remediation are required to secure the affected account. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update + user.\" | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search + propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) + | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue + max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue + max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type + = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), + 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) + as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Users may register MFA methods legitimally, investigate and + filter as needed. references: - https://attack.mitre.org/techniques/T1098/005/ - https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ 
@@ -21,40 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new MFA method was added for $user$ + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms asset_type: O365 Tenant - confidence: 50 - impact: 60 - message: A new MFA method was added for $user$ mitre_attack_id: - T1098 - T1098.005 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - Workload - - Operation - - ModifiedProperties{}.Name - - ModifiedProperties{}.OldValue - - ModifiedProperties{}.NewValue security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml index e8ffd9ae71..6d65874c2c 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml 
@@ -1,16 +1,29 @@ name: O365 OAuth App Mailbox Access via EWS id: e600cf1a-0bef-4426-b42e-00176d610a4d -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production data_source: - O365 MailItemsAccessed type: TTP -description: The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information. -search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list. +description: The following analytic detects when emails are accessed in Office 365 + Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. 
+ It leverages the ClientInfoString field to identify EWS interactions and aggregates + metrics such as access counts, timing, and client IP addresses, categorized by user, + ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing + emails through EWS is crucial for identifying potential abuse or unauthorized data + access. If confirmed malicious, this activity could lead to unauthorized email access, + data exfiltration, or further compromise of sensitive information. +search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed + AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) + as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications may access mailboxes for legitimate purposes, + you can use the src_ip to add trusted sources to an allow list. references: - https://attack.mitre.org/techniques/T1114/002/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 
@@ -21,40 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An OAuth application identified with id $ClientAppId$ accesed mailboxes + through the Graph API. + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. 
mitre_attack_id: - T1114.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - AppId - - ClientAppId - - OperationCount - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml index f4cef3f577..97b83569fd 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml 
@@ -1,16 +1,28 @@ name: O365 OAuth App Mailbox Access via Graph API id: 9db0d5b0-4058-4cb7-baaf-77d8143539a2 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production data_source: - O365 MailItemsAccessed type: TTP -description: "The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization\u2019s network." -search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list. +description: The following analytic detects when emails are accessed in Office 365 + Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. + It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing + on OAuth-authenticated applications. This activity is significant as unauthorized + access to emails can lead to data breaches and information theft. 
If confirmed malicious, + attackers could exfiltrate sensitive information, compromise user accounts, and + further infiltrate the organization’s network. +search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed + AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) + as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId + OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_oauth_app_mailbox_access_via_graph_api_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications may access mailboxes for legitimate purposes, + you can use the ClientAppId to add trusted applications to an allow list. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in 
@@ -21,40 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An OAuth application identified with id $ClientAppId$ accesed mailboxes + through the Graph API. + risk_objects: + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 70 - message: An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. 
mitre_attack_id: - T1114.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - AppId - - ClientAppId - - OperationCount - risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml index 82fcdc96a7..6f5a154912 100644 --- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml 
@@ -1,16 +1,33 @@ name: O365 Privileged Graph API Permission Assigned id: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Update application. -description: The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex(''ModifiedProperties{}.NewValue'',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = ''{}.RequiredAppPermissions{}.EntitlementId'' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. 
+description: The following analytic detects the assignment of critical Graph API permissions + in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as + Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. + The detection method leverages Azure Active Directory workload events, specifically + 'Update application' operations. This activity is significant as these permissions + provide extensive control over Azure AD settings, posing a high risk if misused. + If confirmed malicious, this could allow unauthorized modifications, leading to + potential data breaches or privilege escalation. Immediate investigation is crucial. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update + application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath + input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\"\ + \ OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\"\ + \ OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\"\ + \ | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count + earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, + object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_privileged_graph_api_permission_assigned_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Privileged Graph API permissions may be assigned for legitimate + purposes. Filter as needed. references: - https://cloudbrothers.info/en/azure-attack-paths/ - https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json 
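Review bot: the three EntitlementId GUIDs in the rewrapped `+search:` scalar are not tied to the three permission names the `+description:` lists (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, RoleManagement.ReadWrite.Directory), so a maintainer cannot tell which GUID to change if one of them is wrong or a fourth permission is added. Suggest stating the GUID-to-permission mapping in `how_to_implement` or the description, since YAML comments inside a quoted scalar are not possible. The rewrap itself looks equivalent: the folded double-quoted lines join with a single space and the `\"\` line continuations join without one, so `Operation=\"Update\n application.\"` still yields `Operation="Update application."`.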
@@ -23,43 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ assigned privileged Graph API permissions to $object$ + risk_objects: + - field: user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant - confidence: 60 - impact: 90 - message: User $user$ assigned privileged Graph API permissions to $object$ mitre_attack_id: - T1003.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 54 - required_fields: - - _time - - Workload - - Operation - - ModifiedProperties{}.NewValue - - RequiredAppPermissions{}.EntitlementId - - user - - object - - user_agent - - Operation security_domain: identity tests: - 
name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml index ab7c208b1d..975cdaa4a0 100644 --- a/detections/cloud/o365_privileged_role_assigned.yml +++ b/detections/cloud/o365_privileged_role_assigned.yml 
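Review bot: the unchanged `mitre_attack_id: - T1003.002` in this hunk does not match the behaviour described (assigning privileged Graph API permissions to an application) nor the test dataset path, which sits under `attack_techniques/T1098.003/`; T1003.002 is OS Credential Dumping: Security Account Manager. Since this hunk is already touching the tags block to move scoring into `rba:`, this is the right moment to confirm the intended technique and correct the tag. Separately, `threat_objects: []` leaves `$object$` (the application that received the permissions, already in the `rba.message`) unused as a threat object, which may be worth reconsidering.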
@@ -1,16 +1,33 @@ name: O365 Privileged Role Assigned id: db435700-4ddc-4c23-892e-49e7525d7d39 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source. +description: The following analytic identifies the assignment of sensitive and privileged + Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike + may assign these roles to a compromised account to establish Persistence in an Azure + AD environment. This detection leverages the O365 Universal Audit Log data source. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") | eval user = ObjectId, src_user = case(match(mvindex(''Actor{}.ID'',-1),"User"),mvindex(''Actor{}.ID'',0),match(mvindex(''Actor{}.ID'',-1),"ServicePrincipal"),mvindex(''Actor{}.ID'',3),true(),mvindex(''Actor{}.ID'',0)), object_name = mvindex(''ModifiedProperties{}.NewValue'', mvfind(''ModifiedProperties{}.Name'',"Role\.DisplayName")), object_id = mvindex(''ModifiedProperties{}.NewValue'', mvfind(''ModifiedProperties{}.Name'',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex(''Target{}.ID'',2) | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole | search isprvilegedadrole="TRUE" category="User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`o365_privileged_role_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators will legitimately assign the privileged roles users as part of administrative tasks. Microsoft Privileged Identity Management (PIM) may cause false positives / less accurate alerting. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation IN (\"\ + Add member to role.\",\"Add eligible member to role.\") | eval user = ObjectId, + src_user = case(match(mvindex('Actor{}.ID',-1),\"User\"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),\"\ + ServicePrincipal\"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name + = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',\"\ + Role\\.DisplayName\")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',\"\ + Role\\.TemplateId\")), signature = Operation, result = ResultStatus, category = + mvindex('Target{}.ID',2) | stats count, min(_time) as firstTime, max(_time) as lastTime + by src_user, user, category, result, object_name, object_id, signature | lookup + privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole + | search isprvilegedadrole=\"TRUE\" category=\"User\" | `security_content_ctime(firstTime)`\ + \ | `security_content_ctime(lastTime)` | `o365_privileged_role_assigned_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators will legitimately assign the privileged roles + users as part of administrative tasks. Microsoft Privileged Identity Management + (PIM) may cause false positives / less accurate alerting. references: - https://attack.mitre.org/techniques/T1098/003/ - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference 
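Review bot: the lookup OUTPUT field `isprvilegedadrole` in the `+search:` scalar looks misspelled, and because `| search isprvilegedadrole=\"TRUE\"` depends on it, a mismatch with the column name in the `privileged_azure_ad_roles` lookup would make the detection silently return nothing; please confirm the lookup header uses exactly this spelling, and if so say so in `how_to_implement` so nobody "fixes" it later. Two smaller points on the `+` lines: `known_false_positives` reads "assign the privileged roles users" and needs "to" ("assign the privileged roles to users"), and the search is now a double-quoted scalar with `\"\` and `\\.` escapes spread over eleven lines, which is hard to verify for whitespace and regex correctness in review; a `>-` block scalar would keep the line wrapping without the escaping.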
@@ -21,45 +38,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A privileged Azure AD role [$object_name$] was assigned to user $user$ + by $src_user$ + risk_objects: + - field: user + type: user + score: 75 + - field: src_user + type: user + score: 75 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: O365 Tenant - confidence: 100 - impact: 75 - message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - 
ModifiedProperties{}.NewValue - - ModifiedProperties{}.Name - - UserId - - ObjectId - - Workload - risk_score: 75 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml index 23d21f6386..f984d8f1de 100644 --- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml 
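Review bot: the new `rba.risk_objects` block scores both `user` (the account that received the role) and `src_user` (the account that assigned it) at 75, so every event now contributes 150 risk across two objects where the old `risk_score: 75` contributed once. Since the original `observable` block listed both as Victim, this may be intended, but the assigning administrator is usually the actor rather than the victim in this scenario; consider either a lower score for `src_user` or documenting why both are scored equally. The `rba.message` text matches the removed `message:` line, so nothing is lost there.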
@@ -1,16 +1,36 @@ name: O365 Privileged Role Assigned To Service Principal id: 80f3fc1b-705f-4080-bf08-f61bf013b900 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source. +description: The following analytic detects potential privilege escalation threats + in Azure Active Directory (AD). This detection is important because it identifies + instances where privileged roles that hold elevated permissions are assigned to + service principals. This prevents unauthorized access or malicious activities, which + occur when these non-human entities access Azure resources to exploit them. False + positives might occur since administrators can legitimately assign privileged roles + to service principals. This detection leverages the O365 Universal Audit Log data + source. 
data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") | eval user = ObjectId, src_user = case(match(mvindex(''Actor{}.ID'',-1),"User"),mvindex(''Actor{}.ID'',0),match(mvindex(''Actor{}.ID'',-1),"ServicePrincipal"),mvindex(''Actor{}.ID'',3),true(),mvindex(''Actor{}.ID'',0)), object_name = mvindex(''ModifiedProperties{}.NewValue'', mvfind(''ModifiedProperties{}.Name'',"Role\.DisplayName")), object_id = mvindex(''ModifiedProperties{}.NewValue'', mvfind(''ModifiedProperties{}.Name'',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex(''Target{}.ID'',2) | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole | search isprvilegedadrole="TRUE" category!="User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_role_assigned_to_service_principal_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. 
+search: "`o365_management_activity` Workload=AzureActiveDirectory Operation IN (\"\ + Add member to role.\",\"Add eligible member to role.\") | eval user = ObjectId, + src_user = case(match(mvindex('Actor{}.ID',-1),\"User\"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),\"\ + ServicePrincipal\"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name + = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',\"\ + Role\\.DisplayName\")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',\"\ + Role\\.TemplateId\")), signature = Operation, result = ResultStatus, category = + mvindex('Target{}.ID',2) | stats count, min(_time) as firstTime, max(_time) as lastTime + by src_user, user, category, result, object_name, object_id, signature | lookup + privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole + | search isprvilegedadrole=\"TRUE\" category!=\"User\" | `security_content_ctime(firstTime)`\ + \ | `security_content_ctime(lastTime)` | `o365_privileged_role_assigned_to_service_principal_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators may legitimately assign the privileged roles + to Service Principals as part of administrative tasks. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference 
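Review bot: the `+description:` sentence "This prevents unauthorized access or malicious activities" overstates what a search can do; a detection identifies the assignment after the fact, so "This helps identify unauthorized access or malicious activity" would be accurate. Also, the `+search:` here is byte-for-byte the same long `eval`/`stats`/`lookup` pipeline as in `o365_privileged_role_assigned.yml` except for `category!=\"User\"` versus `category=\"User\"`; keeping two copies of the `Actor{}.ID` and `ModifiedProperties{}` parsing invites drift, so consider moving the shared part into a macro and leaving only the category filter in each detection.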
@@ -22,45 +42,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A privileged Azure AD role [$object_name$] was assigned to the Service + Principal $user$ initiated by $src_user$ + risk_objects: + - field: user + type: user + score: 75 + - field: src_user + type: user + score: 75 + threat_objects: [] tags: analytic_story: - Azure Active Directory Privilege Escalation asset_type: O365 Tenant - confidence: 100 - impact: 75 - message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$ mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk 
Cloud - required_fields: - - _time - - Operation - - ModifiedProperties{}.NewValue - - ModifiedProperties{}.Name - - UserId - - ObjectId - - Workload - risk_score: 75 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml index e6890351e9..3e936f968c 100644 --- a/detections/cloud/o365_pst_export_alert.yml +++ b/detections/cloud/o365_pst_export_alert.yml 
@@ -1,16 +1,29 @@ name: O365 PST export alert id: 5f694cc4-a678-4a60-9410-bffca1b647dc -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name "eDiscovery search started or exported." This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required. +description: The following analytic detects instances where a user has initiated an + eDiscovery search or exported a PST file in an Office 365 environment. It leverages + Office 365 management activity logs, specifically filtering for events under ThreatManagement + with the name "eDiscovery search started or exported." This activity is significant + as it may indicate data exfiltration attempts or unauthorized access to sensitive + information. If confirmed malicious, it suggests an attacker or insider threat is + attempting to gather or exfiltrate data, potentially leading to data breaches, loss + of intellectual property, or unauthorized access to confidential communications. + Immediate investigation is required. 
data_source: - O365 -search: '`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`' -how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -known_false_positives: PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. +search: '`o365_management_activity` Category=ThreatManagement Name="eDiscovery search + started or exported" | stats count earliest(_time) as firstTime latest(_time) as + lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`' +how_to_implement: You must install splunk Microsoft Office 365 add-on. This search + works with o365:management:activity +known_false_positives: PST export can be done for legitimate purposes but due to the + sensitive nature of its content it must be monitored. references: - https://attack.mitre.org/techniques/T1114/ drilldown_searches: 
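Review bot: the rewrapped `+how_to_implement:` keeps the older wording "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", which differs in capitalization and completeness from the phrasing used by the sibling detections in this same change ("You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events."); since the line is being touched anyway, align it. Likewise `data_source: - O365` is less specific than the "Office 365 Universal Audit Log" value used elsewhere in this PR.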
@@ -19,41 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Source$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Source$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Source$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $Source$ has exported a PST file from the search using this operation- + $Operation$ with a severity of $Severity$ + risk_objects: + - field: Source + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques - Data Exfiltration asset_type: O365 Tenant - confidence: 60 - impact: 80 - message: User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$ mitre_attack_id: - T1114 - observable: - - name: Source - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Category - - Name - - Source - - Severity - - AlertEntityId - - Operation - 
risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_safe_links_detection.yml b/detections/cloud/o365_safe_links_detection.yml index 977416fee7..1c85c2120c 100644 --- a/detections/cloud/o365_safe_links_detection.yml +++ b/detections/cloud/o365_safe_links_detection.yml 
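Review bot: the new `rba.risk_objects` entry maps `field: Source` to `type: user`, but the search groups by `Source Severity AlertEntityId Operation Name` from a ThreatManagement alert, and it is not evident from the hunk that `Source` always carries a user principal rather than an alert source label; please confirm, otherwise risk will be attributed to a non-user string. The `rba.message` also keeps the awkward "using this operation- $Operation$"; "using operation $Operation$" reads better.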
@@ -1,15 +1,24 @@ name: O365 Safe Links Detection id: 711d9e8c-2cb0-45cf-8813-5f191ecb9b26 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic detects when any Microsoft Safe Links alerting is triggered. This behavior may indicate when user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem. +description: The following analytic detects when any Microsoft Safe Links alerting + is triggered. This behavior may indicate when user has interacted with a phishing + or otherwise malicious link within the Microsoft Office ecosystem. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Name="*a potentially malicious URL*" Operation=AlertEntityGenerated | fromjson Data | stats count min(_time) as firstTime max(_time) as lastTime values(ObjectId) as url values(od) as desc by AlertId,trc,Operation,Name,ot | rename Name as signature, AlertId as signature_id, trc as user,ot as action | eval action = CASE(action == "Allowed", "allowed", action=="BlockPageOverride", "allowed", true(),"blocked") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_safe_links_detection_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The Safe Links capability must be configured and is typically only available to E3/E5 level customers. 
+search: '`o365_management_activity` Name="*a potentially malicious URL*" Operation=AlertEntityGenerated + | fromjson Data | stats count min(_time) as firstTime max(_time) as lastTime values(ObjectId) + as url values(od) as desc by AlertId,trc,Operation,Name,ot | rename Name as signature, + AlertId as signature_id, trc as user,ot as action | eval action = CASE(action == + "Allowed", "allowed", action=="BlockPageOverride", "allowed", true(),"blocked") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_safe_links_detection_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. The Safe Links capability must be configured + and is typically only available to E3/E5 level customers. known_false_positives: Based on Safe Links policies, may vary. references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide 
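Review bot: the `+how_to_implement:` and `+description:` lines are rewrapped but `known_false_positives: Based on Safe Links policies, may vary.` stays as vague as before; since the `eval action = CASE(...)` in the search deliberately maps `BlockPageOverride` to "allowed" (a user clicking through the warning page), the false-positive note would be more useful if it stated what the analyst should tune (policy scope, override behaviour) rather than "may vary". Minor grammar in the `+description:` line: "may indicate when user has interacted" needs "a user".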
@@ -20,46 +29,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $user$ triggered a Microsoft Safe Links detection. + risk_objects: + - field: user + type: user + score: 40 + threat_objects: + - field: url + type: url tags: analytic_story: - Office 365 Account Takeover - Spearphishing Attachments asset_type: O365 Tenant - confidence: 100 - impact: 40 - message: $user$ triggered a Microsoft Safe Links detection. 
mitre_attack_id: - T1566 - T1566.001 - observable: - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - AlertId - - Operation - - Name - - AlertId - - trc - - ot - risk_score: 40 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml index 3f63413842..f7a2340203 100644 --- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml +++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml 
@@ -1,15 +1,33 @@ name: O365 Security And Compliance Alert Triggered id: 5b367cdd-8dfc-49ac-a9b7-6406cf27f33e -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities. -search: '`o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed. 
+description: The following analytic identifies alerts triggered by the Office 365 + Security and Compliance Center, indicating potential threats or policy violations. + It leverages data from the `o365_management_activity` dataset, focusing on events + where the workload is SecurityComplianceCenter and the operation is AlertTriggered. + This activity is significant as it highlights security and compliance issues within + the O365 environment, which are crucial for maintaining organizational security. + If confirmed malicious, these alerts could indicate attempts to breach security + policies, leading to unauthorized access, data exfiltration, or other malicious + activities. +search: '`o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement + Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data + path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid + output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data + path=lon output=operation_name | spath input=Data path=an output=alert_name | spath + input=Data path=sev output=severity | stats count earliest(_time) as firstTime + latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, + alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_security_and_compliance_alert_triggered_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: O365 Security and Compliance may also generate false positives + or trigger on legitimate behavior, filter as needed. references: - https://attack.mitre.org/techniques/T1078/004/ - https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide 
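Review bot: `data_source: []` in this hunk is empty even though the search reads from `o365_management_activity` and the other detections in this change declare "Office 365 Universal Audit Log" or "O365 Universal Audit Log"; populate it for consistency. In the rewrapped `+search:`, `spath input=_raw path=wl` (no `output=`) and `spath input=Data path=lon output=operation_name` extract fields that the following `stats ... by user, Name, operation, rule_id, alert_description, alert_name, severity` never uses; either drop them or add them to the `by` clause if the workload and operation name are meant to reach the analyst.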
@@ -20,40 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Security and Compliance triggered an alert for $user$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 80 - impact: 60 - message: Security and Compliance triggered an alert for $user$ mitre_attack_id: - T1078 - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Category - - Operation - - Name - - Data - risk_score: 48 security_domain: identity tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml index 4adc23b23f..4748ee38f9 100644 --- a/detections/cloud/o365_service_principal_new_client_credentials.yml +++ b/detections/cloud/o365_service_principal_new_client_credentials.yml 
@@ -1,16 +1,28 @@ name: O365 Service Principal New Client Credentials id: a1b229e9-d962-4222-8c62-905a8a010453 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity. +description: The following analytic detects the addition of new credentials for Service + Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events + related to credential modifications or additions in the AzureActiveDirectory workload. + This activity is significant because Service Principals represent application identities, + and their credentials allow applications to authenticate and access resources. If + an attacker successfully adds or modifies these credentials, they can impersonate + the application, leading to unauthorized data access, data exfiltration, or malicious + operations under the application's identity. 
data_source: - O365 -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management " | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update + application*Certificates and secrets management " | stats earliest(_time) as firstTime + latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Service Principal client credential modifications may be part + of legitimate administrative operations. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/001/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 
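Review bot: `version` jumps from 4 to 6 in this hunk while every other detection in this change bumps by one; unless a version 5 of this file landed elsewhere, set it to 5 so the version history stays contiguous. Note also that the new wrap point in `search` lands inside the quoted Operation value, right after `Update`; YAML folds that line break into a single space, so the value still reads `Update application*Certificates and secrets management ` with its trailing space, which is what the original line matched, so no behaviour change there.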
@@ -22,44 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: New credentials added for Service Principal $object$ + risk_objects: + - field: object + type: user + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant - confidence: 50 - impact: 70 - message: New credentials added for Service Principal $object$ mitre_attack_id: - T1098 - T1098.001 - observable: - - name: object - type: User - role: - - Victim - - name: user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 35 - required_fields: - - _time - - Workload - - Operation - - object - - user security_domain: identity tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml index 85576e00a7..ee93c75401 100644 --- a/detections/cloud/o365_service_principal_privilege_escalation.yml +++ b/detections/cloud/o365_service_principal_privilege_escalation.yml @@ -3,7 +3,7 @@ id: b686d0bd-cca7-44ca-ae07-87f6465131d9 version: 1 date: '2025-01-06' author: Dean Luxton -data_sources: +data_source: - O365 Add app role assignment grant to user type: TTP status: production 
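Review bot: The `data_sources:` to `data_source:` rename in o365_service_principal_privilege_escalation.yml changes the parsed content of the detection (the list of data sources was under a key none of the sibling files use), yet `version: 1` and `date: '2025-01-06'` stay as they are while every other touched detection bumps both; either bump them for consistency or state in the PR that the file had not been released under the old key.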
@@ -33,40 +33,27 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$ + risk_objects: + - field: servicePrincipal + type: user + score: 100 + threat_objects: + - field: user_agent + type: http_user_agent tags: analytic_story: - Azure Active Directory Privilege Escalation - Office 365 Account Takeover asset_type: Azure Tenant - confidence: 100 - impact: 100 - message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$ mitre_attack_id: - T1098.003 - T1098 - observable: - - name: servicePrincipal - type: User - role: - - Victim - - name: user_agent - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - user_agent - - Actor{}.ID - - ResultStatus - - Operation - - ModifiedProperties{} - - user - - InterSystemsId - - tenant_id - risk_score: 100 security_domain: identity tests: - name: True Positive Test diff --git a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml index 1a5827709f..8cbdd85c92 100644 --- a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml +++ b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml 
@@ -1,15 +1,33 @@ name: O365 SharePoint Allowed Domains Policy Changed id: b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the allowed domain settings for O365 SharePoint have been changed. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations may also need access to OneDrive/SharePoint resources. These changed should be monitored by security teams as they could potentially lead to unauthorized access. +description: The following analytic identifies when the allowed domain settings for + O365 SharePoint have been changed. With Azure AD B2B collaboration, users and administrators + can invite external users to collaborate with internal users. External guest account + invitations may also need access to OneDrive/SharePoint resources. These changed + should be monitored by security teams as they could potentially lead to unauthorized + access. 
data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=SharePoint Operation=SharingPolicyChanged "ModifiedProperties{}.Name"=AllowDomainList | eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name=''ModifiedProperties{}.Name'', object_attrs_new = split(replace(''ModifiedProperties{}.NewValue'',"\.\.\.",""),","), object_attrs_old = split(replace(''ModifiedProperties{}.OldValue'',"\.\.\.",""),",") | stats values(object_attrs_new) as object_attrs_new, values(object_attrs_old) as object_attrs_old, values(src) as src, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,signature_id,object_name | eval diff_add=mvmap(object_attrs_new,if(isnull(mvfind(object_attrs_old,object_attrs_new)),object_attrs_new,null)) | eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs_new,object_attrs_old)),object_attrs_old,null)) | eval result = case(isnotnull(diff_add),"Added ".mvjoin(diff_add,","),isnotnull(diff_remove),"Removed ".mvjoin(diff_remove,",")), action = case(isnotnull(diff_add),"created",isnotnull(diff_remove),"deleted") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_sharepoint_allowed_domains_policy_changed_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+search: "`o365_management_activity` Workload=SharePoint Operation=SharingPolicyChanged + \"ModifiedProperties{}.Name\"=AllowDomainList | eval signature_id = CorrelationId, + signature=Operation, src = ClientIP, user = UserId, object_name='ModifiedProperties{}.Name', + object_attrs_new = split(replace('ModifiedProperties{}.NewValue',\"\\.\\.\\.\",\"\ + \"),\",\"), object_attrs_old = split(replace('ModifiedProperties{}.OldValue',\"\\\ + .\\.\\.\",\"\"),\",\") | stats values(object_attrs_new) as object_attrs_new, values(object_attrs_old) + as object_attrs_old, values(src) as src, count, min(_time) as firstTime, max(_time) + as lastTime by user,signature,signature_id,object_name | eval diff_add=mvmap(object_attrs_new,if(isnull(mvfind(object_attrs_old,object_attrs_new)),object_attrs_new,null)) + | eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs_new,object_attrs_old)),object_attrs_old,null)) + | eval result = case(isnotnull(diff_add),\"Added \".mvjoin(diff_add,\",\"),isnotnull(diff_remove),\"\ + Removed \".mvjoin(diff_remove,\",\")), action = case(isnotnull(diff_add),\"created\"\ + ,isnotnull(diff_remove),\"deleted\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_sharepoint_allowed_domains_policy_changed_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: Business approved changes by known administrators. references: - https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview 
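Review bot: The description re-wrap carries over the typo in `These changed should be monitored`; make it `These changes should be monitored` while these lines are being rewritten. The `search` scalar also switches from single quotes to double quotes, which forces `\"`, `\\.` and end-of-line `\` continuation escapes (for example `\"\\\` followed by `.\\.\\.\"`) that are hard to verify by eye; the escapes do resolve to the original `"\.\.\."` regex and `""` replacement, but a block scalar (`search: |`) or the original single-quoted form with `''` would keep the search readable and reviewable.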
@@ -19,42 +37,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The SharePoint Online domain allowlist was changed by $user$, $result$ + risk_objects: + - field: user + type: user + score: 75 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: O365 Tenant - confidence: 100 - impact: 75 - message: The SharePoint Online domain allowlist was changed by $user$, $result$ mitre_attack_id: - T1136.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - ModifiedProperties{}.Name - - CorrelationId - - ClientIP - - UserId - - ModifiedProperties{}.NewValue - - ModifiedProperties{}.OldValue - risk_score: 75 security_domain: threat 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_sharepoint_malware_detection.yml b/detections/cloud/o365_sharepoint_malware_detection.yml index 8f44f69423..a3136a5595 100644 --- a/detections/cloud/o365_sharepoint_malware_detection.yml +++ b/detections/cloud/o365_sharepoint_malware_detection.yml 
@@ -1,15 +1,24 @@ name: O365 SharePoint Malware Detection id: 583c5de3-7709-44cb-abfc-0e828d301b59 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when a malicious file is detected within the SharePoint Online ecosystem. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities further enhance these detection and response functions. +description: The following analytic identifies when a malicious file is detected within + the SharePoint Online ecosystem. Attackers may stage and execute malicious files + from within the Microsoft Office 365 ecosystem. Any detections from built-in Office + 365 capabilities should be monitored and responded to appropriately. Certain premium + Office 365 capabilities further enhance these detection and response functions. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Operation=FileMalwareDetected | stats values(Workload) as category, values(SourceFileName) as file_name values(ObjectId) as file_path, values(VirusInfo) as signature, count, min(_time) as firstTime, max(_time) as lastTime by Id, UserId | rename Id as signature_id, UserId as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_sharepoint_malware_detection_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+search: '`o365_management_activity` Operation=FileMalwareDetected | stats values(Workload) + as category, values(SourceFileName) as file_name values(ObjectId) as file_path, + values(VirusInfo) as signature, count, min(_time) as firstTime, max(_time) as lastTime + by Id, UserId | rename Id as signature_id, UserId as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_sharepoint_malware_detection_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide 
@@ -19,52 +28,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: SharePoint detected a potentially malicious file $file_name$ + risk_objects: + - field: user + type: user + score: 75 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Azure Active Directory Persistence - Office 365 Account Takeover - Ransomware Cloud asset_type: O365 Tenant - confidence: 100 - impact: 75 - message: SharePoint detected a potentially malicious file $file_name$ mitre_attack_id: - T1204.002 - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Victim - - name: signature - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - 
Workload - - SourceFileName - - ObjectId - - VirusInfo - - Id - - UserId - risk_score: 75 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml index 10626951b3..5375087924 100644 --- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml 
@@ -1,16 +1,30 @@ name: O365 Tenant Wide Admin Consent Granted id: 50eaabf8-5180-4e86-bfb2-011472c359fc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Consent to application. -description: The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations. -search: '`o365_management_activity` Operation="Consent to application." | eval new_field=mvindex(''ModifiedProperties{}.NewValue'', 4) | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Legitimate applications may be granted tenant wide consent, filter as needed. +description: The following analytic identifies instances where admin consent is granted + to an application within an Azure AD and Office 365 tenant. It leverages O365 audit + logs, specifically events related to the admin consent action within the AzureActiveDirectory + workload. 
This activity is significant because admin consent allows applications + to access data across the entire tenant, potentially exposing vast amounts of organizational + data. If confirmed malicious, an attacker could gain extensive and persistent access + to organizational data, leading to data exfiltration, espionage, further malicious + activities, and potential compliance violations. +search: "`o365_management_activity` Operation=\"Consent to application.\" | eval + new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field \"ConsentType: + (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | + search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) + as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)`\ + \ | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Legitimate applications may be granted tenant wide consent, + filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 
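Review bot: As rendered, both the removed and the added `search` lines show the rex groups as `(?[^\\,]+)` with no capture-group name, which is not a valid named group and would leave `ConsentType` and `Scope` unset, so the later `search ConsentType = \"AllPrincipals\"` would never match; verify that the committed file actually contains `(?<ConsentType>[^\\,]+)` and `(?<Scope>[^\\,]+)` and that the names were only lost in the diff rendering. The double-quoted form also introduces a `\` line continuation followed by `\ |` before the `security_content_ctime(lastTime)` macro, another escape that a block scalar would avoid.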
@@ -23,41 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The $object$ application registration was granted tenant wide admin consent. + risk_objects: + - field: user + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Office 365 Persistence Mechanisms - NOBELIUM Group asset_type: O365 Tenant - confidence: 50 - impact: 90 - message: The $object$ application registration was granted tenant wide admin consent. 
mitre_attack_id: - T1098 - T1098.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - Operation - - user - - object - - ObjectId - - ModifiedProperties{}.NewValue security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml index f2ed2dcc5b..b2142169f6 100644 --- a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml +++ b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml 
@@ -1,15 +1,31 @@ name: O365 Threat Intelligence Suspicious Email Delivered id: 605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: Anomaly -description: The following analytic identifies when a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user. Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions. +description: The following analytic identifies when a suspicious email is detected + within the Microsoft Office 365 ecosystem through the Advanced Threat Protection + engine and delivered to an end user. Attackers may execute several attacks through + email, any detections from built-in Office 365 capabilities should be monitored + and responded to appropriately. Certain premium Office 365 capabilities such as + Safe Attachment and Safe Links further enhance these detection and response functions. 
data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=ThreatIntelligence Operation=TIMailData DeliveryAction!=Blocked Directionality=InBound | rename P2Sender as src_user, P1Sender as sender, Recipients{} as user, DeliveryAction as action | stats values(SenderIp) as src, values(Subject) as subject, values(user) as user, values(action) as action, values(SystemOverrides{}.Details) as reason, values(LatestDeliveryLocation) as result, values(ThreatsAndDetectionTech{}) as category, values(AttachmentData{}.FileName) as file_name, values(AttachmentData{}.FileType) as file_type, values(AttachmentData{}.SHA256) as file_hash values(DetectionMethod) as signature, min(_time) as firstTime max(_time) as lastTime, count by src_user,sender | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_threat_intelligence_suspicious_email_delivered_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The threat intelligence workload is typically only visible to E3/E5 level customers. 
+search: '`o365_management_activity` Workload=ThreatIntelligence Operation=TIMailData + DeliveryAction!=Blocked Directionality=InBound | rename P2Sender as src_user, P1Sender + as sender, Recipients{} as user, DeliveryAction as action | stats values(SenderIp) + as src, values(Subject) as subject, values(user) as user, values(action) as action, + values(SystemOverrides{}.Details) as reason, values(LatestDeliveryLocation) as result, + values(ThreatsAndDetectionTech{}) as category, values(AttachmentData{}.FileName) + as file_name, values(AttachmentData{}.FileType) as file_type, values(AttachmentData{}.SHA256) + as file_hash values(DetectionMethod) as signature, min(_time) as firstTime max(_time) + as lastTime, count by src_user,sender | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `o365_threat_intelligence_suspicious_email_delivered_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. The threat intelligence workload is typically + only visible to E3/E5 level customers. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide 
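Review bot: The description in this hunk keeps the comma splice `Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored`; split it into two sentences while the text is being re-wrapped. In the `search`, `values(AttachmentData{}.SHA256) as file_hash values(DetectionMethod) as signature` lacks the comma that separates every other aggregation in the list; `stats` accepts either form, but keep the style consistent so the list is easy to scan.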
@@ -20,51 +36,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious email was delivered to $user$ by $src_user$ matching the $signature$ + signature + risk_objects: + - field: user + type: user + score: 20 + - field: src_user + type: user + score: 20 + threat_objects: + - field: subject + type: email_subject tags: analytic_story: - Spearphishing Attachments - Suspicious Emails asset_type: O365 Tenant - confidence: 100 - impact: 20 - message: A suspicious email was delivered to $user$ by $src_user$ matching the $signature$ signature mitre_attack_id: - T1566 - T1566.001 - T1566.002 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim - - name: subject - type: Other - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - P2Sender - - P1Sender - - Recipients - - DeliveryAction - - Operation - - Workload - risk_score: 20 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml index 0b74f9b17d..d7fcb9eb0a 100644 --- a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml +++ b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml 
@@ -1,15 +1,27 @@ name: O365 Threat Intelligence Suspicious File Detected id: 00958c7b-35db-4e7a-ad13-31550a7a7c64 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when a malicious file is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions. +description: The following analytic identifies when a malicious file is detected within + the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine. + Attackers may stage and execute malicious files from within the Microsoft Office + 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored + and responded to appropriately. Certain premium Office 365 capabilities such as + Safe Attachment and Safe Links further enhance these detection and response functions. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=ThreatIntelligence Operation=AtpDetection | stats values(DetectionMethod) as category values(FileData.FileName) as file_name values(FileData.FilePath) as file_path values(FileData.FileSize) as file_size values(FileData.MalwareFamily) as signature count, min(_time) as firstTime, max(_time) as lastTime by Id, UserId | rename Id as signature_id, UserId as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_threat_intelligence_suspicious_file_detected_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
The threat intelligence workload is typically only visible to E3/E5 level customers. +search: '`o365_management_activity` Workload=ThreatIntelligence Operation=AtpDetection + | stats values(DetectionMethod) as category values(FileData.FileName) as file_name + values(FileData.FilePath) as file_path values(FileData.FileSize) as file_size values(FileData.MalwareFamily) + as signature count, min(_time) as firstTime, max(_time) as lastTime by Id, UserId + | rename Id as signature_id, UserId as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_threat_intelligence_suspicious_file_detected_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. The threat intelligence workload is typically + only visible to E3/E5 level customers. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about?view=o365-worldwide 
@@ -20,49 +32,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Threat Intelligence workload detected a malicious file [$file_name$] from + user $user$ + risk_objects: + - field: user + type: user + score: 50 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Azure Active Directory Account Takeover - Office 365 Account Takeover - Ransomware Cloud asset_type: O365 Tenant - confidence: 100 - impact: 50 - message: Threat Intelligence workload detected a malicious file [$file_name$] from user $user$ mitre_attack_id: - T1204.002 - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Victim - - name: signature - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk 
Cloud - required_fields: - - _time - - Workload - - Operation - - Id - - UserId - risk_score: 50 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml index f2f14f85f0..f345c04d9e 100644 --- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml 
@@ -1,16 +1,31 @@ name: O365 User Consent Blocked for Risky Application id: 242e4d30-cb59-4051-b0cf-58895e218f40 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 Consent to application. -description: The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure | eval permissions =mvindex(''ModifiedProperties{}.NewValue'', 4) | eval reason =mvindex(''ModifiedProperties{}.NewValue'', 5) | search reason = "Risky application detected" | rex field=permissions "Scope: (?[^,]+)" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications. +description: The following analytic identifies instances where Office 365 has blocked + a user's attempt to grant consent to an application deemed risky or potentially + malicious. 
This detection leverages O365 audit logs, specifically focusing on failed + user consent actions due to system-driven blocks. Monitoring these blocked consent + attempts is crucial as it highlights potential threats early on, indicating that + a user might be targeted or that malicious applications are attempting to infiltrate + the organization. If confirmed malicious, this activity suggests that O365's security + measures successfully prevented a harmful application from accessing organizational + data, warranting immediate investigation. +search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent + to application.\" ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', + 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = + \"Risky application detected\" | rex field=permissions \"Scope: (?[^,]+)\"\ + \ | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` + | `o365_user_consent_blocked_for_risky_application_filter`" +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Microsofts algorithm to identify risky applications is unknown + and may flag legitimate applications. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ 
@@ -24,40 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: O365 has blocked $user$ attempt to grant to consent to an application deemed + risky. + risk_objects: + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 100 - impact: 30 - message: O365 has blocked $user$ attempt to grant to consent to an application deemed risky. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - Workload - - Operation - - ResultStatus - - ModifiedProperties{}.NewValue - - object - - ObjectId security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml index bbe450fbe9..c39c7a3140 100644 --- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml 
@@ -1,16 +1,28 @@ name: O365 User Consent Denied for OAuth Application id: 2d8679ef-b075-46be-8059-c25116cb1072 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-14' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - O365 -description: The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Office 365 environment. This detection leverages O365 audit logs, focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, it captures instances where users have actively rejected permission requests. This activity is significant as it may indicate users spotting potentially suspicious or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user. -search: '`o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. -known_false_positives: OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. +description: The following analytic identifies instances where a user has denied consent + to an OAuth application seeking permissions within the Office 365 environment. This + detection leverages O365 audit logs, focusing on events related to user consent + actions. By filtering for denied consent actions associated with OAuth applications, + it captures instances where users have actively rejected permission requests. 
This + activity is significant as it may indicate users spotting potentially suspicious + or unfamiliar applications. If confirmed malicious, it suggests an attempt by a + potentially harmful application to gain unauthorized access, which was proactively + blocked by the user. +search: '`o365_graph` status.errorCode=65004 | rename userPrincipalName as user | + rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName + status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 events. +known_false_positives: OAuth applications that require mail permissions may be legitimate, + investigate and filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ 
@@ -24,42 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ denifed consent for an OAuth application. + risk_objects: + - field: user + type: user + score: 30 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 100 - impact: 30 - message: User $user$ denifed consent for an OAuth application. 
mitre_attack_id: - T1528 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 30 - required_fields: - - _time - - status.errorCode - - userPrincipalName - - ipAddress - - status.failureReason security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log source: o365 sourcetype: o365:graph:api diff --git a/detections/cloud/o365_zap_activity_detection.yml b/detections/cloud/o365_zap_activity_detection.yml index 8a676ba6d3..b16c86afb1 100644 --- a/detections/cloud/o365_zap_activity_detection.yml +++ b/detections/cloud/o365_zap_activity_detection.yml 
@@ -1,15 +1,27 @@ name: O365 ZAP Activity Detection id: 4df275fd-a0e5-4246-8b92-d3201edaef7a -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-14' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when the Microsoft Zero-hour Automatic Purge (ZAP) capability takes action against a user's mailbox. This capability is an enhanced protection feature that retro-actively removes email with known malicious content for user inboxes. Since this is a retroactive capability, there is still a window in which the user may fall victim to the malicious content. +description: The following analytic detects when the Microsoft Zero-hour Automatic + Purge (ZAP) capability takes action against a user's mailbox. This capability is + an enhanced protection feature that retro-actively removes email with known malicious + content for user inboxes. Since this is a retroactive capability, there is still + a window in which the user may fall victim to the malicious content. data_source: - O365 Universal Audit Log -search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name="*messages containing malicious*" | fromjson Data | stats count min(_time) as firstTime max(_time) as lastTime values(zu) as url values(zfn) as file_name values(ms) as subject values(ttr) as result values(tsd) as src_user by AlertId,trc,Operation,Name | rename Name as signature, AlertId as signature_id, trc as user | eval action = CASE(match(result,"Success"), "blocked", true(),"allowed"), url = split(url,";") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_zap_activity_detection_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Some features of Zero-hour purge are only offered within E3/E5 license level tenants, events may not be available otherwise. 
+search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated + Name="*messages containing malicious*" | fromjson Data | stats count min(_time) + as firstTime max(_time) as lastTime values(zu) as url values(zfn) as file_name values(ms) + as subject values(ttr) as result values(tsd) as src_user by AlertId,trc,Operation,Name + | rename Name as signature, AlertId as signature_id, trc as user | eval action = + CASE(match(result,"Success"), "blocked", true(),"allowed"), url = split(url,";") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_zap_activity_detection_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. Some features of Zero-hour purge are only + offered within E3/E5 license level tenants, events may not be available otherwise. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide 
@@ -19,54 +31,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ was included in a ZAP protection activity. + risk_objects: + - field: user + type: user + score: 10 + threat_objects: + - field: file_name + type: file_name + - field: url + type: url + - field: src_user + type: email_address tags: analytic_story: - Spearphishing Attachments - Suspicious Emails asset_type: O365 Tenant - confidence: 50 - impact: 20 - message: User $user$ was included in a ZAP protection activity. 
mitre_attack_id: - T1566 - T1566.001 - T1566.002 - observable: - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: url - type: URL String - role: - - Attacker - - name: src_user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - Name - - Data - - AlertId - risk_score: 10 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml index 48d79021a3..f1555d3ff6 100644 --- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml +++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml 
@@ -1,14 +1,30 @@ name: Risk Rule for Dev Sec Ops by Repository id: 161bc0ca-4651-4c13-9c27-27770660cf67 -version: 4 -date: '2024-10-22' +version: 5 +date: '2024-11-14' author: Bhavin Patel status: production type: Correlation -description: The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise. +description: The following analytic identifies high-risk activities within repositories + by correlating repository data with risk scores. It leverages risk events from the + Dev Sec Ops analytic stories, summing risk scores and capturing source and user + information. The detection focuses on high-risk scores above 100 and sources with + more than three occurrences. This activity is significant as it highlights repositories + frequently targeted by threats, providing insights into potential vulnerabilities. + If confirmed malicious, attackers could exploit these repositories, leading to data + breaches or infrastructure compromise. 
data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`' -how_to_implement: Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) + as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count values(source) as source, dc(source) as source_count + from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type + = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic + | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`' +how_to_implement: Ensure that all relevant detections in the Dev Sec Ops analytic + stories are enabled and are configured to create risk events in Enterprise Security. known_false_positives: Unknown references: [] drilldown_searches: 
@@ -17,35 +33,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Dev Sec Ops asset_type: Amazon Elastic Container Registry - confidence: 100 - impact: 70 - message: Correlation triggered for repository $risk_object$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: risk_object - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 70 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log + - data: + 
https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log source: aws_ecr_risk_dataset.log sourcetype: stash diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml index 2bf544975c..e46dec6369 100644 --- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml +++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml @@ -1,7 +1,7 @@ name: Abnormally High AWS Instances Launched by User id: 2a9b80d3-6340-4345-b5ad-290bf5d0dac4 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Anomaly @@ -25,29 +25,22 @@ known_false_positives: Many service accounts configured within an AWS infrastruc out service accounts from the output. Always verify if this search alerted on a human user. references: [] +rba: + message: Abnormal number of instances launched by $userName$ + risk_objects: + - field: userName + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Cryptomining - Suspicious AWS EC2 Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: userName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - userName - risk_score: 25.0 security_domain: network diff --git a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml index 5e87158127..9acc4411b2 100644 --- a/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml +++ b/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml 
@@ -1,7 +1,7 @@ name: Abnormally High AWS Instances Launched by User - MLTK id: dec41ad5-d579-42cb-b4c6-f5dbb778bbe5 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Jason Brewer, Splunk status: deprecated type: Anomaly @@ -21,29 +21,22 @@ known_false_positives: Many service accounts configured within an AWS infrastruc out service accounts from the output. Always verify if this search alerted on a human user. references: [] +rba: + message: Abnormal number of instances launched by $src_user$ + risk_objects: + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Cryptomining - Suspicious AWS EC2 Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - src_user - risk_score: 25.0 security_domain: network diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml index 4f19cf183c..ae3c15024b 100644 --- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml +++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml @@ -1,7 +1,7 @@ name: Abnormally High AWS Instances Terminated by User id: 8d301246-fccf-45e2-a8e7-3655fd14379c -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Anomaly 
@@ -26,28 +26,21 @@ known_false_positives: Many service accounts configured with your AWS infrastruc out service accounts from the output. Always verify whether this search alerted on a human user. references: [] +rba: + message: Abnormal number of instances terminated by $userName$ + risk_objects: + - field: userName + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious AWS EC2 Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: userName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - userName - risk_score: 25 security_domain: network diff --git a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml index c05b11bc3f..04f88a704a 100644 --- a/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml +++ b/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml @@ -1,7 +1,7 @@ name: Abnormally High AWS Instances Terminated by User - MLTK id: 1c02b86a-cd85-473e-a50b-014a9ac8fe3e -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Jason Brewer, Splunk status: deprecated type: Anomaly 
@@ -21,28 +21,21 @@ known_false_positives: Many service accounts configured within an AWS infrastruc out service accounts from the output. Always verify if this search alerted on a human user. references: [] +rba: + message: Abnormal number of instances terminated by $src_user$ + risk_objects: + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious AWS EC2 Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - src_user - risk_score: 25 security_domain: network diff --git a/detections/deprecated/account_discovery_with_net_app.yml b/detections/deprecated/account_discovery_with_net_app.yml new file mode 100644 index 0000000000..ce8d2fa45f --- /dev/null +++ b/detections/deprecated/account_discovery_with_net_app.yml 
@@ -0,0 +1,79 @@ +name: Account Discovery With Net App +id: 339805ce-ac30-11eb-b87d-acde48001122 +version: 8 +date: '2025-01-13' +author: Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community +status: deprecated +type: TTP +description: The following analytic has been deprecated in favour of the more generic "45e52536-ae42-11eb-b5c6-acde48001122". The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.parent_process) as parent_process values(Processes.process_id) + as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` AND (Processes.process="* user *" OR Processes.process="*config*" + OR Processes.process="*view /all*") by Processes.process_name Processes.dest Processes.user + Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Admin or power user may used this series of command. +references: +- https://labs.vipre.com/trickbot-and-its-modules/ +- https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ +- https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$. 
+ risk_objects: + - field: user + type: user + score: 5 + - field: dest + type: system + score: 5 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Trickbot + - IcedID + asset_type: Endpoint + mitre_attack_id: + - T1087.002 + - T1087 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/asl_aws_createaccesskey.yml b/detections/deprecated/asl_aws_createaccesskey.yml index 477f384c24..e7588388f6 100644 --- a/detections/deprecated/asl_aws_createaccesskey.yml +++ b/detections/deprecated/asl_aws_createaccesskey.yml 
@@ -1,39 +1,43 @@ name: ASL AWS CreateAccessKey id: ccb3e4af-23d6-407f-9842-a26212816c9e -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Hunting -description: This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. - An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. - While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative - of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to - establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS - services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. - Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with - unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user - creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed - manual during threat hunting. +description: This detection rule monitors for the creation of AWS Identity and Access + Management (IAM) access keys. An IAM access key consists of an access key ID and + secret access key, which are used to sign programmatic requests to AWS services. + While IAM access keys can be legitimately used by developers and administrators + for API access, their creation can also be indicative of malicious activity. 
Attackers + who have gained unauthorized access to an AWS environment might create access keys + as a means to establish persistence or to exfiltrate data through the APIs. Moreover, + because access keys can be used to authenticate with AWS services without the need + for further interaction, they can be particularly appealing for bad actors looking + to operate under the radar. Consequently, it's important to vigilantly monitor and + scrutinize access key creation events, especially if they are associated with unusual + activity or are created by users who don't typically perform these actions. This + hunting query identifies when a potentially compromised user creates a IAM access + key for another user who may have higher privilleges, which can be a sign for privilege + escalation. Hunting queries are designed to be executed manual during threat hunting. data_source: [] -search: '`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null - | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value - | eval keyjoin=mvzip(unmapped_key,unmapped_value) - | mvexpand keyjoin - | rex field=keyjoin "^(?[^,]+),(?.*)$" - | eval {key} = value - | search responseElements.accessKey.userName = * - | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName - | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) - | search match=0 - | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName - | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName - api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name - identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip - | `security_content_ctime(firstTime)` - | 
`security_content_ctime(lastTime)` - |`asl_aws_createaccesskey_filter`' -how_to_implement: You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. +search: '`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com + api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value + as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin + | rex field=keyjoin "^(?[^,]+),(?.*)$" | eval {key} = value | search + responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, + responseElements.accessKey.userName as responseElements_accessKey_userName | eval + match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 + | rename identity_user_name as identity.user.name , responseElements_accessKey_userName + as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) + as lastTime by responseElements.accessKey.userName api.operation api.service.name + identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type + identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`' +how_to_implement: You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) + that includes includes a merge of all the capabilities of the Splunk Add-on for + Amazon Security Lake. This search works with Amazon Security Lake logs which are + parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: @@ -43,45 +47,18 @@ tags: analytic_story: - AWS IAM Privilege Escalation asset_type: AWS Account - confidence: 90 - impact: 70 - message: User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ - from this IP $src_endpoint.ip$ mitre_attack_id: - T1078 - observable: - - name: src_endpoint.ip - type: IP Address - role: - - Attacker - - name: identity.user.name - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.service.name - - api.operation - - identity.user.account_uid - - identity.user.credential_uid - - identity.user.name - - identity.user.type - - identity.user.uid - - identity.user.uuid - - http_request.user_agent - - src_endpoint.ip - - unmapped{}.key - - unmapped{}.value - risk_score: 63 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json sourcetype: aws:asl source: aws_asl - update_timestamp: true diff --git a/detections/deprecated/asl_aws_excessive_security_scanning.yml b/detections/deprecated/asl_aws_excessive_security_scanning.yml index fdda20b3e0..0ee3a463e3 100644 --- a/detections/deprecated/asl_aws_excessive_security_scanning.yml +++ b/detections/deprecated/asl_aws_excessive_security_scanning.yml @@ -1,7 +1,7 @@ name: ASL AWS Excessive Security Scanning id: ff2bfdbc-65b7-4434-8f08-d55761d1d446 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Anomaly 
@@ -9,42 +9,36 @@ description: This search looks for AWS CloudTrail events and analyse the amount eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. data_source: [] -search: '`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* - | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent - values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name - | where dc_api_operations > 50 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`' -how_to_implement: You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. +search: '`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR + api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as + firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent + values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region + values(identity.user.account_uid) as identity.user.account_uid by identity.user.name + | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`' +how_to_implement: You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) + that includes includes a merge of all the capabilities of the Splunk Add-on for + Amazon Security Lake. 
This search works with Amazon Security Lake logs which are + parsed in the Open Cybersecurity Schema Framework (OCSF)format. known_false_positives: While this search has no known false positives. references: - https://github.com/aquasecurity/cloudsploit +rba: + message: user $identity.user.name$ has excessive number of api calls. + risk_objects: + - field: identity.user.name + type: user + score: 18 + threat_objects: + - field: src_endpoint.ip + type: ip_address tags: analytic_story: - AWS User Monitoring asset_type: AWS Account - confidence: 60 - impact: 30 - message: user $identity.user.name$ has excessive number of api calls. mitre_attack_id: - T1526 - observable: - - name: src_endpoint.ip - type: IP Address - role: - - Attacker - - name: identity.user.name - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - identity.user.account_uid - - identity.user.name - - http_request.user_agent - - src_endpoint.ip - risk_score: 18 - security_domain: network \ No newline at end of file + security_domain: network diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml index 1a66d779cf..d791f17208 100644 --- a/detections/deprecated/asl_aws_password_policy_changes.yml +++ b/detections/deprecated/asl_aws_password_policy_changes.yml 
@@ -1,24 +1,27 @@ name: ASL AWS Password Policy Changes id: 5ade5937-11a2-4363-ba6b-39a3ee8d5b1a -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Hunting -description: This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful - API calls to view/update/delete the existing password policy in an AWS organization. - It is unlikely for a regular user to conduct this operation. These events may potentially - be malicious, adversaries often use this information to gain more understanding - of the password defenses in place and exploit them to increase their attack surface - when a user account is compromised. +description: This search looks for AWS CloudTrail events from Amazon Security Lake + where a user is making successful API calls to view/update/delete the existing password + policy in an AWS organization. It is unlikely for a regular user to conduct this + operation. These events may potentially be malicious, adversaries often use this + information to gain more understanding of the password defenses in place and exploit + them to increase their attack surface when a user account is compromised. 
data_source: [] -search: '`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null - | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name - identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `asl_aws_password_policy_changes_filter`' -how_to_implement: You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. +search: '`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" + IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") + "api.response.error"=null | stats count min(_time) as firstTime max(_time) as lastTime + by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type + identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`' +how_to_implement: You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) + that includes includes a merge of all the capabilities of the Splunk Add-on for + Amazon Security Lake. This search works with Amazon Security Lake logs which are + parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. @@ -29,41 +32,17 @@ tags: - AWS IAM Privilege Escalation - Compromised User Account asset_type: AWS Account - confidence: 80 - impact: 90 - message: User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts mitre_attack_id: - T1201 - observable: - - name: src_endpoint.ip - type: IP Address - role: - - Attacker - - name: identity.user.name - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.service.name - - api.operation - - identity.user.account_uid - - identity.user.credential_uid - - identity.user.name - - identity.user.type - - identity.user.uid - - identity.user.uuid - - http_request.user_agent - - src_endpoint.ip - risk_score: 72 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/amazon_security_lake.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/amazon_security_lake.json sourcetype: aws:asl source: aws_asl - update_timestamp: true \ No newline at end of file diff --git a/detections/deprecated/attempt_to_stop_security_service.yml b/detections/deprecated/attempt_to_stop_security_service.yml new file mode 100644 index 0000000000..d3307c59bf --- /dev/null +++ b/detections/deprecated/attempt_to_stop_security_service.yml 
@@ -0,0 +1,96 @@ +name: Attempt To Stop Security Service +id: c8e349c6-b97c-486e-8949-bd7bcd1f3910 +version: 10 +date: '2025-01-24' +author: Rico Valdez, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects attempts to stop security-related services + on an endpoint, which may indicate malicious activity. It leverages data from Endpoint + Detection and Response (EDR) agents, specifically searching for processes involving + the "sc.exe" command with the "stop" parameter. This activity is significant because + disabling security services can undermine the organization's security posture, potentially + leading to unauthorized access, data exfiltration, or further attacks like malware + installation or privilege escalation. If confirmed malicious, this behavior could + compromise the endpoint and the entire network, necessitating immediate investigation + and response. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop + *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` |lookup security_services_lookup service as + process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: None identified. Attempts to disable security-related services + should be identified and understood. +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service +- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was 
identified + attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 20 + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - WhisperGate + - Graceful Wipe Out Attack + - Disabling Security Tools + - Data Destruction + - Azorult + - Trickbot + asset_type: Endpoint + mitre_attack_id: + - T1562.001 + - T1562 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml similarity index 79% rename from detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml rename to detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml index 0c3559dd49..86d2c20c82 100644 --- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml 
@@ -1,11 +1,12 @@ name: Attempted Credential Dump From Registry via Reg exe id: e9fb4a59-c5fb-440a-9f24-191fbc6b2911 -version: '11' -date: '2024-11-28' +version: 13 +date: '2025-01-15' author: Patrick Bareiss, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects the execution of reg.exe with parameters +description: The following analytic has been deprecated in favour of "8bbb7d58-b360-11eb-ba21-acde48001122". + The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant @@ -52,6 +53,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to export the registry keys. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - DarkSide Ransomware 
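Review bot: the new deprecation sentence in the description of attempted_credential_dump_from_registry_via_reg_exe.yml points readers only at the UUID "8bbb7d58-b360-11eb-ba21-acde48001122"; put the replacement analytic's name next to the id so the superseding detection can be found without looking the UUID up, e.g. `The following analytic has been deprecated in favour of "<replacement name>" (8bbb7d58-b360-11eb-ba21-acde48001122).` In the same hunk the version goes from '11' straight to 13; if 12 was never released, bumping to 12 keeps the version history contiguous.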
@@ -62,57 +78,24 @@ tags: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to export the registry keys. mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor 
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml index c647d388b3..91a576d2f0 100644 --- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml +++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml 
@@ -1,21 +1,21 @@ name: AWS Cloud Provisioning From Previously Unseen City id: 344a1778-0b25-490c-adb1-de8beddf59cd -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Anomaly -description: 'This search looks for AWS provisioning activities from previously unseen +description: This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the - latest Change Datamodel.' + latest Change Datamodel. data_source: [] search: '`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) - as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv + as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, - City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv + City, Region, Country | outputlookup previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, 
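Review bot: dropping the `.csv` suffix in `inputlookup append=t previously_seen_provisioning_activity_src` and the matching `outputlookup` turns these from a CSV file reference into a lookup-definition reference, so a `previously_seen_provisioning_activity_src` stanza has to exist in the packaged transforms.conf or the subsearch fails with a missing-lookup error; confirm the definition ships with this content, since the same change is repeated in the country, IP-address and region siblings. While the description lines are being re-quoted, the context sentence "This search is deprecated and have been translated" should read "has been translated".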
@@ -25,40 +25,33 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -known_false_positives: 'This is a strictly behavioral search, so we define "false - positive" slightly differently. Every time this fires, it will accurately reflect - the first occurrence in the time period you''re searching within, plus what is - stored in the cache feature. But while there are really no "false positives" - in a traditional sense, there is definitely lots of noise. - - This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning - activity. If you typically do all provisioning from tools inside of your city, - there should be few false positives. If you are located in countries where the - free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution - (particularly small countries in less economically powerful regions), this may - be much less valuable to you.' +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + city is seen in the **GeoIP** database for any kind of provisioning activity. If + you typically do all provisioning from tools inside of your city, there should be + few false positives. 
If you are located in countries where the free version of **MaxMind + GeoIP** that ships by default with Splunk has weak resolution (particularly small + countries in less economically powerful regions), this may be much less valuable + to you." references: [] +rba: + message: AWS provisioning from new city ($City$) + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - AWS Suspicious Provisioning Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1535 - observable: - - name: src_ip - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - sourceIPAddress - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml index 7a6ad8bddf..986a31d1f0 100644 --- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml +++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml 
@@ -1,22 +1,22 @@ name: AWS Cloud Provisioning From Previously Unseen Country id: ceb8d3d8-06cb-49eb-beaf-829526e33ff0 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Anomaly -description: 'This search looks for AWS provisioning activities from previously unseen +description: This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use - the latest Change Datamodel.' + the latest Change Datamodel. data_source: [] search: '`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup - append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as + append=t previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | - outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) + outputlookup previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, 
@@ -26,40 +26,33 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -known_false_positives: 'This is a strictly behavioral search, so we define "false - positive" slightly differently. Every time this fires, it will accurately reflect - the first occurrence in the time period you''re searching over plus what is stored - in the cache feature. But while there are really no \"false positives\" in a traditional - sense, there is definitely lots of noise. - - This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. - If you typically do all provisioning from tools inside of your country, there - should be few false positives. If you are located in countries where the free +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching over plus what is stored + in the cache feature. But while there are really no \\\"false positives\\\" in a + traditional sense, there is definitely lots of noise.\nThis search will fire any + time a new country is seen in the **GeoIP** database for any kind of provisioning + activity. If you typically do all provisioning from tools inside of your country, + there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution - (particularly small countries in less economically powerful regions), this may - be much less valuable to you.' + (particularly small countries in less economically powerful regions), this may be + much less valuable to you." 
references: [] +rba: + message: AWS provisioning from new country ($Country$) + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Suspicious Provisioning Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1535 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - sourceIPAddress - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml index 145370cb23..5568175da0 100644 --- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml +++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml 
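Review bot: in the rewritten known_false_positives of aws_cloud_provisioning_from_previously_unseen_country.yml, `\\\"false positives\\\"` escapes the backslash itself, so the loaded string contains a literal `\"false positives\"` with stray backslashes; the city, IP-address and region siblings use `\"false positives\"`, and this file should match them.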
@@ -1,21 +1,21 @@ name: AWS Cloud Provisioning From Previously Unseen IP Address id: 42e15012-ac14-4801-94f4-f1acbe64880b -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Anomaly -description: 'This search looks for AWS provisioning activities from previously unseen +description: This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use - the latest Change Datamodel.' + the latest Change Datamodel. data_source: [] search: '`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country - | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) + | inputlookup append=t previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country - | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) + | outputlookup previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table 
@@ -25,38 +25,31 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -known_false_positives: 'This is a strictly behavioral search, so we define "false - positive" slightly differently. Every time this fires, it will accurately reflect - the first occurrence in the time period you''re searching within, plus what is - stored in the cache feature. But while there are really no "false positives" - in a traditional sense, there is definitely lots of noise. - - This search will fire any time a new IP address is seen in the **GeoIP** database for any kind - of provisioning activity. If you typically do all provisioning from tools inside - of your country, there should be few false positives. If you are located in countries - where the free version of **MaxMind GeoIP** that ships by default with Splunk - has weak resolution (particularly small countries in less economically powerful - regions), this may be much less valuable to you.' +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + IP address is seen in the **GeoIP** database for any kind of provisioning activity. + If you typically do all provisioning from tools inside of your country, there should + be few false positives. 
If you are located in countries where the free version of + **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly + small countries in less economically powerful regions), this may be much less valuable + to you." references: [] +rba: + message: AWS provisioning from new IP Address ($src_ip$) + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Suspicious Provisioning Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - sourceIPAddress - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml index 9dfc9679ef..5efa68a449 100644 --- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml +++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml @@ -1,7 +1,7 @@ name: AWS Cloud Provisioning From Previously Unseen Region id: 7971d3df-da82-4648-a6e5-b5637bea5253 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Anomaly 
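Review bot: the tags block of aws_cloud_provisioning_from_previously_unseen_ip_address.yml still has no mitre_attack_id after this cleanup, while the city, country and region siblings all carry `- T1535`; since the tags are being edited here anyway, add `mitre_attack_id:` with `- T1535` for consistency, or state why the technique does not apply to this variant.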
@@ -13,9 +13,9 @@ data_source: [] search: '`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) - as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv + as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, - City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv + City, Region, Country | outputlookup previously_seen_provisioning_activity_src | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, 
@@ -25,44 +25,35 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -known_false_positives: 'This is a strictly behavioral search, so we define "false - positive" slightly differently. Every time this fires, it will accurately reflect - the first occurrence in the time period you''re searching within, plus what is - stored in the cache feature. But while there are really no "false positives" - in a traditional sense, there is definitely lots of noise. - - This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning - activity. If you typically do all provisioning from tools inside of your region, - there should be few false positives. If you are located in regions where the free - version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution - (particularly small countries in less economically powerful regions), this may - be much less valuable to you.' +known_false_positives: "This is a strictly behavioral search, so we define \"false + positive\" slightly differently. Every time this fires, it will accurately reflect + the first occurrence in the time period you're searching within, plus what is stored + in the cache feature. But while there are really no \"false positives\" in a traditional + sense, there is definitely lots of noise.\nThis search will fire any time a new + region is seen in the **GeoIP** database for any kind of provisioning activity. + If you typically do all provisioning from tools inside of your region, there should + be few false positives. 
If you are located in regions where the free version of + **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly + small countries in less economically powerful regions), this may be much less valuable + to you." references: [] +rba: + message: AWS provisioning from new Region ($Region$) + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - AWS Suspicious Provisioning Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1535 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - sourceIPAddress - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml index 9383a5975a..866bca7809 100644 --- a/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml +++ b/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml @@ -1,7 +1,7 @@ name: AWS EKS Kubernetes cluster sensitive object access id: 7f227943-2196-4d4d-8d6a-ac8cb308e61c -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -21,19 +21,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: AWS EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat 
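Review bot: the rba blocks added to the four AWS provisioning siblings map the same search shape to different entities: the city file scores `src_ip` as a `system`, the country and IP-address files score `user` with `threat_objects: []`, and the region file scores `user` and lists `src_ip` as an `ip_address` threat object. Pick one mapping (the region file's user-as-risk-object, src_ip-as-threat-object reads most naturally) and apply it to all four so risk from these detections aggregates on the same entity.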
diff --git a/detections/deprecated/change_default_file_association.yml b/detections/deprecated/change_default_file_association.yml new file mode 100644 index 0000000000..d552a13219 --- /dev/null +++ b/detections/deprecated/change_default_file_association.yml 
@@ -0,0 +1,82 @@ +name: Change Default File Association +id: 462d17d8-1f71-11ec-ad07-acde48001122 +version: 5 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects suspicious registry modifications that + change the default file association to execute a malicious payload. It leverages + data from the Endpoint data model, specifically monitoring registry paths under + "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because + altering default file associations can allow attackers to execute arbitrary scripts + or payloads when a user opens a file, leading to potential code execution. If confirmed + malicious, this technique can enable attackers to persist on the compromised host + and execute further malicious commands, posing a severe threat to the environment. +data_source: +- Sysmon EventID 12 +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path + ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name | + `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `change_default_file_association_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. 
+known_false_positives: unknown +references: +- https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Registry path $registry_path$ was modified, added, or deleted on $dest$. + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] +tags: + analytic_story: + - Hermetic Wiper + - Windows Registry Abuse + - Prestige Ransomware + - Windows Privilege Escalation + - Windows Persistence Techniques + - Data Destruction + asset_type: Endpoint + mitre_attack_id: + - T1546.001 + - T1546 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
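Review bot: the description of change_default_file_association.yml opens with "The following analytic has been deprecated." but, unlike attempted_credential_dump_from_registry_via_reg_exe.yml in this same change, names no successor; either cite the replacement analytic's name and id or state that there is none. The same gap applies to cmdline_tool_not_executed_in_cmd_shell.yml further down, which is marked `status: deprecated` while its description never mentions deprecation at all.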
diff --git a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml index c34d8a2bb0..eb01c32ea2 100644 --- a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml +++ b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml @@ -1,7 +1,7 @@ name: Clients Connecting to Multiple DNS Servers id: 74ec6f18-604b-4202-a567-86b2066be3ce -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: TTP 
@@ -12,23 +12,26 @@ search: '| tstats `security_content_summariesonly` count, values(DNS.dest) AS de dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter`' -how_to_implement: 'This search requires that DNS data is being ingested and populating +how_to_implement: "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions - that parse network traffic for this data, such as Splunk Stream or Bro. - - This search produces fields (`dest_count`) that are not yet supported by ES Incident - Review and therefore cannot be viewed when a notable event is raised. These fields - contribute additional context to the notable. To see the additional metadata, add - the following fields, if not already present, to Incident Review - Event Attributes - (Configure > Incident Management > Incident Review Settings > Add New Entry): - - * **Label:** Distinct DNS Connections, **Field:** dest_count - - Detailed documentation on how to create a new field within Incident Review may be - found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' + that parse network traffic for this data, such as Splunk Stream or Bro.\nThis search + produces fields (`dest_count`) that are not yet supported by ES Incident Review + and therefore cannot be viewed when a notable event is raised. These fields contribute + additional context to the notable. 
To see the additional metadata, add the following + fields, if not already present, to Incident Review - Event Attributes (Configure + > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** + Distinct DNS Connections, **Field:** dest_count\nDetailed documentation on how to + create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" known_false_positives: It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate. references: [] +rba: + message: Device ($src$) observed utilizing multiple DNS Servers + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - DNS Hijacking @@ -36,24 +39,10 @@ tags: - Host Redirection - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1048.003 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.dest - - DNS.message_type - - DNS.src - risk_score: 25 security_domain: network diff --git a/detections/deprecated/cloud_network_access_control_list_deleted.yml b/detections/deprecated/cloud_network_access_control_list_deleted.yml index 37556f398f..8a9036b76a 100644 --- a/detections/deprecated/cloud_network_access_control_list_deleted.yml +++ b/detections/deprecated/cloud_network_access_control_list_deleted.yml @@ -1,7 +1,7 @@ name: Cloud Network Access Control List Deleted id: 021abc51-1862-41dd-ad43-43c739c0a983 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Peter Gael, Splunk status: deprecated type: Anomaly 
@@ -22,31 +22,19 @@ how_to_implement: You must be ingesting your cloud infrastructure logs from your known_false_positives: It's possible that a user has legitimately deleted a network ACL. references: [] +rba: + message: AWS Network ACL Deleted by $userName$ + risk_objects: + - field: userName + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Network ACL Activity asset_type: Instance - confidence: 50 - impact: 50 - message: tbd - observable: - - name: userName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.arn - - errorMessage - - errorCode - - userAgent - - src - - userName - - arn - risk_score: 25 security_domain: network diff --git a/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml new file mode 100644 index 0000000000..2a47831d2c --- /dev/null +++ b/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml 
@@ -0,0 +1,102 @@ +name: Cmdline Tool Not Executed In CMD Shell +id: 6c3f7dd8-153c-11ec-ac2d-acde48001122 +version: 8 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, + or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, + or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry + to monitor process creation events. Such behavior is significant as it may indicate + adversaries using injected processes to perform system discovery, a tactic observed + in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers + to gather critical host information, aiding in further exploitation or lateral movement + within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" + OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe" + OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR + Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" + OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") + AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name + = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name + = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process_id Processes.process Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | 
`cmdline_tool_not_executed_in_cmd_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an + automated host discovery application that may generate false positives. Filter as + needed. +references: +- https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation +- https://attack.mitre.org/groups/G0046/ +- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by 
normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A non-standard parent process $parent_process_name$ spawned child process + $process_name$ to execute command-line tool on $dest$. + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - Volt Typhoon + - Rhysida Ransomware + - FIN7 + - DarkGate Malware + - Qakbot + - CISA AA22-277A + - CISA AA23-347A + - Gozi Malware + asset_type: Endpoint + mitre_attack_id: + - T1059 + - T1059.007 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/correlation_by_repository_and_risk.yml b/detections/deprecated/correlation_by_repository_and_risk.yml index ef3930edee..2629b408ff 100644 --- a/detections/deprecated/correlation_by_repository_and_risk.yml +++ b/detections/deprecated/correlation_by_repository_and_risk.yml @@ -1,7 +1,7 @@ name: Correlation by Repository and Risk id: 8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Correlation 
@@ -18,22 +18,11 @@ tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 100 - impact: 70 - message: Correlation triggered for user $user$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 70 security_domain: network diff --git a/detections/deprecated/correlation_by_user_and_risk.yml b/detections/deprecated/correlation_by_user_and_risk.yml index 582d10159d..63d9c738ae 100644 --- a/detections/deprecated/correlation_by_user_and_risk.yml +++ b/detections/deprecated/correlation_by_user_and_risk.yml @@ -1,7 +1,7 @@ name: Correlation by User and Risk id: 610e12dc-b6fa-4541-825e-4a0b3b6f6773 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Correlation @@ -18,22 +18,11 @@ tags: analytic_story: - Dev Sec Ops asset_type: AWS Account - confidence: 100 - impact: 70 - message: Correlation triggered for user $user$ mitre_attack_id: - T1204.003 - T1204 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 70 security_domain: network diff --git a/detections/deprecated/create_local_admin_accounts_using_net_exe.yml b/detections/deprecated/create_local_admin_accounts_using_net_exe.yml new file mode 100644 index 0000000000..28560103fa --- /dev/null +++ b/detections/deprecated/create_local_admin_accounts_using_net_exe.yml 
@@ -0,0 +1,94 @@ +name: Create local admin accounts using net exe +id: b89919ed-fe5f-492c-b139-151bb162040e +version: 16 +date: '2025-01-24' +author: Bhavin Patel, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects the creation of local administrator accounts + using the net.exe command. It leverages Endpoint Detection and Response (EDR) data + to identify processes named net.exe or net1.exe with the "/add" parameter and keywords + related to administrator accounts. This activity is significant as it may indicate + an attacker attempting to gain persistent access or escalate privileges. If confirmed + malicious, this could lead to unauthorized access, data theft, or further system + compromise. Review the process details, user context, and related artifacts to determine + the legitimacy of the activity. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count values(Processes.user) as + user values(Processes.parent_process) as parent_process values(parent_process_name) + as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` AND Processes.process=*/add* AND (Processes.process=*administrators* + OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR + Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer* + OR Processes.process=*Rendszergazda* OR Processes.process=*Администратор* OR Processes.process=*Administratör*) + by Processes.process Processes.process_name Processes.parent_process_name Processes.dest + Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`' +how_to_implement: The detection is based on data that 
originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators often leverage net.exe to create admin accounts. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators + group. 
+ risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - DHS Report TA18-074A + - Azorult + - CISA AA22-257A + - DarkGate Malware + - CISA AA24-241A + asset_type: Endpoint + mitre_attack_id: + - T1136.001 + - T1136 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/deleting_of_net_users.yml b/detections/deprecated/deleting_of_net_users.yml new file mode 100644 index 0000000000..379264584f --- /dev/null +++ b/detections/deprecated/deleting_of_net_users.yml 
@@ -0,0 +1,88 @@ +name: Deleting Of Net Users +id: 1c8c6f66-acce-11eb-aafb-acde48001122 +version: 8 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects the use of net.exe or net1.exe command-line + to delete a user account on a system. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process and command-line execution logs. + This activity is significant as it may indicate an attempt to impair user accounts + or cover tracks during lateral movement. If confirmed malicious, this could lead + to unauthorized access removal, disruption of legitimate user activities, or concealment + of adversarial actions, complicating incident response and forensic investigations. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.parent_process) as parent_process values(Processes.process_id) + as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" + by Processes.process_name Processes.original_file_name Processes.dest Processes.user + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: System administrators or scripts may delete user accounts via + this technique. Filter as needed. +references: +- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to delete accounts. 
+ risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - XMRig + - Graceful Wipe Out Attack + - DarkGate Malware + asset_type: Endpoint + mitre_attack_id: + - T1531 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml index 5ee8df78d5..0c13a55b87 100644 --- a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml +++ b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml 
@@ -1,19 +1,22 @@ name: Detect Activity Related to Pass the Hash Attacks id: f5939373-8054-40ad-8c64-cec478a22a4b -version: 8 -date: '2024-10-17' +version: 9 +date: '2024-11-14' author: Bhavin Patel, Patrick Bareiss, Splunk status: deprecated type: Hunting description: This search looks for specific authentication events from the Windows - Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts. + Security Event logs to detect potential attempts at using the Pass-the-Hash technique. + This search is DEPRECATED as it is possible for event code 4624 to generate a high + level of noise, as legitimate logon events may also trigger this event code. This + can be especially true in environments with high levels of user activity, such as + those with many concurrent logons or frequent logon attempts. 
data_source: - Windows Event Log Security 4624 -search: '`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) - | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp + NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, + WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`' how_to_implement: To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows. 
@@ -25,40 +28,18 @@ tags: - Active Directory Lateral Movement - BlackSuit Ransomware asset_type: Endpoint - confidence: 70 - impact: 70 - message: The following $EventCode$ occurred on $dest$ by $user$ with Logon Type - 3, which may be indicative of the pass the hash technique. mitre_attack_id: - T1550 - T1550.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - Logon_Process - - WorkstationName - - user - - dest - risk_score: 49 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true diff --git a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml index 57163720a1..e0ad2efcfc 100644 --- a/detections/deprecated/detect_api_activity_from_users_without_mfa.yml +++ b/detections/deprecated/detect_api_activity_from_users_without_mfa.yml @@ -1,7 +1,7 @@ name: Detect API activity from users without MFA id: 4d46e8bd-4072-48e4-92db-0325889ef894 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Hunting 
@@ -18,24 +18,19 @@ search: '`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=fa as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`' -how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS - (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create - a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them. - +how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail + inputs. Leverage the support search `Create a list of approved AWS service accounts`: + run it once every 30 days to create a list of service accounts and validate them.\n This search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. 
To see the additional metadata, add the following fields, if not already - present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): - - * **Label:** AWS Event Name, **Field:** eventName - - * **Label:** AWS User ARN, **Field:** userIdentity.arn - - * **Label:** AWS User Type, **Field:** userIdentity.type - - Detailed documentation on how to create a new field within Incident Review may be - found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' + present, to Incident Review - Event Attributes (Configure > Incident Management + > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** + eventName\n* **Label:** AWS User ARN, **Field:** userIdentity.arn\n* **Label:** + AWS User Type, **Field:** userIdentity.type\nDetailed documentation on how to create + a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" known_false_positives: Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune @@ -46,24 +41,8 @@ tags: analytic_story: - AWS User Monitoring asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.sessionContext.attributes.mfaAuthenticated - - eventName - - userIdentity.arn - - userIdentity.type - - user - risk_score: 25.0 security_domain: network 
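Review bot: in the `how_to_implement` hunk of detect_api_activity_from_users_without_mfa.yml, moving from the single-quoted folded scalar to a double-quoted scalar replaces the blank lines that separated the paragraph, the three `* **Label:** ...` bullets and the closing documentation sentence with single `\n`s, so the text now reads `...and validate them.\n This search produces fields` and `...Add New Entry):\n* **Label:** AWS Event Name`. Many markdown renderers require a blank line before the first list item and after the last, so consider `\n\n` at those boundaries to keep the original rendering. The double-quoted form also requires escaping any `"` inside the string, which the unapproved-accounts file later in this patch handles with `\"`; the text here contains none, but it is worth checking when the same conversion is applied elsewhere.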
diff --git a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml index eadfb4cb2e..23e833aac1 100644 --- a/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml +++ b/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml @@ -1,7 +1,7 @@ name: Detect AWS API Activities From Unapproved Accounts id: ada0f478-84a8-4641-a3f1-d82362d4bd55 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Hunting 
@@ -17,29 +17,21 @@ search: '`cloudtrail` errorCode=success | rename userName as identity | search N min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`' -how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) +how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table - in Enterprise Security (ES). Leverage the support search called "Create a list of - approved AWS service accounts": run it once every 30 days to create and validate - a list of service accounts. - - This search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet - supported by ES Incident Review and therefore cannot be viewed when a notable event - is raised. These fields contribute additional context to the notable. To see the - additional metadata, add the following fields, if not already present, to Incident - Review - Event Attributes (Configure > Incident Management > Incident Review Settings - > Add New Entry): - - * **Label:** AWS Event Name, **Field:** eventName - - * **Label:** First Time, **Field:** firstTime - - * **Label:** Last Time, **Field:** lastTime - - Detailed documentation on how to create a new field within Incident Review may be - found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' + in Enterprise Security (ES). 
Leverage the support search called \"Create a list + of approved AWS service accounts\": run it once every 30 days to create and validate + a list of service accounts.\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) + that are not yet supported by ES Incident Review and therefore cannot be viewed + when a notable event is raised. These fields contribute additional context to the + notable. To see the additional metadata, add the following fields, if not already + present, to Incident Review - Event Attributes (Configure > Incident Management + > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** + eventName\n* **Label:** First Time, **Field:** firstTime\n* **Label:** Last Time, + **Field:** lastTime\nDetailed documentation on how to create a new field within + Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" known_false_positives: It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` @@ -49,25 +41,10 @@ tags: analytic_story: - AWS User Monitoring asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - errorCode - - userName - - eventName - - user - risk_score: 25.0 security_domain: access 
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/deprecated/detect_critical_alerts_from_security_tools.yml similarity index 59% rename from detections/endpoint/detect_critical_alerts_from_security_tools.yml rename to detections/deprecated/detect_critical_alerts_from_security_tools.yml index 1f4623df42..79ba56809d 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/deprecated/detect_critical_alerts_from_security_tools.yml 
@@ -1,14 +1,14 @@ name: Detect Critical Alerts from Security Tools id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd -version: 1 -date: '2024-10-09' +version: 2 +date: '2025-01-13' author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk -status: production +status: deprecated type: TTP data_source: - Windows Defender Alerts - MS365 Defender Incident Alerts -description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. +description: The following analytic has been deprecated in favour of specific and dedicated product analytics such as "Microsoft Defender ATP Alerts". The following analytic is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. 
This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. 
Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions. known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. 
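Review bot: the description hunk in detect_critical_alerts_from_security_tools.yml marks the analytic deprecated 'in favour of specific and dedicated product analytics such as "Microsoft Defender ATP Alerts"' but names no concrete replacement detection; consider listing the replacement(s) so users of the Critical Alerts story know where to migrate. The rest of the description is unchanged and still presents the detection as active ('We tested these detections...', the **Note** about dynamically creating risk_score) and keeps the original missing space in 'environment.This capability'; since the line is being rewritten anyway, reducing it to the deprecation notice plus a pointer would avoid contradicting `status: deprecated`. The file move from detections/endpoint/ to detections/deprecated/ is consistent with the status change.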
@@ -22,54 +22,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $severity$ alert for $user$ from $sourcetype$ - $signature$ + risk_objects: + - field: user + type: user + score: 50 + - field: dest + type: system + score: 50 + threat_objects: [] tags: analytic_story: - Critical Alerts asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 50 - message: $severity$ alert for $user$ from $sourcetype$ - $signature$ mitre_attack_id: [] - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Alerts.description - - Alerts.mitre_technique_id - - Alerts.severity - - Alerts.type - - Alerts.severity_id - - 
Alerts.signature - - Alerts.dest - - Alerts.src - - Alerts.user - - Alerts.id - - Alerts.vendor - - sourcetype - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log source: eventhub://windowsdefenderlogs sourcetype: mscs:azure:eventhub:defender:advancedhunting - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.log source: m365_defender_incident_alerts sourcetype: ms365:defender:incident:alerts diff --git a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml index ed39395ce8..2d4975f3ec 100644 --- a/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml +++ b/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml @@ -1,7 +1,7 @@ name: Detect DNS requests to Phishing Sites leveraging EvilGinx2 id: 24dd17b1-e2fb-4c31-878c-d4f226595bfa -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP 
@@ -14,56 +14,42 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` - | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer + | search NOT [ inputlookup legit_domains | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`' -how_to_implement: 'You need to ingest data from your DNS logs in the Network_Resolution +how_to_implement: "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the - IP of the host originating the request. Ideally, you should also be ingesting - the answer to the query and the query type. This approach allows you to also create + IP of the host originating the request. Ideally, you should also be ingesting the + answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. - You will have to add legitimate domain names to the `legit_domains.csv` file shipped - with the app. - - **Splunk>Phantom Playbook Integration** - - If Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain - Investigate` can be configured to run when any results are found by this detection - search. 
To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, - add the correct hostname to the "Phantom Instance" field in the Adaptive Response + You will have to add legitimate domain names to the `legit_domains` lookup shipped + with the app.\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also + configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` + can be configured to run when any results are found by this detection search. To + use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, + add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook - to active. - - (Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`)' -known_false_positives: If a known good domain is not listed in the legit_domains.csv - file, then the search could give you false postives. Please update that lookup file + to active.\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`)" +known_false_positives: If a known good domain is not listed in the `legit_domains` lookup, + then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains. references: [] +rba: + message: DNS Request for EvilGinx2 Phishing Site + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Common Phishing Frameworks asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1566.003 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.answer - - DNS.dest - - DNS.src - - DNS.query - - host - risk_score: 25 security_domain: network 
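Review bot: the known_false_positives rewrite in this hunk keeps the typo "false postives" and still says "Please update that lookup file" even though the same hunk moves the search and how_to_implement from `legit_domains.csv` to the `legit_domains` lookup definition; suggest "false positives" and "update that lookup" so the wording matches the new reference. Two more points in the same hunk: the new `rba.message: DNS Request for EvilGinx2 Phishing Site` carries no field tokens, while the search ends with `table count src dest query answer domain url`, so a message such as "DNS request from $src$ for suspected EvilGinx2 phishing domain $domain$" would make the risk event self-describing; and the how_to_implement scalar is converted from a single-quoted block with blank lines to a double-quoted one joined by single `\n`, which loses the paragraph breaks around the **Splunk>Phantom Playbook Integration** heading when rendered as markdown, so please check the rendered page. Finally, the `rex` in the context line reads `(?[^./:]+\.` with no capture-group name; if that is the file content and not just how the diff is displayed here, the `domain` field that the following `table dest domain url` relies on is never populated.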
diff --git a/detections/deprecated/detect_long_dns_txt_record_response.yml b/detections/deprecated/detect_long_dns_txt_record_response.yml index 0ee750d14d..57a2fb80be 100644 --- a/detections/deprecated/detect_long_dns_txt_record_response.yml +++ b/detections/deprecated/detect_long_dns_txt_record_response.yml @@ -1,7 +1,7 @@ name: Detect Long DNS TXT Record Response id: 05437c07-62f5-452e-afdc-04dd44815bb9 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: TTP @@ -29,31 +29,22 @@ known_false_positives: It's possible that legitimate TXT record responses can be enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives. references: [] +rba: + message: Long DNS TXT Response observed + risk_objects: + - field: Destination IP + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1048.003 - observable: - - name: Destination IP - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.message_type - - DNS.record_type - - DNS.src - - DNS.dest - - DNS.answer - risk_score: 25 security_domain: network diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml index 82d0f52559..b002ff2bcc 100644 --- a/detections/deprecated/detect_mimikatz_using_loaded_images.yml +++ b/detections/deprecated/detect_mimikatz_using_loaded_images.yml 
@@ -1,18 +1,19 @@ name: Detect Mimikatz Using Loaded Images id: 29e307ba-40af-4ab2-91b2-3c6b392bbba0 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: TTP description: This search looks for reading loaded Images unique to credential dumping - with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code. + with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon + Event Code. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll - ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `detect_mimikatz_using_loaded_images_filter`' + ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`' how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations @@ -24,6 +25,17 @@ known_false_positives: Other tools can import the same DLLs. These tools should or uses credentials, PowerShell included. Filter based on parent process. references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html +rba: + message: A process, $Image$, has loaded $ImageLoaded$ that are typically related + to credential dumping on $dest$. Review for further details. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Credential Dumping 
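Review bot: the `- field: user` risk object added in this hunk has nothing to bind to: the search in the hunk above aggregates with `stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image`, so `user` is never an output field (the `required_fields` list removed in the next hunk did not include it either), and the user risk object will be empty on every result. Either add `user` to the `by` clause, assuming the ingested Sysmon EventID 7 events carry a User field, or drop that entry and keep only the `dest` risk object. While here, the same search pipes into `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` without ever computing `firstTime`/`lastTime` (there is no `min(_time)`/`max(_time)` in the stats); that is pre-existing, but it is a one-line fix in a reflow that already touches the search.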
@@ -35,38 +47,18 @@ tags: - CISA AA22-320A - Sandworm Tools asset_type: Windows - confidence: 80 - impact: 80 - message: A process, $Image$, has loaded $ImageLoaded$ that are typically related - to credential dumping on $dest$. Review for further details. mitre_attack_id: - T1003.001 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ImageLoaded - - ProcessId - - dest - - Image - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml index 3ea450633d..aa9cabe8d3 100644 --- a/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml +++ b/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml @@ -1,7 +1,7 @@ name: Detect Mimikatz Via PowerShell And EventCode 4703 id: 98917be2-bfc8-475a-8618-a9bb06575188 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: TTP 
@@ -26,30 +26,21 @@ known_false_positives: The activity may be legitimate. PowerShell is often used in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. references: [] +rba: + message: Potential Mimikatz usage on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Cloud Federated Credential Abuse asset_type: Windows - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1003.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - signature_id - - Process_Name - - Message - - dest - - Process_ID - risk_score: 25 security_domain: access diff --git a/detections/deprecated/detect_new_api_calls_from_user_roles.yml b/detections/deprecated/detect_new_api_calls_from_user_roles.yml index 1d1e581158..5ed0943c52 100644 --- a/detections/deprecated/detect_new_api_calls_from_user_roles.yml +++ b/detections/deprecated/detect_new_api_calls_from_user_roles.yml @@ -1,7 +1,7 @@ name: Detect new API calls from user roles id: 22773e84-bac0-4595-b086-20d3f335b4f1 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Anomaly 
@@ -12,7 +12,7 @@ search: '`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=A [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) - as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| + as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | eval newApiCallfromUserRole=if(earliest>=relative_time(now(), "-70m@m"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) @@ -27,30 +27,21 @@ known_false_positives: It is possible that there are legitimate user roles makin new or infrequently used API calls in your infrastructure, causing the search to trigger. references: [] +rba: + message: Never Before Seen API Call from $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS User Monitoring asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - errorCode - - userIdentity.type - - userName - - eventName - risk_score: 25.0 security_domain: endpoint diff --git a/detections/deprecated/detect_new_user_aws_console_login.yml b/detections/deprecated/detect_new_user_aws_console_login.yml index 0c539bc079..1713d3b52d 100644 --- a/detections/deprecated/detect_new_user_aws_console_login.yml +++ b/detections/deprecated/detect_new_user_aws_console_login.yml 
@@ -1,7 +1,7 @@ name: Detect new user AWS Console Login id: ada0f478-84a8-4641-a3f3-d82362dffd75 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Hunting @@ -13,7 +13,7 @@ description: This search looks for AWS CloudTrail events wherein a console login data_source: [] search: '`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t - previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime + previously_seen_users_console_logins | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console","Previously Seen User") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus ="First Time Logging into AWS Console" | `detect_new_user_aws_console_login_filter`' @@ -31,23 +31,10 @@ tags: analytic_story: - Suspicious AWS Login Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - userIdentity.arn - risk_score: 25 security_domain: network diff --git a/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml new file mode 100644 index 0000000000..d0851935d2 --- /dev/null +++ b/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml 
@@ -0,0 +1,91 @@ +name: Detect processes used for System Network Configuration Discovery +id: a51bfe1a-94f0-48cc-b1e4-16ae10145893 +version: 8 +date: '2025-01-24' +author: Bhavin Patel, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic identifies the rapid execution of processes used + for system network configuration discovery on an endpoint. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, + parent processes, and command-line executions. This activity is significant as it + may indicate an attacker attempting to map the network, which is a common precursor + to lateral movement or further exploitation. If confirmed malicious, this behavior + could allow an attacker to gain insights into the network topology, identify critical + systems, and plan subsequent attacks, potentially leading to data exfiltration or + system compromise. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user + IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name + Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` + | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime + lastTime dest user process_name process parent_process parent_process_name eventcount + | `detect_processes_used_for_system_network_configuration_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is uncommon for normal users to execute a series of commands + used for network discovery. System administrators often use scripts to execute these + commands. These can generate false positives. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning multiple $process_name$ was + identified on endpoint $dest$ by user $user$ typically not a normal behavior of + the process. 
+ risk_objects: + - field: user + type: user + score: 32 + - field: dest + type: system + score: 32 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - Unusual Processes + asset_type: Endpoint + mitre_attack_id: + - T1016 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/detect_spike_in_aws_api_activity.yml b/detections/deprecated/detect_spike_in_aws_api_activity.yml index 1d4d44c736..5a7efe7007 100644 --- a/detections/deprecated/detect_spike_in_aws_api_activity.yml +++ b/detections/deprecated/detect_spike_in_aws_api_activity.yml @@ -1,7 +1,7 @@ name: Detect Spike in AWS API Activity id: ada0f478-84a8-4641-a3f1-d32362d4bd55 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Anomaly 
@@ -24,52 +24,39 @@ search: '`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApi | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`' -how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) +how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from - the mean that the value must be to be considered a spike. - - This search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) - that are not yet supported by ES Incident Review and therefore cannot be viewed - when a notable event is raised. These fields contribute additional context to the - notable. To see the additional metadata, add the following fields, if not already - present, to Incident Review - Event Attributes (Configure > Incident Management - > Incident Review Settings > Add New Entry): - - * **Label:** AWS Event Name, **Field:** eventName - - * **Label:** Number of API Calls, **Field:** numberOfApiCalls - - * **Label:** Unique API Calls, **Field:** uniqueApisCalled - - Detailed documentation on how to create a new field within Incident Review may be - found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' -known_false_positives: 'None.' 
+ the mean that the value must be to be considered a spike.\nThis search produces + fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported + by ES Incident Review and therefore cannot be viewed when a notable event is raised. + These fields contribute additional context to the notable. To see the additional + metadata, add the following fields, if not already present, to Incident Review - + Event Attributes (Configure > Incident Management > Incident Review Settings > Add + New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** Number + of API Calls, **Field:** numberOfApiCalls\n* **Label:** Unique API Calls, **Field:** + uniqueApisCalled\nDetailed documentation on how to create a new field within Incident + Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" +known_false_positives: None. references: [] +rba: + message: Spike in AWS API Activity from $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS User Monitoring asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - userIdentity.arn - risk_score: 25.0 security_domain: network diff --git a/detections/deprecated/detect_spike_in_network_acl_activity.yml b/detections/deprecated/detect_spike_in_network_acl_activity.yml index aad850685d..a7e693bf9e 100644 --- a/detections/deprecated/detect_spike_in_network_acl_activity.yml +++ b/detections/deprecated/detect_spike_in_network_acl_activity.yml 
@@ -1,7 +1,7 @@ name: Detect Spike in Network ACL Activity id: ada0f478-84a8-4641-a1f1-e32372d4bd53 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Anomaly @@ -36,26 +36,21 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment. references: [] +rba: + message: Spike in AWS API Activity related to Network ACLs from $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Network ACL Activity asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1562.007 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - userIdentity.arn - risk_score: 25.0 security_domain: network diff --git a/detections/deprecated/detect_spike_in_security_group_activity.yml b/detections/deprecated/detect_spike_in_security_group_activity.yml index 83ea1712f8..de1cad3b6d 100644 --- a/detections/deprecated/detect_spike_in_security_group_activity.yml +++ b/detections/deprecated/detect_spike_in_security_group_activity.yml @@ -1,7 +1,7 @@ name: Detect Spike in Security Group Activity id: ada0f478-84a8-4641-a3f1-e32372d4bd53 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Anomaly 
@@ -37,26 +37,21 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late known_false_positives: Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. references: [] +rba: + message: Spike in AWS API Activity related to Security Groups from $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS User Monitoring asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - serIdentity.arn - risk_score: 25.0 security_domain: network diff --git a/detections/deprecated/detect_usb_device_insertion.yml b/detections/deprecated/detect_usb_device_insertion.yml index db90a65dd1..2d6dd088f5 100644 --- a/detections/deprecated/detect_usb_device_insertion.yml +++ b/detections/deprecated/detect_usb_device_insertion.yml @@ -1,7 +1,7 @@ name: Detect USB device insertion id: 104658f4-afdc-499f-9719-17a43f9826f5 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP 
@@ -26,27 +26,19 @@ how_to_implement: To successfully implement this search, you must ingest Windows known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. references: [] +rba: + message: USB Device Activity detected on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Protection asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.result - - All_Changes.result_id - - All_Changes.src_priority - - All_Changes.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml index 3d5bb3ac88..88d75ce049 100644 --- a/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml +++ b/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml @@ -1,7 +1,7 @@ name: Detect web traffic to dynamic domain providers id: 134da869-e264-4a8f-8d7e-fcd01c18f301 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP 
@@ -11,51 +11,37 @@ search: '| tstats `security_content_summariesonly` count values(Web.url) as url as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`' -how_to_implement: 'This search requires you to be ingesting web-traffic logs. You +how_to_implement: "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically - updating this local lookup file with new domains. - - This search produces fields (`isDynDNS`) that are not yet supported by ES Incident - Review and therefore cannot be viewed when a notable event is raised. These fields - contribute additional context to the notable. To see the additional metadata, add - the following fields, if not already present, to Incident Review - Event Attributes - (Configure > Incident Management > Incident Review Settings > Add New Entry): - - * **Label:** IsDynamicDNS, **Field:** isDynDNS - - Detailed documentation on how to create a new field within Incident Review may be - found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` - Deprecated because duplicate.' + updating this local lookup file with new domains.\nThis search produces fields (`isDynDNS`) + that are not yet supported by ES Incident Review and therefore cannot be viewed + when a finding event is raised. These fields contribute additional context to the + finding. 
To see the additional metadata, add the following fields, if not already + present, to Incident Review - Event Attributes (Configure > Incident Management + > Incident Review Settings > Add New Entry):\n* **Label:** IsDynamicDNS, **Field:** + isDynDNS\n Deprecated because duplicate." known_false_positives: It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate. references: [] +rba: + message: Web traffic to Dynamic DNS Provider detected + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Dynamic DNS asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1071.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.url - - Web.status - - Web.src - - Web.dest - risk_score: 25 security_domain: network diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/deprecated/detect_webshell_exploit_behavior.yml similarity index 86% rename from detections/endpoint/detect_webshell_exploit_behavior.yml rename to detections/deprecated/detect_webshell_exploit_behavior.yml index 49baa8e1aa..3b28ad33f1 100644 --- a/detections/endpoint/detect_webshell_exploit_behavior.yml +++ b/detections/deprecated/detect_webshell_exploit_behavior.yml 
@@ -1,11 +1,12 @@ name: Detect Webshell Exploit Behavior id: 22597426-6dbd-49bd-bcdc-4ec19857192f -version: '5' -date: '2024-11-28' +version: 7 +date: '2025-01-24' author: Steven Dick -status: production +status: deprecated type: TTP -description: The following analytic identifies the execution of suspicious processes +description: The following analytic has been deprecated. + The following analytic identifies the execution of suspicious processes typically associated with webshell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate @@ -59,6 +60,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ + on $dest$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - ProxyNotShell 
@@ -73,45 +87,18 @@ tags: - WS FTP Server Critical Vulnerabilities - BlackByte Ransomware asset_type: Endpoint - confidence: 80 - impact: 100 - message: Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ - on $dest$. mitre_attack_id: - T1505 - T1505.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process - - Processes.process_name - risk_score: 80 security_domain: endpoint - supported_tas: - - Splunk_TA_microsoft_sysmon tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/deprecated/detection_of_dns_tunnels.yml b/detections/deprecated/detection_of_dns_tunnels.yml index a892c3f878..e903bf4d9a 100644 --- a/detections/deprecated/detection_of_dns_tunnels.yml +++ b/detections/deprecated/detection_of_dns_tunnels.yml 
@@ -1,22 +1,20 @@ name: Detection of DNS Tunnels id: 104658f4-afdc-499f-9719-17a43f9826f4 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP -description: 'This search is used to detect DNS tunneling, by calculating the sum +description: "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS - traffic. - - NOTE:Deprecated because existing detection is doing the same. This detection is - replaced with two other variations, if you are using MLTK then you can use this + traffic.\nNOTE:Deprecated because existing detection is doing the same. This detection + is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation - version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.' + version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive." data_source: [] search: '| tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT 
@@ -44,31 +42,23 @@ known_false_positives: It's possible that normal DNS traffic will exhibit this b If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment. references: [] +rba: + message: Potential DNS Tunneling Detected + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Protection - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1048.003 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.query - - DNS.message_type - - DNS.src_category - - DNS.src - risk_score: 25 security_domain: network diff --git a/detections/deprecated/disabling_net_user_account.yml b/detections/deprecated/disabling_net_user_account.yml new file mode 100644 index 0000000000..409e89854a --- /dev/null +++ b/detections/deprecated/disabling_net_user_account.yml 
@@ -0,0 +1,85 @@ +name: Disabling Net User Account +id: c0325326-acd6-11eb-98c2-acde48001122 +version: 8 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects the use of the `net.exe` utility to disable + a user account via the command line. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant as it may indicate an adversary's attempt to disrupt + user availability, potentially as a precursor to further malicious actions. If confirmed + malicious, this could lead to denial of service for legitimate users, aiding the + attacker in maintaining control or covering their tracks. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.parent_process) as parent_process values(Processes.process_id) + as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" + by Processes.process_name Processes.original_file_name Processes.dest Processes.user + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: unknown +references: +- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + disabling a user account on endpoint $dest$ by user $user$. 
+ risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - XMRig + asset_type: Endpoint + mitre_attack_id: + - T1531 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml index 5e629764f5..b52f87457a 100644 --- a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml +++ b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml @@ -1,7 +1,7 @@ name: DNS Query Requests Resolved by Unauthorized DNS Servers id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f6 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP @@ -19,6 +19,13 @@ how_to_implement: To successfully implement this search you will need to ensure known_false_positives: Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate. references: [] +rba: + message: DNS Resolution from Unauthorized DNS Server + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - DNS Hijacking 
@@ -26,25 +33,10 @@ tags: - Host Redirection - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1071.004 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.dest_category - - DNS.src_category - - DNS.src - - DNS.dest - risk_score: 25 security_domain: network diff --git a/detections/deprecated/dns_record_changed.yml b/detections/deprecated/dns_record_changed.yml index 86d8f9a32d..1da12999ba 100644 --- a/detections/deprecated/dns_record_changed.yml +++ b/detections/deprecated/dns_record_changed.yml @@ -1,7 +1,7 @@ name: DNS record changed id: 44d3a43e-dcd5-49f7-8356-5209bb369065 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Jose Hernandez, Splunk status: deprecated type: TTP 
@@ -17,51 +17,37 @@ search: '| inputlookup discovered_dns_records | rename answer as discovered_answ | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`' -how_to_implement: 'To successfully implement this search you will need to ensure that +how_to_implement: "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search - "Discover DNS record". - - **Splunk>Phantom Playbook Integration** - - If Splunk>Phantom is also configured in your environment, a Playbook called "DNS Hijack Enrichment" - can be configured to run when any results are found by this detection search. - The playbook takes in the DNS record changed and uses Geoip, whois, Censys and - PassiveTotal to detect if DNS issuers changed. To use this integration, install - the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the - correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions - when configuring this detection search, and set the corresponding Playbook to - active. - - (Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)' + \"Discover DNS record\".\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom + is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\"\ + \ can be configured to run when any results are found by this detection search. + The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal + to detect if DNS issuers changed. 
To use this integration, install the Phantom App + for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to + the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring + this detection search, and set the corresponding Playbook to active.\n(Playbook + Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)" known_false_positives: Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate. references: [] +rba: + message: DNS Record Changed + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - DNS Hijacking asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1071.004 - observable: - - name: src - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.record_type - - DNS.answer - - DNS.src - - DNS.message_type - - DNS.query - risk_score: 25 security_domain: network diff --git a/detections/deprecated/domain_account_discovery_with_net_app.yml b/detections/deprecated/domain_account_discovery_with_net_app.yml new file mode 100644 index 0000000000..7299b21596 --- /dev/null +++ b/detections/deprecated/domain_account_discovery_with_net_app.yml 
@@ -0,0 +1,78 @@ +name: Domain Account Discovery With Net App +id: 98f6a534-04c2-11ec-96b2-acde48001122 +version: 5 +date: '2025-01-13' +author: Teoderick Contreras, Mauricio Velazco, Splunk +status: deprecated +type: TTP +description: This following analytic has been deprecated in favour of the generic version "5d0d4830-0133-11ec-bae3-acde48001122". The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process + = "* user*" AND Processes.process = "*/do*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. 
+ Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance +- https://attack.mitre.org/techniques/T1087/002/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: an instance of process $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name +tags: + analytic_story: + - Active Directory Discovery + - Graceful Wipe Out Attack + - Rhysida Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1087.002 + - T1087 + product: + - Splunk 
Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/domain_group_discovery_with_net.yml b/detections/deprecated/domain_group_discovery_with_net.yml new file mode 100644 index 0000000000..af3f1f4e79 --- /dev/null +++ b/detections/deprecated/domain_group_discovery_with_net.yml 
@@ -0,0 +1,54 @@ +name: Domain Group Discovery With Net +id: f2f14ac7-fa81-471a-80d5-7eb65c3c7349 +version: 6 +date: '2025-01-13' +author: Mauricio Velazco, Splunk +status: deprecated +type: Hunting +description: This search has been deprecated in favour of the more generic analytic "c5c8e0f3-147a-43da-bf04-4cfaec27dc44". The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*group* + AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `domain_group_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://attack.mitre.org/techniques/T1069/002/ +tags: + analytic_story: + - Windows Post-Exploitation + - Active Directory Discovery + - Prestige Ransomware + - Graceful Wipe Out Attack + - Rhysida Ransomware + - Cleo File Transfer Software + asset_type: Endpoint + mitre_attack_id: + - T1069 + - T1069.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/dump_lsass_via_procdump_rename.yml b/detections/deprecated/dump_lsass_via_procdump_rename.yml index 855f6eb447..db67928fa4 100644 --- a/detections/deprecated/dump_lsass_via_procdump_rename.yml +++ b/detections/deprecated/dump_lsass_via_procdump_rename.yml 
@@ -1,25 +1,24 @@ name: Dump LSASS via procdump Rename id: 21276daa-663d-11eb-ae93-0242ac130002 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Michael Haag, Splunk status: deprecated type: Hunting -description: 'Detect a renamed instance of procdump.exe dumping the lsass process. +description: "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and - should be reviewed. Modify the query as needed. - - During triage, confirm this is procdump.exe executing. If it is the first time a - Sysinternals utility has been ran, it is possible there will be a -accepteula on - the command line. Review other endpoint data sources for cross process (injection) - into lsass.exe.' + should be reviewed. Modify the query as needed.\nDuring triage, confirm this is + procdump.exe executing. If it is the first time a Sysinternals utility has been + ran, it is possible there will be a -accepteula on the command line. Review other + endpoint data sources for cross process (injection) into lsass.exe." 
data_source: - Sysmon EventID 1 search: '`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 - (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, - process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`' + (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) + as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, + OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `dump_lsass_via_procdump_rename_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. @@ -34,36 +33,10 @@ tags: - HAFNIUM Group - CISA AA22-257A asset_type: Endpoint - confidence: 100 - impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$, attempting to dump lsass.exe. mitre_attack_id: - T1003.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OriginalFileName - - process_name - - EventID - - CommandLine - - dest - - parent_process_name - risk_score: 80 security_domain: endpoint diff --git a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml index 57a1ffc0ed..c0dddee3ca 100644 
--- a/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml +++ b/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml @@ -1,7 +1,7 @@ name: EC2 Instance Modified With Previously Unseen User id: 56f91724-cf3f-4666-84e1-e3712fb41e76 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Anomaly @@ -26,27 +26,21 @@ known_false_positives: It's possible that a new user will start to modify EC2 in when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. references: [] +rba: + message: EC2 Instance Modified for first time by $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Unusual AWS EC2 Modifications asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - errorCode - - userIdentity.arn - risk_score: 25.0 security_domain: endpoint diff --git a/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml b/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml index 716cabaac4..0d7e62b234 100644 --- a/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml +++ b/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml 
@@ -1,18 +1,18 @@ name: EC2 Instance Started In Previously Unseen Region id: ada0f478-84a8-4641-a3f3-d82362d6fd75 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated -type: Anomaly +type: Hunting description: This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started data_source: [] search: '`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest - latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv + latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup - previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), + previously_seen_aws_regions | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | `ec2_instance_started_in_previously_unseen_region_filter`' @@ -29,22 +29,10 @@ tags: - AWS Cryptomining - Suspicious AWS EC2 Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1535 - observable: - - name: awsRegion - type: Geo Location - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - awsRegion - risk_score: 25.0 security_domain: network diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml index 1079fb6ecd..80a929eefb 100644 --- a/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml 
+++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml @@ -1,7 +1,7 @@ name: EC2 Instance Started With Previously Unseen AMI id: 347ec301-601b-48b9-81aa-9ddf9c829dd3 -version: 3 -date: '2024-10-17' +version: 5 +date: '2025-01-16' author: David Dorsey, Splunk status: deprecated type: Anomaly @@ -12,8 +12,8 @@ data_source: [] search: '`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId - as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) - as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv + as amiID | inputlookup append=t previously_seen_ec2_amis_lookup | stats min(firstTime) + as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis_lookup | eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType 
@@ -28,26 +28,19 @@ known_false_positives: After a new AMI is created, the first systems created wit that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user. references: [] +rba: + message: EC2 Instance $dest$ launched with new AMI + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - AWS Cryptomining asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - requestParameters.instancesSet.items{}.imageId - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml index cfcf851d26..e1a95404a0 100644 --- a/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml +++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml @@ -1,7 +1,7 @@ name: EC2 Instance Started With Previously Unseen Instance Type id: 65541c80-03c7-4e05-83c8-1dcd57a2e1ad -version: 4 -date: '2024-10-17' +version: 6 +date: '2025-01-16' author: David Dorsey, Splunk status: deprecated type: Anomaly 
@@ -12,9 +12,9 @@ data_source: [] search: '`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType - | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv + | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types_lookup | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup - previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), + previously_seen_ec2_instance_types_lookup | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType @@ -28,26 +28,19 @@ known_false_positives: It is possible that an admin will create a new system usi a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type. references: [] +rba: + message: EC2 Instance $dest$ launched with previously unseen instance type $instanceType$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Cryptomining asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - requestParameters.instanceType - risk_score: 25 security_domain: endpoint 
diff --git a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml index d7c889af4d..d43786da55 100644 --- a/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml +++ b/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml @@ -1,7 +1,7 @@ name: EC2 Instance Started With Previously Unseen User id: 22773e84-bac0-4595-b086-20d3f735b4f1 -version: 4 -date: '2024-10-17' +version: 6 +date: '2025-01-16' author: David Dorsey, Splunk status: deprecated type: Anomaly @@ -11,9 +11,9 @@ description: This search looks for EC2 instances being created by users who have data_source: [] search: '`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime - by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv + by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user_lookup | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup - previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), + previously_seen_ec2_launches_by_user_lookup | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn 
@@ -26,29 +26,22 @@ known_false_positives: It's possible that a user will start to create EC2 instan when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior. references: [] +rba: + message: EC2 Instance $dest$ started by previously unseen user $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AWS Cryptomining - Suspicious AWS EC2 Activities asset_type: AWS Instance - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventName - - errorCode - - userIdentity.arn - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/elevated_group_discovery_with_net.yml b/detections/deprecated/elevated_group_discovery_with_net.yml new file mode 100644 index 0000000000..14e1b5ab5a --- /dev/null +++ b/detections/deprecated/elevated_group_discovery_with_net.yml 
@@ -0,0 +1,87 @@ +name: Elevated Group Discovery With Net +id: a23a0e20-0b1b-4a07-82e5-ec5f70811e7a +version: 6 +date: '2025-01-24' +author: Mauricio Velazco, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects the execution of `net.exe` or `net1.exe` + with command-line arguments used to query elevated domain groups. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to identify high-privileged users within Active + Directory. If confirmed malicious, this behavior could lead to further attacks aimed + at compromising privileged accounts, escalating privileges, or gaining unauthorized + access to sensitive systems and data. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*group*" + AND Processes.process="*/do*") (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise + Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" + OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" + OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `elevated_group_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://attack.mitre.org/techniques/T1069/002/ +- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory +- https://adsecurity.org/?p=3658 +- https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Elevated domain group discovery enumeration on $dest$ by $user$ + risk_objects: + - 
field: dest + type: system + score: 21 + threat_objects: [] +tags: + analytic_story: + - Active Directory Discovery + - Volt Typhoon + - Rhysida Ransomware + - BlackSuit Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1069 + - T1069.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/deprecated/excel_spawning_powershell.yml similarity index 80% rename from detections/endpoint/excel_spawning_powershell.yml rename to detections/deprecated/excel_spawning_powershell.yml index b5a20e1c1c..83c5d6bd07 100644 --- a/detections/endpoint/excel_spawning_powershell.yml +++ b/detections/deprecated/excel_spawning_powershell.yml @@ -1,11 +1,12 @@ name: Excel Spawning PowerShell id: 42d40a22-9be3-11eb-8f08-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects Microsoft Excel spawning PowerShell, an +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects Microsoft Excel spawning PowerShell, an uncommon and suspicious behavior. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is "excel.exe" and the child process is PowerShell. This activity is significant 
@@ -51,56 +52,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/deprecated/excel_spawning_windows_script_host.yml similarity index 87% rename from detections/endpoint/excel_spawning_windows_script_host.yml rename to detections/deprecated/excel_spawning_windows_script_host.yml index 6bf165787f..db56778daf 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/deprecated/excel_spawning_windows_script_host.yml @@ -1,11 +1,12 @@ name: Excel Spawning Windows Script Host id: 57fe880a-9be3-11eb-9bf3-acde48001122 -version: '6' -date: '2024-11-28' +version: 9 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Excel spawns +description: The following analytic has been deprecated in favour of a more generic approach. + The following analytic identifies instances where Microsoft Excel spawns Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is `excel.exe`. This activity is significant 
@@ -52,48 +53,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - process_id - - parent_process_name - - dest - - user - - parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/deprecated/excessive_service_stop_attempt.yml b/detections/deprecated/excessive_service_stop_attempt.yml new file mode 100644 index 0000000000..3e27dc456b --- /dev/null +++ b/detections/deprecated/excessive_service_stop_attempt.yml 
@@ -0,0 +1,84 @@ +name: Excessive Service Stop Attempt +id: ae8d3f4a-acd7-11eb-8846-acde48001122 +version: 7 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: Anomaly +description: The following analytic has been deprecated. + The following analytic detects multiple attempts to stop or delete services + on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process names and command-line executions + within a one-minute window. This activity is significant as it may indicate an adversary + attempting to disable security or critical services to evade detection and further + their objectives. If confirmed malicious, this could lead to the attacker gaining + persistence, escalating privileges, or disrupting essential services, thereby compromising + the system's security posture. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name + = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" + OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name + Processes.parent_process_name Processes.dest Processes.user _time span=1m | where + count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: unknown +references: +- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to disable services. 
+ risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - XMRig + - Ransomware + - BlackByte Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1489 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/excessive_usage_of_net_app.yml b/detections/deprecated/excessive_usage_of_net_app.yml new file mode 100644 index 0000000000..1b3556f57b --- /dev/null +++ b/detections/deprecated/excessive_usage_of_net_app.yml 
@@ -0,0 +1,89 @@ +name: Excessive Usage Of Net App +id: 45e52536-ae42-11eb-b5c6-acde48001122 +version: 7 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: Anomaly +description: The following analytic has been deprecated. + The following analytic detects excessive usage of `net.exe` or `net1.exe` + within a one-minute interval. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, parent processes, and command-line executions. + This behavior is significant as it may indicate an adversary attempting to create, + delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining + incidents. If confirmed malicious, this activity could lead to unauthorized user + account manipulation, potentially compromising system integrity and enabling further + malicious actions. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name + Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user + _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: unknown. Filter as needed. Modify the time span as needed. +references: +- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Excessive usage of net1.exe or net.exe within 1m, with command line $process$ + has been detected on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 28 + - field: dest + type: system + score: 28 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Prestige Ransomware + - Graceful Wipe Out Attack + - XMRig + - Windows Post-Exploitation + - Azorult + - Ransomware + - Rhysida Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1531 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + 
security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml index 81d0c1dfc1..6e453a7f03 100644 --- a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml +++ b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml @@ -1,7 +1,7 @@ name: Execution of File With Spaces Before Extension id: ab0353e6-a956-420b-b724-a8b4846d5d5a -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: TTP @@ -26,31 +26,22 @@ how_to_implement: The detection is based on data that originates from Endpoint D names and speed up the data modeling process. known_false_positives: None identified. references: [] +rba: + message: Execution of file with spaces before the extension on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows File Extension and Association Abuse - Masquerading - Rename System Utilities asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1036.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_path - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_name - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml index c69fd4d11c..c72e3977a2 100644 
--- a/detections/deprecated/extended_period_without_successful_netbackup_backups.yml +++ b/detections/deprecated/extended_period_without_successful_netbackup_backups.yml @@ -1,7 +1,7 @@ name: Extended Period Without Successful Netbackup Backups id: a34aae96-ccf8-4aef-952c-3ea214444440 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Hunting @@ -24,21 +24,8 @@ tags: analytic_story: - Monitor Backup Solution asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - MESSAGE - - COMPUTERNAME - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/extraction_of_registry_hives.yml b/detections/deprecated/extraction_of_registry_hives.yml new file mode 100644 index 0000000000..f31196f4e5 --- /dev/null +++ b/detections/deprecated/extraction_of_registry_hives.yml 
@@ -0,0 +1,92 @@ +name: Extraction of Registry Hives +id: 8bbb7d58-b360-11eb-ba21-acde48001122 +version: 7 +date: '2025-01-24' +author: Michael Haag, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects the use of `reg.exe` to export Windows + Registry hives, which may contain sensitive credentials. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions involving `save` or `export` actions targeting the `sam`, `system`, or + `security` hives. This activity is significant as it indicates potential offline + credential access attacks, often executed from untrusted processes or scripts. If + confirmed malicious, attackers could gain access to credential data, enabling further + compromise and lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* + OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system + *" OR Processes.process="*\security *") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.parent_process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. 
+ Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible some agent based products will generate false + positives. Filter as needed. +references: +- https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md +- https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Suspicious use of `reg.exe` exporting Windows Registry hives containing + credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$ + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: 
parent_process_name + type: parent_process_name +tags: + analytic_story: + - Volt Typhoon + - Credential Dumping + - CISA AA23-347A + - DarkSide Ransomware + - CISA AA22-257A + asset_type: Endpoint + mitre_attack_id: + - T1003.002 + - T1003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml index 6f2f93c141..5df827cada 100644 --- a/detections/deprecated/first_time_seen_command_line_argument.yml +++ b/detections/deprecated/first_time_seen_command_line_argument.yml @@ -1,7 +1,7 @@ name: First time seen command line argument id: a1b6e73f-98d5-470f-99ac-77aacd578473 -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Hunting @@ -43,26 +43,11 @@ tags: - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns - Hidden Cobra Malware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1059.001 - T1059.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml index fa2a7afa38..10a412fbc9 100644 
--- a/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml +++ b/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml @@ -1,7 +1,7 @@ name: GCP Detect accounts with high risk roles by project id: 27af8c15-38b0-4408-b339-920170724adb -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -29,27 +29,10 @@ tags: analytic_story: - GCP Cross Account Activity asset_type: GCP Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: data.protoPayload.authenticationInfo.principalEmail - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - data.protoPayload.request.policy.bindings{}.role - - data.resource.type data.protoPayload.authenticationInfo.principalEmail - - data.protoPayload.authorizationInfo{}.permission - - data.protoPayload.authorizationInfo{}.resource - - data.protoPayload.response.bindings{}.role - - data.protoPayload.response.bindings{}.members{} - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml index 2e08af647c..1291444493 100644 --- a/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml +++ b/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml @@ -1,7 +1,7 @@ name: GCP Detect high risk permissions by resource and account id: 2e70ef35-2187-431f-aedc-4503dc9b06ba -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -28,27 +28,10 @@ tags: analytic_story: - GCP Cross Account Activity asset_type: GCP Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: data.protoPayload.authenticationInfo.principalEmail - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - data.protoPayload.authorizationInfo{}.permission - - data.protoPayload.requestMetadata.callerIp - - data.protoPayload.authenticationInfo.principalEmail - - data.protoPayload.authorizationInfo{}.permission - - data.protoPayload.response.bindings{}.members{} - - data.resource.labels.project_id - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/gcp_detect_oauth_token_abuse.yml b/detections/deprecated/gcp_detect_oauth_token_abuse.yml index 6571a5fe9e..25144dd436 100644 --- a/detections/deprecated/gcp_detect_oauth_token_abuse.yml +++ b/detections/deprecated/gcp_detect_oauth_token_abuse.yml @@ -1,7 +1,7 @@ name: gcp detect oauth token abuse id: a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -24,21 +24,10 @@ tags: analytic_story: - GCP Cross Account Activity asset_type: GCP Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: protoPayload.status.details{}.violations{}.callerIp - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml index 82b0c7452c..f8fabad5ff 100644 --- a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml +++ b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml 
@@ -1,7 +1,7 @@ name: GCP Kubernetes cluster scan detection id: db5957ec-0144-4c56-b512-9dccbe7a2d26 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: TTP @@ -24,25 +24,21 @@ how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or late known_false_positives: Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context. references: [] +rba: + message: Possible GKE Cluster Scan + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Kubernetes Scanning Activity asset_type: GCP Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1526 - observable: - - name: src_ip - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/identify_new_user_accounts.yml b/detections/deprecated/identify_new_user_accounts.yml index 751871c2a8..55b528d72a 100644 --- a/detections/deprecated/identify_new_user_accounts.yml +++ b/detections/deprecated/identify_new_user_accounts.yml @@ -1,7 +1,7 @@ name: Identify New User Accounts id: 475b9e27-17e4-46e2-b7e2-648221be3b89 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Hunting @@ -23,21 +23,10 @@ references: [] tags: analytic_story: [] asset_type: Domain Server - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078.002 - observable: - - name: identity - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: access 
diff --git a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml index 96583b21a3..8aed9288a5 100644 --- a/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml +++ b/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml @@ -1,7 +1,7 @@ name: Kubernetes AWS detect most active service accounts by pod id: 5b30b25d-7d32-42d8-95ca-64dfcd9076e6 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -20,19 +20,8 @@ tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: AWS EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: sourceIPs{} - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml index 00ddb8c2c3..6d04bf8d94 100644 --- a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml +++ b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml @@ -1,7 +1,7 @@ name: Kubernetes AWS detect RBAC authorization by account id: de7264ed-3ed9-4fef-bb01-6eefc87cefe8 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: AWS EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 - security_domain: threat \ No newline at end of file + security_domain: threat diff --git a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml index 29ef8de65e..bb7b707a96 100644 --- a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml +++ b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml @@ -1,7 +1,7 @@ name: Kubernetes AWS detect sensitive role access id: b6013a7b-85e0-4a45-b051-10b252d69569 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -14,26 +14,15 @@ search: '`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrole user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -known_false_positives: 'Sensitive role resource access is necessary for cluster operation, - however source IP, namespace and user group may indicate possible malicious use.' +known_false_positives: Sensitive role resource access is necessary for cluster operation, + however source IP, namespace and user group may indicate possible malicious use. references: [] tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: AWS EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml index 344bfa7d85..17722e0587 100644 --- a/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml +++ b/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml @@ -1,7 +1,7 @@ name: Kubernetes AWS detect service accounts forbidden failure access id: a6959c57-fa8f-4277-bb86-7c32fba579d5 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: AWS EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: sourceIPs{} - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml index cc6f35af8d..ef9d02ecbe 100644 --- a/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml +++ b/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml @@ -1,7 +1,7 @@ name: Kubernetes Azure active service accounts by pod namespace id: 55a2264a-b7f0-45e5-addd-1e5ab3415c72 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml index 2eb82e151b..0adc47769d 100644 --- a/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml +++ b/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml 
@@ -1,7 +1,7 @@ name: Kubernetes Azure detect RBAC authorization by account id: 47af7d20-0607-4079-97d7-7a29af58b54e -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml index 44c2dc672f..8ae1ee647e 100644 --- a/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml +++ b/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml @@ -1,7 +1,7 @@ name: Kubernetes Azure detect sensitive object access id: 1bba382b-07fd-4ffa-b390-8002739b76e8 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -21,19 +21,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml index f882bd700a..9993a0a115 100644 --- a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml +++ b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml 
@@ -1,7 +1,7 @@ name: Kubernetes Azure detect sensitive role access id: f27349e5-1641-4f6a-9e68-30402be0ad4c -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -14,26 +14,15 @@ search: '`kubernetes_azure` category=kube-audit | spath input=properties.log| se | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`' how_to_implement: You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -known_false_positives: 'Sensitive role resource access is necessary for cluster operation, - however source IP, namespace and user group may indicate possible malicious use.' +known_false_positives: Sensitive role resource access is necessary for cluster operation, + however source IP, namespace and user group may indicate possible malicious use. references: [] tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml index b9231eb62b..ccbf5daf0c 100644 --- a/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml +++ b/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml @@ -1,7 +1,7 @@ name: Kubernetes Azure detect service accounts forbidden failure access id: 019690d7-420f-4da0-b320-f27b09961514 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -21,19 +21,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user.username - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml index 41181a8aff..ef3fed2b2d 100644 --- a/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml +++ b/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml @@ -1,7 +1,7 @@ name: Kubernetes Azure detect suspicious kubectl calls id: 4b6d1ba8-0000-4cec-87e6-6cbbd71651b5 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -24,19 +24,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: sourceIPs{} - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml index 6ed545867f..1b1378b2f7 100644 --- a/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml +++ b/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml @@ -1,7 +1,7 @@ name: Kubernetes Azure pod scan fingerprint id: 86aad3e0-732f-4f66-bbbc-70df448e461d -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -21,19 +21,8 @@ tags: analytic_story: - Kubernetes Scanning Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: sourceIPs{} - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml index 910b36c4bf..8a6b44473d 100644 --- a/detections/deprecated/kubernetes_azure_scan_fingerprint.yml +++ b/detections/deprecated/kubernetes_azure_scan_fingerprint.yml @@ -1,7 +1,7 @@ name: Kubernetes Azure scan fingerprint id: c5e5bd5c-1013-4841-8b23-e7b3253c840a -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -21,21 +21,10 @@ tags: analytic_story: - Kubernetes Scanning Activity asset_type: Azure AKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1526 - observable: - - name: sourceIPs{} - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml index bc40619269..0d3a4cdf11 100644 --- a/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml +++ b/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml @@ -1,7 +1,7 @@ name: Kubernetes GCP detect most active service accounts by pod id: 7f5c2779-88a0-4824-9caa-0f606c8f260f -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: GCP GKE Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml b/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml index 7d5af8b4a6..09a26684ce 100644 --- a/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml +++ b/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml @@ -1,7 +1,7 @@ name: Kubernetes GCP detect RBAC authorizations by account id: 99487de3-7192-4b41-939d-fbe9acfb1340 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: GCP GKE Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml index 7cdbc43651..557ab8a5c3 100644 --- a/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml +++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml @@ -1,7 +1,7 @@ name: Kubernetes GCP detect sensitive object access id: bdb6d596-86a0-4aba-8369-418ae8b9963a -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -22,19 +22,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: GCP GKE Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml index 9bcd081b67..da1b2cf148 100644 --- a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml +++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml @@ -1,7 +1,7 @@ name: Kubernetes GCP detect sensitive role access id: a46923f6-36b9-4806-a681-31f314907c30 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -14,27 +14,16 @@ search: '`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=Clu | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`' how_to_implement: You must install splunk add on for GCP. This search works with pubsub messaging servicelogs. -known_false_positives: 'Sensitive role resource access is necessary for cluster operation, +known_false_positives: Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious - use.' + use. references: [] tags: analytic_story: - Kubernetes Sensitive Role Activity asset_type: GCP GKE EKS Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src_user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat 
diff --git a/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml b/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml index fb104b1612..fff4730076 100644 --- a/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml +++ b/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml @@ -1,7 +1,7 @@ name: Kubernetes GCP detect service accounts forbidden failure access id: 7094808d-432a-48e7-bb3c-77e96c894f3b -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting @@ -24,19 +24,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: GCP GKE Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml b/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml index c0fd76eb6b..a78e967c70 100644 --- a/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml +++ b/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml @@ -1,7 +1,7 @@ name: Kubernetes GCP detect suspicious kubectl calls id: a5bed417-070a-41f2-a1e4-82b6aa281557 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rod Soto, Splunk status: deprecated type: Hunting 
@@ -23,19 +23,8 @@ tags: analytic_story: - Kubernetes Sensitive Object Access Activity asset_type: GCP GKE Kubernetes cluster - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/linux_auditd_find_private_keys.yml b/detections/deprecated/linux_auditd_find_private_keys.yml new file mode 100644 index 0000000000..e9b889bc9e --- /dev/null +++ b/detections/deprecated/linux_auditd_find_private_keys.yml 
@@ -0,0 +1,83 @@ +name: Linux Auditd Find Private Keys +id: 80bb9988-190b-4ee0-a3c3-509545a8f678 +version: 5 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects suspicious attempts to find private keys, + which may indicate an attacker's effort to access sensitive cryptographic information. + Private keys are crucial for securing encrypted communications and data, and unauthorized + access to them can lead to severe security breaches, including data decryption and + identity theft. By monitoring for unusual or unauthorized searches for private keys, + this analytic helps identify potential threats to cryptographic security, enabling + security teams to take swift action to protect the integrity and confidentiality + of encrypted information. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, + "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE + (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, + "%.p12%")OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats + count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_private_keys_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. 
+ risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + mitre_attack_id: + - T1552.004 + - T1552 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/deprecated/local_account_discovery_with_net.yml b/detections/deprecated/local_account_discovery_with_net.yml new file mode 100644 index 0000000000..7ac754da20 --- /dev/null +++ b/detections/deprecated/local_account_discovery_with_net.yml 
@@ -0,0 +1,58 @@ +name: Local Account Discovery with Net +id: 5d0d4830-0133-11ec-bae3-acde48001122 +version: 6 +date: '2025-01-24' +author: Mauricio Velazco, Splunk +status: deprecated +type: Hunting +description: The following analytic has been deprecated. + The following analytic detects the execution of `net.exe` or `net1.exe` + with command-line arguments `user` or `users` to query local user accounts. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to enumerate local users, which is a common + step in situational awareness and Active Directory discovery. If confirmed malicious, + this behavior could lead to further attacks, including privilege escalation and + lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user + OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `local_account_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://attack.mitre.org/techniques/T1087/001/ +tags: + analytic_story: + - Active Directory Discovery + - Sandworm Tools + asset_type: Endpoint + mitre_attack_id: + - T1087 + - T1087.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/monitor_dns_for_brand_abuse.yml b/detections/deprecated/monitor_dns_for_brand_abuse.yml index aeb1119c9c..9ad520f284 100644 --- a/detections/deprecated/monitor_dns_for_brand_abuse.yml +++ b/detections/deprecated/monitor_dns_for_brand_abuse.yml @@ -1,7 +1,7 @@ name: Monitor DNS For Brand Abuse id: 24dd17b1-e2fb-4c31-878c-d4f746595bfa -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: TTP 
@@ -21,27 +21,21 @@ how_to_implement: You need to ingest data from your DNS logs. Specifically you m custom command. known_false_positives: None at this time references: [] +rba: + message: Potential brand abuse + risk_objects: + - field: query + type: other + score: 25 + threat_objects: + - field: IPs + type: ip_address tags: analytic_story: - Brand Monitoring asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: query - type: Other - role: - - Victim - - name: IPs - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: network diff --git a/detections/deprecated/mshtml_module_load_in_office_product.yml b/detections/deprecated/mshtml_module_load_in_office_product.yml new file mode 100644 index 0000000000..f617d2f40e --- /dev/null +++ b/detections/deprecated/mshtml_module_load_in_office_product.yml 
@@ -0,0 +1,80 @@ +name: MSHTML Module Load in Office Product +id: 5f1c168e-118b-11ec-84ff-acde48001122 +version: 7 +date: '2025-01-24' +author: Michael Haag, Mauricio Velazco, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects the loading of the mshtml.dll module into + an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages + Sysmon EventID 7 to monitor image loads by specific Office processes. This activity + is significant because it can indicate an attempt to exploit a vulnerability in + the MSHTML component via a malicious document. If confirmed malicious, this could + allow an attacker to execute arbitrary code, potentially leading to system compromise, + data exfiltration, or further network penetration. +data_source: +- Sysmon EventID 7 +search: '`sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", + "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", + "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") + | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, + loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process names and image loads from your endpoints. If you are using + Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Limited false positives will be present, however, tune as necessary. + Some applications may legitimately load mshtml.dll. 
+references: +- https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/ +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 +- https://strontic.github.io/xcyclopedia/index-dll +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ loading + mshtml.dll. 
+ risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Spearphishing Attachments + - Microsoft MSHTML Remote Code Execution CVE-2021-40444 + - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + asset_type: Endpoint + cve: + - CVE-2021-40444 + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml index dd8ef0e990..68269b2e43 100644 --- a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml +++ b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml 
@@ -1,16 +1,15 @@ name: Multiple Okta Users With Invalid Credentials From The Same IP id: 19cba45f-cad3-4032-8911-0c09e0444552 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Michael Haag, Mauricio Velazco, Rico Valdez, Splunk status: deprecated type: TTP -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. - This analytic identifies multiple failed logon attempts from - a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a - single source and filter as needed or use this to drive tuning for higher fidelity - analytics.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies + multiple failed logon attempts from a single IP in a short period of time. Use this + analytic to identify patterns of suspicious logins from a single source and filter + as needed or use this to drive tuning for higher fidelity analytics.' data_source: [] search: '`okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city 
@@ -28,42 +27,32 @@ references: - https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS - https://developer.okta.com/docs/reference/api/system-log/ - https://attack.mitre.org/techniques/T1110/003/ +rba: + message: Multple user accounts have failed to authenticate from a single IP. + risk_objects: + - field: users + type: user + score: 9 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Okta Activity asset_type: Okta Tenant - confidence: 30 - impact: 30 - message: Multple user accounts have failed to authenticate from a single IP. mitre_attack_id: - T1110.003 - T1078 - T1078.001 - observable: - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - outcome.reason - - client.geographicalContext.country - - client.geographicalContext.state - - client.geographicalContext.city - - user - - src_ip - - displayMessage - - eventType - - outcome.result - risk_score: 9 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/deprecated/net_localgroup_discovery.yml b/detections/deprecated/net_localgroup_discovery.yml new file mode 100644 index 0000000000..e54388cb4c --- /dev/null +++ b/detections/deprecated/net_localgroup_discovery.yml 
@@ -0,0 +1,60 @@ +name: Net Localgroup Discovery +id: 54f5201e-155b-11ec-a6e2-acde48001122 +version: 5 +date: '2025-01-13' +author: Michael Haag, Splunk +status: deprecated +type: Hunting +description: This search has been deprecated in favour of the more generic analytic "c5c8e0f3-147a-43da-bf04-4cfaec27dc44". The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*localgroup*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `net_localgroup_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present. Tune as needed. +references: +- https://attack.mitre.org/techniques/T1069/001/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md +- https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF +- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ +tags: + analytic_story: + - Prestige Ransomware + - Volt Typhoon + - Graceful Wipe Out Attack + - IcedID + - Windows Discovery Techniques + - Windows Post-Exploitation + - Azorult + - Active Directory Discovery + - Rhysida Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1069 + - T1069.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/network_connection_discovery_with_net.yml b/detections/deprecated/network_connection_discovery_with_net.yml new file mode 100644 index 0000000000..0002699f31 --- /dev/null +++ b/detections/deprecated/network_connection_discovery_with_net.yml 
@@ -0,0 +1,58 @@ +name: Network Connection Discovery With Net +id: 640337e5-6e41-4b7f-af06-9d9eab5e1e2d +version: 6 +date: '2025-01-24' +author: Mauricio Velazco, Splunk +status: deprecated +type: Hunting +description: The following analytic has been deprecated. + The following analytic identifies the execution of `net.exe` or `net1.exe` + with command-line arguments used to list network connections on a compromised system. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line executions. This activity is significant as it indicates + potential network reconnaissance by adversaries or Red Teams, aiming to gather situational + awareness and Active Directory information. If confirmed malicious, this behavior + could allow attackers to map the network, identify critical assets, and plan further + attacks, potentially leading to data exfiltration or lateral movement. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*use*) + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://attack.mitre.org/techniques/T1049/ +tags: + analytic_story: + - Active Directory Discovery + - Azorult + - Windows Post-Exploitation + - Prestige Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1049 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/o365_suspicious_admin_email_forwarding.yml b/detections/deprecated/o365_suspicious_admin_email_forwarding.yml index 2476713d4c..13dddb8c18 100644 --- a/detections/deprecated/o365_suspicious_admin_email_forwarding.yml +++ b/detections/deprecated/o365_suspicious_admin_email_forwarding.yml 
@@ -1,14 +1,13 @@ name: O365 Suspicious Admin Email Forwarding id: 7f398cfb-918d-41f4-8db8-2e2474e02c28 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Anomaly -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. - This search detects when an admin configured a forwarding rule for multiple - mailboxes to the same destination.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin + configured a forwarding rule for multiple mailboxes to the same destination.' data_source: [] search: '`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) 
@@ -19,36 +18,31 @@ how_to_implement: You must install splunk Microsoft Office 365 add-on. This sear works with o365:management:activity known_false_positives: unknown references: [] +rba: + message: User $user$ has configured a forwarding rule for multiple mailboxes to + the same destination $ForwardingAddress$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques - Data Exfiltration asset_type: O365 Tenant - confidence: 60 - impact: 80 - message: User $user$ has configured a forwarding rule for multiple mailboxes to - the same destination $ForwardingAddress$ mitre_attack_id: - T1114.003 - T1114 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Parameters - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json sourcetype: o365:management:activity source: o365 diff --git a/detections/deprecated/o365_suspicious_rights_delegation.yml b/detections/deprecated/o365_suspicious_rights_delegation.yml index fcc6cd4f44..e9e6543750 100644 --- a/detections/deprecated/o365_suspicious_rights_delegation.yml +++ b/detections/deprecated/o365_suspicious_rights_delegation.yml 
@@ -1,55 +1,74 @@ name: O365 Suspicious Rights Delegation id: b25d2973-303e-47c8-bacd-52b61604c6a7 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Mauricio Velazco, Splunk status: deprecated type: TTP -description: '**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. - This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. 
This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances + where potentially suspicious rights are delegated within the Office 365 environment. + Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf + permissions on another users mailbox. Such permissions can allow a user to access, + send emails from, or send emails on behalf of the target mailbox. The detection + leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing + the parameters of this operation, the analytic filters for events where FullAccess, + SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture + the source user (who was granted the permissions), the destination user (whose mailbox + was affected), the specific operation, and the type of access rights granted. Delegating + mailbox rights, especially those as powerful as FullAccess, can pose significant + security risks. While there are legitimate scenarios for these permissions, such + as an executive assistant needing access to an executives mailbox, there are also + malicious scenarios where an attacker or a compromised insider might grant themselves + unauthorized access to sensitive mailboxes. Monitoring for these permissions changes + is crucial to detect potential insider threats, compromised accounts, or other malicious + activities.If the detection is a true positive, it indicates that a user has been + granted potentially high-risk permissions on another users mailbox. 
This could lead + to unauthorized access to sensitive emails, impersonation through sending emails + as or on behalf of the mailbox owner, or data manipulation by altering or deleting + emails. Immediate investigation is required to validate the legitimacy of the permission + change and to assess the potential risks associated with the granted access.' data_source: [] search: '`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: While there are legitimate scenarios for these permissions, + such as an executive assistant needing access to an executive's mailbox, there are + also malicious scenarios. Investigate and filter as needed. 
references: - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 - https://attack.mitre.org/techniques/T1098/002/ - https://attack.mitre.org/techniques/T1114/002/ +rba: + message: User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ + that allow access to sensitive + risk_objects: + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Office 365 Collection Techniques asset_type: O365 Tenant - confidence: 60 - impact: 80 - message: User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ - that allow access to sensitive mitre_attack_id: - T1114.002 - T1114 - T1098.002 - T1098 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Parameters - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json sourcetype: o365:management:activity source: o365 diff --git a/detections/deprecated/o365_suspicious_user_email_forwarding.yml b/detections/deprecated/o365_suspicious_user_email_forwarding.yml index 2855f74738..1a9c9c5c4c 100644 --- a/detections/deprecated/o365_suspicious_user_email_forwarding.yml +++ b/detections/deprecated/o365_suspicious_user_email_forwarding.yml 
@@ -1,13 +1,37 @@ name: O365 Suspicious User Email Forwarding id: f8dfe015-dbb3-4569-ba75-b13787e06aa4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: Anomaly -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. - The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. 
Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when + multiple users have configured a forwarding rule to the same destination to proactively + identify and investigate potential security risks related to email forwarding and + take appropriate actions to protect the organizations data and prevent unauthorized + access or data breaches. This detection is made by a Splunk query to O365 management + activity logs with the operation `Set-Mailbox` to gather information about mailbox + configurations. Then, the query uses the `spath` function to extract the parameters + and rename the "Identity" field as "src_user" and searches for entries where the + "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding + rule. Next, the analytic uses the `stats` command to group the results by the forwarding + email address and count the number of unique source users (`src_user`). Finally, + it filters the results and only retains entries where the count of source users + (`count_src_user`) is greater than 1, which indicates that multiple users have set + up forwarding rules to the same destination. 
This detection is important because + it suggests that multiple users are forwarding emails to the same destination without + proper authorization, which can lead to the exposure of sensitive information, loss + of data control, or unauthorized access to confidential emails. Investigating and + addressing this issue promptly can help prevent data breaches and mitigate potential + damage.indicates a potential security risk since multiple users forwarding emails + to the same destination can be a sign of unauthorized access, data exfiltration, + or a compromised account. Additionally, it also helps to determine if the forwarding + rules are legitimate or if they indicate a security incident. False positives can + occur if there are legitimate reasons for multiple users to forward emails to the + same destination, such as a shared mailbox or a team collaboration scenario. Next + steps include further investigation and context analysis to determine the legitimacy + of the forwarding rules.' data_source: [] search: '`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) 
@@ -18,40 +42,33 @@ how_to_implement: You must install splunk Microsoft Office 365 add-on. This sear works with o365:management:activity known_false_positives: unknown references: [] +rba: + message: User $user$ configured multiple users $src_user$ with a count of $count_src_user$, + a forwarding rule to same destination $ForwardingSmtpAddress$ + risk_objects: + - field: user + type: user + score: 48 + threat_objects: + - field: ForwardingSmtpAddress + type: email_address tags: analytic_story: - Office 365 Collection Techniques - Data Exfiltration asset_type: O365 Tenant - confidence: 60 - impact: 80 - message: User $user$ configured multiple users $src_user$ with a count of $count_src_user$, - a forwarding rule to same destination $ForwardingSmtpAddress$ mitre_attack_id: - T1114.003 - T1114 - observable: - - name: user - type: User - role: - - Victim - - name: ForwardingSmtpAddress - type: Email Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - Parameters - risk_score: 48 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json sourcetype: o365:management:activity source: o365 diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/deprecated/office_application_drop_executable.yml similarity index 88% rename from detections/endpoint/office_application_drop_executable.yml rename to detections/deprecated/office_application_drop_executable.yml index 1f9bce4930..94ddc48e52 100644 --- a/detections/endpoint/office_application_drop_executable.yml 
+++ b/detections/deprecated/office_application_drop_executable.yml @@ -1,11 +1,12 @@ name: Office Application Drop Executable id: 73ce70c4-146d-11ec-9184-acde48001122 -version: '7' -date: '2024-11-28' +version: 9 +date: '2025-01-24' author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github -status: production +status: deprecated type: TTP -description: The following analytic detects Microsoft Office applications dropping +description: The following analytic has been deprecated. + The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as .exe, .dll, or .ps1. @@ -50,6 +51,15 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ drops a file $file_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - CVE-2023-21716 Word RTF Heap Corruption 
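Review bot: `version` jumps from '7' to 9 in this hunk while the other deprecated detections in the change bump by one, so check whether 8 was skipped by mistake. The new description also says only "has been deprecated" without naming a successor, whereas the regsvr32, rundll32, bitsadmin, certutil and mshta deprecations point to "Windows Office Product Spawned Uncommon Process"; if this one is covered by the same generic detection, say so, otherwise state why it is retired. Finally, an rba block with score 64 is introduced in the same change that sets `status: deprecated`; confirm that deprecated detections are still expected to carry risk configuration, otherwise this is dead config.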
@@ -59,37 +69,18 @@ tags: - AgentTesla - PlugX asset_type: Endpoint - confidence: 80 - impact: 80 - message: process $process_name$ drops a file $file_name$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - file_name - - process_guid - - dest - - user_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/deprecated/office_application_spawn_regsvr32_process.yml similarity index 84% rename from detections/endpoint/office_application_spawn_regsvr32_process.yml rename to detections/deprecated/office_application_spawn_regsvr32_process.yml index d2a1d1f9d3..20aef6978a 100644 --- a/detections/endpoint/office_application_spawn_regsvr32_process.yml +++ b/detections/deprecated/office_application_spawn_regsvr32_process.yml 
@@ -1,11 +1,12 @@ name: Office Application Spawn Regsvr32 process id: 2d9fc90c-f11f-11eb-9300-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where an Office application +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where an Office application spawns a Regsvr32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. 
@@ -54,45 +55,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office application spawning regsvr32.exe on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - IcedID - Compromised Windows Host - Qakbot asset_type: Endpoint - confidence: 90 - impact: 70 - message: Office application spawning regsvr32.exe on $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/deprecated/office_application_spawn_rundll32_process.yml similarity index 85% rename from detections/endpoint/office_application_spawn_rundll32_process.yml rename to detections/deprecated/office_application_spawn_rundll32_process.yml index 9eb468df33..fd944b75cf 100644 --- a/detections/endpoint/office_application_spawn_rundll32_process.yml +++ b/detections/deprecated/office_application_spawn_rundll32_process.yml 
@@ -1,11 +1,12 @@ name: Office Application Spawn rundll32 process id: 958751e4-9c5f-11eb-b103-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where an Office application +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where an Office application spawns a rundll32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. @@ -54,6 +55,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office application spawning rundll32.exe on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments 
@@ -63,38 +71,18 @@ tags: - NjRAT - Trickbot asset_type: Endpoint - confidence: 90 - impact: 70 - message: Office application spawning rundll32.exe on $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/deprecated/office_document_creating_schedule_task.yml b/detections/deprecated/office_document_creating_schedule_task.yml new file mode 100644 index 0000000000..0198d43de6 --- /dev/null +++ b/detections/deprecated/office_document_creating_schedule_task.yml 
@@ -0,0 +1,75 @@ +name: Office Document Creating Schedule Task +id: cc8b7b74-9d0f-11eb-8342-acde48001122 +version: 10 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects an Office document creating a scheduled + task, either through a macro VBA API or by loading `taskschd.dll`. This detection + leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` + file. This activity is significant as it is a common technique used by malicious + macro malware to establish persistence or initiate beaconing. If confirmed malicious, + this could allow an attacker to maintain persistence, execute arbitrary commands, + or schedule future malicious activities, posing a significant threat to the environment. +data_source: +- Sysmon EventID 7 +search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", + "msaccess.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime + max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, + original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `office_document_creating_schedule_task_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. + Also be sure to include those monitored dll to your own sysmon config. +known_false_positives: False positives may occur if legitimate office documents are + creating scheduled tasks. Ensure to investigate the scheduled task and the command + to be executed. If the task is benign, add the task name to the exclusion list. 
+ Some applications may legitimately load taskschd.dll. +references: +- https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ +- https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/ +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An Office document was identified creating a scheduled task on $dest$. + Investigate further. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] +tags: + analytic_story: + - Spearphishing Attachments + asset_type: Endpoint + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
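Review bot: known_false_positives in this file tells the analyst to "add the task name to the exclusion list", but the search keys on Sysmon EventCode 7 image loads of `taskschd.dll` and groups by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name and process_guid, so no task name is available to filter on in `office_document_creating_schedule_task_filter`; reword the guidance to refer to the process or host. Also, the file arrives as `new file mode 100644` rather than as a rename from detections/endpoint like the neighbouring deprecations, which drops the git history; if an older copy exists under detections/endpoint, make sure it is removed in this change. As with the other "has been deprecated." descriptions, no replacement detection is named.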
diff --git a/detections/deprecated/office_document_executing_macro_code.yml b/detections/deprecated/office_document_executing_macro_code.yml new file mode 100644 index 0000000000..920e9483f5 --- /dev/null +++ b/detections/deprecated/office_document_executing_macro_code.yml 
@@ -0,0 +1,86 @@ +name: Office Document Executing Macro Code +id: b12c89bc-9d06-11eb-a592-acde48001122 +version: 9 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic identifies office documents executing macro code. + It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE + load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant + because macros are a common attack vector for delivering malicious payloads, such + as malware. If confirmed malicious, this could lead to unauthorized code execution, + data exfiltration, or further compromise of the system. Disabling macros by default + is recommended to mitigate this risk. +data_source: +- Sysmon EventID 7 +search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") + loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) + as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by + dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. + Also be sure to include those monitored dll to your own sysmon config. +known_false_positives: False positives may occur if legitimate office documents are + executing macro code. Ensure to investigate the macro code and the command to be + executed. If the macro code is benign, add the document name to the exclusion list. 
+ Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL. +references: +- https://www.joesandbox.com/analysis/386500/0/html +- https://www.joesandbox.com/analysis/702680/0/html +- https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/ +- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +- https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Office document executing a macro on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] +tags: + analytic_story: + - Spearphishing Attachments + - Trickbot + - IcedID + - DarkCrystal RAT + - AgentTesla + - Qakbot + - Azorult + - Remcos + - PlugX + - NjRAT + asset_type: Endpoint + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - 
data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/office_document_spawned_child_process_to_download.yml b/detections/deprecated/office_document_spawned_child_process_to_download.yml new file mode 100644 index 0000000000..def3130752 --- /dev/null +++ b/detections/deprecated/office_document_spawned_child_process_to_download.yml 
@@ -0,0 +1,85 @@ +name: Office Document Spawned Child Process To Download +id: 6fed27d2-9ec7-11eb-8fe4-aa665a019aa3 +version: 10 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic identifies Office applications spawning child + processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where Office applications + like Word or Excel initiate network connections, excluding common browsers. This + activity is significant as it often indicates the use of malicious documents to + execute living-off-the-land binaries (LOLBins) for payload delivery. If confirmed + malicious, this behavior could lead to unauthorized code execution, data exfiltration, + or further malware deployment, posing a severe threat to the organization's security. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", + "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name + IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.original_file_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `office_document_spawned_child_process_to_download_filter`' +how_to_implement: The detection is based on data that originates from Endpoint 
Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Default browser not in the filter list. +references: +- https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/ +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Office document spawning suspicious child process on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] +tags: + analytic_story: + - Spearphishing Attachments + - CVE-2023-36884 
Office and Windows HTML RCE Vulnerability + - PlugX + - NjRAT + asset_type: Endpoint + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/office_product_spawn_cmd_process.yml b/detections/deprecated/office_product_spawn_cmd_process.yml new file mode 100644 index 0000000000..812d2a3bc1 --- /dev/null +++ b/detections/deprecated/office_product_spawn_cmd_process.yml 
@@ -0,0 +1,94 @@ +name: Office Product Spawn CMD Process +id: b8b19420-e892-11eb-9244-acde48001122 +version: 9 +date: '2025-01-13' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name + = "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name + = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name + = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name + = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" + OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.process_guid Processes.user Processes.dest Processes.original_file_name + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` 
|`security_content_ctime(lastTime)` + | `office_product_spawn_cmd_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: IT or network admin may create an document automation that + will run shell script. +references: +- https://twitter.com/cyb3rops/status/1416050325870587910?s=21 +- https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/ +- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" 
values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: an office product parent process $parent_process_name$ spawn child process + $process_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] +tags: + analytic_story: + - Trickbot + - DarkCrystal RAT + - Azorult + - Remcos + - Qakbot + - AgentTesla + - CVE-2023-21716 Word RTF Heap Corruption + - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + - Warzone RAT + - PlugX + - NjRAT + asset_type: Endpoint + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/deprecated/office_product_spawning_bitsadmin.yml similarity index 80% rename from detections/endpoint/office_product_spawning_bitsadmin.yml rename to detections/deprecated/office_product_spawning_bitsadmin.yml index 940117145d..8c3de51640 100644 --- a/detections/endpoint/office_product_spawning_bitsadmin.yml +++ b/detections/deprecated/office_product_spawning_bitsadmin.yml 
@@ -1,11 +1,12 @@ name: Office Product Spawning BITSAdmin id: e8c591f4-a6d7-11eb-8cf7-acde48001122 -version: '8' -date: '2024-11-28' +version: 9 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because `bitsadmin.exe` 
@@ -52,50 +53,34 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/deprecated/office_product_spawning_certutil.yml similarity index 80% rename from detections/endpoint/office_product_spawning_certutil.yml rename to detections/deprecated/office_product_spawning_certutil.yml index c9b7f0f134..d1e14b4181 100644 --- a/detections/endpoint/office_product_spawning_certutil.yml +++ b/detections/deprecated/office_product_spawning_certutil.yml @@ -1,11 +1,12 @@ name: Office Product Spawning CertUtil id: 6925fe72-a6d5-11eb-9e17-acde48001122 -version: '8' -date: '2024-11-28' +version: 9 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects any Windows Office Product spawning `certutil.exe`, +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects any Windows Office Product spawning `certutil.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process relationships and command-line executions. The significance lies in the fact that `certutil.exe` @@ -52,6 +53,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments 
@@ -60,44 +71,18 @@ tags: - AgentTesla - CVE-2023-36884 Office and Windows HTML RCE Vulnerability asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/deprecated/office_product_spawning_mshta.yml similarity index 82% rename from detections/endpoint/office_product_spawning_mshta.yml rename to detections/deprecated/office_product_spawning_mshta.yml index 2965f3c20f..966d3f3b98 100644 --- a/detections/endpoint/office_product_spawning_mshta.yml +++ b/detections/deprecated/office_product_spawning_mshta.yml 
@@ -1,11 +1,12 @@ name: Office Product Spawning MSHTA id: 6078fa20-a6d2-11eb-b662-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where a Microsoft Office +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where a Microsoft Office product spawns `mshta.exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is an Office application. This activity is significant because it is a common @@ -50,6 +51,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Azorult 
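Review bot: in the `rba` hunk for `office_product_spawning_mshta.yml` the only threat object is `process_name`, whereas the sibling `office_product_spawning_windows_script_host.yml` in this change lists both `parent_process_name` and `process_name`. The searches have the same shape (Office parent spawning a LOLBin), so the threat-object set should match across the family; otherwise the same observed behaviour produces different threat entities in ES depending on which child binary was seen.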
@@ -59,40 +70,13 @@ tags: - NjRAT - CVE-2023-36884 Office and Windows HTML RCE Vulnerability asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/deprecated/office_product_spawning_rundll32_with_no_dll.yml similarity index 81% rename from detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml rename to detections/deprecated/office_product_spawning_rundll32_with_no_dll.yml index 794babfd6f..34040e8cb5 100644 --- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml +++ b/detections/deprecated/office_product_spawning_rundll32_with_no_dll.yml 
@@ -1,11 +1,12 @@ name: Office Product Spawning Rundll32 with no DLL id: c661f6be-a38c-11eb-be57-acde48001122 -version: '8' -date: '2024-11-28' +version: 10 +date: '2025-01-24' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects any Windows Office Product spawning `rundll32.exe` +description: The following analytic has been deprecated. + The following analytic detects any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process and parent process relationships. This activity is significant as it is a known tactic of the IcedID malware family, 
@@ -54,51 +55,35 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ and no dll commandline $process$ + on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ and no dll commandline $process$ - in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
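Review bot: `office_product_spawning_rundll32_with_no_dll.yml` is marked deprecated with only "The following analytic has been deprecated." and names no replacement, while `certutil`, `mshta`, `wmic` and `windows_script_host` in the same change point to "Windows Office Product Spawned Uncommon Process". If the rundll32-without-DLL case is meant to be covered by that generic rule, say so here; if it is not covered (the generic rule keys on an uncommon child process, not on a missing `.dll` argument), note what replaces it so the IcedID coverage cited in the description is not silently dropped. Also `version` jumps from 8 to 10 in one diff; confirm that skip is intentional.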
diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/deprecated/office_product_spawning_windows_script_host.yml similarity index 83% rename from detections/endpoint/office_product_spawning_windows_script_host.yml rename to detections/deprecated/office_product_spawning_windows_script_host.yml index 2b93960b14..8ff8d57259 100644 --- a/detections/endpoint/office_product_spawning_windows_script_host.yml +++ b/detections/deprecated/office_product_spawning_windows_script_host.yml @@ -1,11 +1,12 @@ name: Office Product Spawning Windows Script Host id: b3628a5b-8d02-42fa-a891-eebf2351cbe1 -version: '9' -date: '2024-11-28' +version: 11 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects an Office product spawning WScript.exe +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially @@ -53,6 +54,18 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ on host $dest$. + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments 
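Review bot: the `rba` hunk lists `parent_process_name` as a threat object. The parent here is the Office application itself (the victim process that was tricked into spawning `WScript.exe`/`CScript.exe`), so `winword.exe`/`excel.exe` will be recorded as a threat entity on every hit and will pollute threat-object aggregation with a benign binary name. Keep `process_name` as the threat object and drop `parent_process_name`, or keep it only if the intent is explicitly to track which Office binary was abused.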
@@ -60,44 +73,13 @@ tags: - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ on host $dest$. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test @@ -105,4 +87,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/deprecated/office_product_spawning_wmic.yml similarity index 83% rename from detections/endpoint/office_product_spawning_wmic.yml rename to detections/deprecated/office_product_spawning_wmic.yml index c9cc9e5120..6360ea5c4e 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/deprecated/office_product_spawning_wmic.yml 
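Review bot: the last hunk for `office_product_spawning_windows_script_host.yml` removes `update_timestamp: true` from the test's `attack_data` entry without a note. That flag controls whether the replayed `windows-sysmon.log` has its timestamps rewritten to "now" during `contentctl test`; with it gone the sample's original timestamps are used, so verify the search's default time window still picks the events up, or mention in the PR why the flag is no longer needed.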
@@ -1,11 +1,12 @@ name: Office Product Spawning Wmic id: ffc236d6-a6c9-11eb-95f1-acde48001122 -version: '9' -date: '2024-11-28' +version: 10 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects any Windows Office Product spawning `wmic.exe`, +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects any Windows Office Product spawning `wmic.exe`, specifically when the command-line of `wmic.exe` contains `wmic process call create`. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant @@ -53,6 +54,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments 
@@ -60,40 +71,13 @@ tags: - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - FIN7 asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/deprecated/office_product_writing_cab_or_inf.yml similarity index 88% rename from detections/endpoint/office_product_writing_cab_or_inf.yml rename to detections/deprecated/office_product_writing_cab_or_inf.yml index 936819f977..dbea8b4ac3 100644 --- a/detections/endpoint/office_product_writing_cab_or_inf.yml +++ b/detections/deprecated/office_product_writing_cab_or_inf.yml 
@@ -1,11 +1,12 @@ name: Office Product Writing cab or inf id: f48cd1d4-125a-11ec-a447-acde48001122 -version: '8' -date: '2024-11-28' +version: 10 +date: '2025-01-24' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects Office products writing .cab or .inf files, +description: The following analytic has been deprecated. + The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious 
@@ -56,47 +57,36 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on $dest$ writing an inf or + cab file to this. This is not typical of $process_name$. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Compromised Windows Host asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $process_name$ was identified on $dest$ writing an inf or - cab file to this. This is not typical of $process_name$. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - process_name - - process - - file_create_time - - file_name - - file_path - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/office_spawning_control.yml b/detections/deprecated/office_spawning_control.yml similarity index 83% rename from detections/endpoint/office_spawning_control.yml rename to detections/deprecated/office_spawning_control.yml index 9546f5e133..8f472a4168 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/deprecated/office_spawning_control.yml 
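Review bot: the `rba` message in `office_product_writing_cab_or_inf.yml` carries over the old wording "writing an inf or cab file to this. This is not typical of $process_name$", where "to this" is a dangling fragment. Suggest "writing a .inf or .cab file to disk. This is not typical of $process_name$." Since the rba block is being introduced anyway, this is the moment to fix it. As with rundll32, the deprecation sentence names no replacement; given this rule is the CVE-2021-40444 file-write indicator rather than a process-spawn pattern, state whether any successor covers it.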
@@ -1,11 +1,12 @@ name: Office Spawning Control id: 053e027c-10c7-11ec-8437-acde48001122 -version: '8' -date: '2024-11-28' +version: 11 +date: '2025-01-24' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where `control.exe` is spawned +description: The following analytic has been deprecated. + The following analytic identifies instances where `control.exe` is spawned by a Microsoft Office product. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it can indicate exploitation attempts related to CVE-2021-40444, 
@@ -56,55 +57,38 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ clicking a suspicious attachment. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Compromised Windows Host asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ clicking a suspicious attachment. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
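Review bot: the `rba` message for `office_spawning_control.yml`, "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment", reads as if the endpoint clicked the attachment. Suggest "... on endpoint $dest$, consistent with a user opening a malicious attachment." Same remark as for windows_script_host: `parent_process_name` (the Office binary) as a threat object will tag benign application names as threat entities; `process_name` alone is the better choice here.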
diff --git a/detections/deprecated/okta_account_locked_out.yml b/detections/deprecated/okta_account_locked_out.yml index d7a30ee439..0ad8243973 100644 --- a/detections/deprecated/okta_account_locked_out.yml +++ b/detections/deprecated/okta_account_locked_out.yml @@ -1,19 +1,19 @@ name: Okta Account Locked Out id: d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-14' author: Michael Haag, Splunk status: deprecated type: Anomaly -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. - The following analytic utilizes the user.acount.lock event to identify - associates who are locked out of Okta. An adversary attempting to brute force or - password spray account names may lock accounts out depending on the threshold.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock + event to identify associates who are locked out of Okta. An adversary attempting + to brute force or password spray account names may lock accounts out depending on + the threshold.' data_source: [] search: '`okta` eventType=user.account.lock | stats count min(_time) as firstTime - max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status - | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip + eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`' how_to_implement: This analytic is specific to Okta and requires Okta logs to be ingested. known_false_positives: False positives may be present. Tune Okta and tune the analytic 
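Review bot: the reflowed `description` still says "utilizes the user.acount.lock event" while the search correctly filters `eventType=user.account.lock`; fix the spelling in the description (and ideally in the `references` URL `?q=user.acount.lock`, which otherwise searches the Okta event catalog for a non-existent event type) while this text is being touched.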
@@ -21,36 +21,31 @@ known_false_positives: False positives may be present. Tune Okta and tune the an is complete. references: - https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock +rba: + message: $user$ account has been locked out. + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Okta Activity - Okta MFA Exhaustion asset_type: Infrastructure - confidence: 80 - impact: 80 - message: $src_user$ account has been locked out. mitre_attack_id: - T1110 - observable: - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - src_user - - src_ip - - eventType - - status - risk_score: 64 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/deprecated/okta_account_lockout_events.yml b/detections/deprecated/okta_account_lockout_events.yml index 4d15cada48..07f8d09a9d 100644 --- a/detections/deprecated/okta_account_lockout_events.yml +++ b/detections/deprecated/okta_account_lockout_events.yml 
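Review bot: in the `rba` hunk of `okta_account_locked_out.yml` the risk object is `user`, which the search produces as `values(src_user) as user` grouped by `src_ip eventType status` with `count >= 3`. That field is therefore multivalue whenever one source IP locks several accounts (exactly the spray case the analytic describes), so one result may carry a list of users; confirm that ES fans a multivalue `user` out into one risk event per user rather than writing the whole list as a single entity, or restructure to emit one row per user. The change from `$src_user$` to `$user$` in the message is a real fix, since `src_user` no longer exists after the `stats` rename.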
@@ -1,26 +1,26 @@ name: Okta Account Lockout Events id: 62b70968-a0a5-4724-8ac4-67871e6f544d -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Michael Haag, Rico Valdez, Splunk status: deprecated type: Anomaly -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. - The following anomaly will generate based on account lockout events utilizing - Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs - site, this event is fired when a user account has reached the lockout limit. The - account will not auto-unlock and a user or client cannot gain access to the account. - This event indicates an account that will not be able to log in until remedial action - is taken by the account admin. This event can be used to understand the specifics - of an account lockout. Often this indicates a client application that is repeatedly - attempting to authenticate with invalid credentials such as an old password.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based + on account lockout events utilizing Okta eventTypes of user.account.lock.limit or + user.account.lock. Per the Okta docs site, this event is fired when a user account + has reached the lockout limit. The account will not auto-unlock and a user or client + cannot gain access to the account. This event indicates an account that will not + be able to log in until remedial action is taken by the account admin. This event + can be used to understand the specifics of an account lockout. Often this indicates + a client application that is repeatedly attempting to authenticate with invalid + credentials such as an old password.' 
data_source: [] search: '`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime - max(_time) as lastTime values(src_user) by displayMessage, country, state, city, - src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + max(_time) as lastTime values(src_user) as users by displayMessage, country, state, + city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`' how_to_implement: This analytic is specific to Okta and requires Okta logs to be ingested. known_false_positives: None. Account lockouts should be followed up on to determine 
@@ -29,38 +29,31 @@ known_false_positives: None. Account lockouts should be followed up on to determ references: - https://developer.okta.com/docs/reference/api/event-types/#catalog - https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock +rba: + message: The following user $users$ has locked out their account within Okta. + risk_objects: + - field: users + type: user + score: 25 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Suspicious Okta Activity asset_type: Infrastructure - confidence: 50 - impact: 50 - message: The following user $src_user$ has locked out their account within Okta. mitre_attack_id: - T1078 - T1078.001 - observable: - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - displayMessage - - client.geographicalContext.country - - client.geographicalContext.state - - client.geographicalContext.city - - src_ip - - src_user - risk_score: 25 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/deprecated/okta_failed_sso_attempts.yml b/detections/deprecated/okta_failed_sso_attempts.yml index a6b0768935..6516d32c67 100644 --- a/detections/deprecated/okta_failed_sso_attempts.yml +++ b/detections/deprecated/okta_failed_sso_attempts.yml 
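Review bot: `okta_account_lockout_events.yml` now names the stats output `values(src_user) as users` and uses `users` as the `user` risk object and in the message "The following user $users$ has locked out their account". The field is multivalue by construction (all users seen for a `displayMessage, country, state, city, src_ip` group), so the singular message will render a list, and the risk entity question is the same as for `okta_account_locked_out.yml`: check how ES treats a multivalue risk-object field, or group by `src_user` and use that directly.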
@@ -1,11 +1,14 @@ name: Okta Failed SSO Attempts id: 371a6545-2618-4032-ad84-93386b8698c5 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Michael Haag, Rico Valdez, Splunk status: deprecated type: Anomaly -description: '**DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt".' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with this detection `Okta Unauthorized Access to Application - DM`. The following + anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth + app access attempt".' data_source: [] search: '`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result @@ -17,31 +20,22 @@ known_false_positives: There may be a faulty config preventing legitmate users f accessing apps they should have access to. references: - https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt +rba: + message: $src_user$ failed SSO authentication to the app. + risk_objects: + - field: src_user + type: user + score: 16 + threat_objects: [] tags: analytic_story: - Suspicious Okta Activity asset_type: Infrastructure - confidence: 40 - impact: 40 - message: $src_user$ failed SSO authentication to the app. mitre_attack_id: - T1078 - T1078.001 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - displayMessage - - app - - src_user - - result - - src_ip - risk_score: 16 security_domain: access 
diff --git a/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml b/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml index 0c308a051f..1f87cc42bf 100644 --- a/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml +++ b/detections/deprecated/okta_threatinsight_login_failure_with_high_unknown_users.yml 
@@ -1,49 +1,44 @@ name: Okta ThreatInsight Login Failure with High Unknown users id: 632663b0-4562-4aad-abe9-9f621a049738 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Okta, Inc, Michael Haag, Splunk type: TTP status: deprecated data_source: [] -description: '**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. - The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. - This event will trigger when a brute force attempt occurs with unknown usernames attempted.' -search: '`okta` eventType="security.threat.detected" AND outcome.reason="Login failures with high unknown users count*" -| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`' -how_to_implement: This search is specific to Okta and requires Okta logs to be - ingested in your Splunk deployment. -known_false_positives: Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas + ThreatInsight to identify Login failures with high unknown users count and any included + secondary outcome reasons. This event will trigger when a brute force attempt occurs + with unknown usernames attempted.' 
+search: '`okta` eventType="security.threat.detected" AND outcome.reason="Login failures + with high unknown users count*" | stats count min(_time) as firstTime max(_time) + as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent + client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`' +how_to_implement: This search is specific to Okta and requires Okta logs to be ingested + in your Splunk deployment. +known_false_positives: Fidelity of this is high as it is Okta ThreatInsight. Filter + and modify as needed. references: - https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm +rba: + message: Okta ThreatInsight has detected or prevented a high number of login failures. + risk_objects: + - field: user + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Suspicious Okta Activity asset_type: Infrastructure - confidence: 100 - impact: 50 - message: Okta ThreatInsight has detected or prevented a high number of login failures. mitre_attack_id: - T1078 - T1078.001 - T1110.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - client.userAgent.rawUserAgent - - client.userAgent.browser - - outcome.reason - - displayMessage - risk_score: 50 security_domain: access diff --git a/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml b/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml index 9ca05aa50e..478b4895a1 100644 --- a/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml +++ b/detections/deprecated/okta_threatinsight_suspected_passwordspray_attack.yml 
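Review bot: in `okta_threatinsight_login_failure_with_high_unknown_users.yml` the risk object is `user`, but `security.threat.detected` is an aggregate ThreatInsight event about a source IP attempting many unknown usernames; the `user` field on such events is frequently empty or the Okta system account, and the stats already groups by `user`, so most risk will land on a blank or meaningless entity. `threat_objects: []` discards the one strong indicator the event does carry. Suggest grouping on the client IP as well and using it as the threat object (and as the risk object if `user` is absent).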
@@ -1,50 +1,43 @@ name: Okta ThreatInsight Suspected PasswordSpray Attack id: 25dbad05-6682-4dd5-9ce9-8adecf0d9ae2 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Okta, Inc, Michael Haag, Splunk type: TTP status: deprecated data_source: [] -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. - The following analytic utilizes Oktas ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a - brute force attempt occurs with unknown usernames attempted.' -search: '`okta` eventType="security.threat.detected" AND outcome.reason="Password Spray" -| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`' -how_to_implement: This search is specific to Okta and requires Okta logs to be - ingested in your Splunk deployment. -known_false_positives: Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas + ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. + This event will trigger when a brute force attempt occurs with unknown usernames + attempted.' 
+search: '`okta` eventType="security.threat.detected" AND outcome.reason="Password + Spray" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) + by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`' +how_to_implement: This search is specific to Okta and requires Okta logs to be ingested + in your Splunk deployment. +known_false_positives: Fidelity of this is high as it is Okta ThreatInsight. Filter + and modify as needed. references: - https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm +rba: + message: Okta ThreatInsight has detected or prevented a PasswordSpray attack. + risk_objects: + - field: outcome.reason + type: other + score: 60 + threat_objects: [] tags: analytic_story: - Suspicious Okta Activity asset_type: Infrastructure - confidence: 100 - impact: 60 - message: Okta ThreatInsight has detected or prevented a PasswordSpray attack. mitre_attack_id: - T1078 - T1078.001 - T1110.003 - observable: - - name: outcome.reason - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - eventType - - client.userAgent.rawUserAgent - - client.userAgent.browser - - outcome.reason - - displayMessage - risk_score: 60 security_domain: access diff --git a/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml b/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml index 054e1f73d3..9817b5f845 100644 --- a/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml +++ b/detections/deprecated/okta_two_or_more_rejected_okta_pushes.yml 
@@ -1,15 +1,14 @@ name: Okta Two or More Rejected Okta Pushes id: d93f785e-4c2c-4262-b8c7-12b77a13fd39 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Michael Haag, Marissa Bower, Splunk status: deprecated type: TTP -description: - '**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. - The following analytic identifies an account that has rejected more than - 2 Push notifications in a 10 minute window. Modify this query for your environment - by upping the count or time window.' +description: '**DEPRECATION NOTE** - This search has been deprecated and replaced + with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies + an account that has rejected more than 2 Push notifications in a 10 minute window. + Modify this query for your environment by upping the count or time window.' data_source: [] search: '`okta` outcome.reason="User rejected Okta push verify" OR (debugContext.debugData.factor="OKTA_VERIFY_PUSH" outcome.result=FAILURE legacyEventType="core.user.factor.attempt_fail" "target{}.detailEntry.methodTypeUsed"="Get @@ -28,30 +27,22 @@ known_false_positives: False positives may be present. Tune Okta and tune the an is complete. references: - https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock +rba: + message: $user$ account has rejected multiple Okta pushes. + risk_objects: + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Suspicious Okta Activity - Okta MFA Exhaustion asset_type: Infrastructure - confidence: 80 - impact: 80 - message: $user$ account has rejected multiple Okta pushes. mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - src_ip - - eventType - - status - risk_score: 64 security_domain: access 
diff --git a/detections/deprecated/osquery_pack___coldroot_detection.yml b/detections/deprecated/osquery_pack___coldroot_detection.yml index b135fd565c..369173b8fd 100644 --- a/detections/deprecated/osquery_pack___coldroot_detection.yml +++ b/detections/deprecated/osquery_pack___coldroot_detection.yml @@ -1,7 +1,7 @@ name: Osquery pack - ColdRoot detection id: a6fffe5e-05c3-4c04-badc-887607fbb8dc -version: 3 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: TTP 
@@ -11,33 +11,29 @@ search: '| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_ OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`' how_to_implement: In order to properly run this search, Splunk needs to ingest data - from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) + from your osquery deployed agents with the + [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model known_false_positives: There are no known false positives. references: [] +rba: + message: Potential ColdRoot detection on $host$ + risk_objects: + - field: host + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - ColdRoot MacOS RAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: host - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/password_policy_discovery_with_net.yml b/detections/deprecated/password_policy_discovery_with_net.yml new file mode 100644 index 0000000000..0656e661c8 --- /dev/null +++ b/detections/deprecated/password_policy_discovery_with_net.yml 
@@ -0,0 +1,57 @@ +name: Password Policy Discovery with Net +id: 09336538-065a-11ec-8665-acde48001122 +version: 7 +date: '2025-01-24' +author: Teoderick Contreras, Mauricio Velazco, Splunk +status: deprecated +type: Hunting +description: The following analytic has been deprecated. + The following analytic identifies the execution of `net.exe` or `net1.exe` + with command line arguments aimed at obtaining the domain password policy. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to gather information about Active Directory + password policies. If confirmed malicious, this behavior could allow attackers to + understand password complexity requirements, aiding in brute-force or password-guessing + attacks, ultimately compromising user accounts and gaining unauthorized access to + the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process + = "*accounts*" AND Processes.process = "*/domain*" by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. 
+ Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + mitre_attack_id: + - T1201 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/processes_created_by_netsh.yml b/detections/deprecated/processes_created_by_netsh.yml index c5a02ce2ee..cb947299d8 100644 --- a/detections/deprecated/processes_created_by_netsh.yml +++ b/detections/deprecated/processes_created_by_netsh.yml @@ -1,7 +1,7 @@ name: Processes created by netsh id: b89919ed-fe5f-492c-b139-95dbb162041e -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP 
@@ -33,29 +33,24 @@ known_false_positives: It is unusual for netsh.exe to have any child processes i the process spawned is legitimate. We explicitely exclude "C:\Program Files\rempl\sedlauncher.exe" process path since it is a legitimate process by Mircosoft. references: [] +rba: + message: Proccesses created by netsh.exe on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Netsh Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1562.004 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/prohibited_software_on_endpoint.yml b/detections/deprecated/prohibited_software_on_endpoint.yml index 03473629ef..243c1c8374 100644 --- a/detections/deprecated/prohibited_software_on_endpoint.yml +++ b/detections/deprecated/prohibited_software_on_endpoint.yml @@ -1,7 +1,7 @@ name: Prohibited Software On Endpoint id: a51bfe1a-94f0-48cc-b4e4-b6ae50145893 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Hunting @@ -30,23 +30,8 @@ tags: - Emotet Malware DHS Report TA18-201A - SamSam Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _times - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml index 085db48699..b003f3bd58 100644 
--- a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml +++ b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml @@ -1,7 +1,7 @@ name: Reg exe used to hide files directories via registry keys id: 61a7d1e6-f5d4-41d9-a9be-39a1ffe69459 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP @@ -26,31 +26,26 @@ how_to_implement: The detection is based on data that originates from Endpoint D names and speed up the data modeling process. known_false_positives: None at the moment references: [] +rba: + message: Reg.exe used to hide a file or directory on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: asset_type: Endpoint analytic_story: - Windows Defense Evasion Tactics - Suspicious Windows Registry Activities - Windows Persistence Techniques - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1564.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/remote_registry_key_modifications.yml b/detections/deprecated/remote_registry_key_modifications.yml index 9bd274acf5..71f902a8ad 100644 --- a/detections/deprecated/remote_registry_key_modifications.yml +++ b/detections/deprecated/remote_registry_key_modifications.yml @@ -1,7 +1,7 @@ name: Remote Registry Key modifications id: c9f4b923-f8af-4155-b697-1354f5dcbc5e -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP 
@@ -21,29 +21,24 @@ how_to_implement: To successfully implement this search, you must populate the ` known_false_positives: This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out. references: [] +rba: + message: Registry remotely modified on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Suspicious Windows Registry Activities - Windows Persistence Techniques asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/deprecated/remote_system_discovery_with_net.yml similarity index 65% rename from detections/endpoint/remote_system_discovery_with_net.yml rename to detections/deprecated/remote_system_discovery_with_net.yml index ba54daf19a..2377264b52 100644 --- a/detections/endpoint/remote_system_discovery_with_net.yml +++ b/detections/deprecated/remote_system_discovery_with_net.yml 
@@ -1,11 +1,11 @@ name: Remote System Discovery with Net id: 9df16706-04a2-41e2-bbfe-9b38b34409d3 -version: 4 -date: '2024-11-26' +version: 5 +date: '2025-01-13' author: Mauricio Velazco, Splunk -status: production +status: deprecated type: Hunting -description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment. +description: The following analytic has been deprecated in favour of two dedicated analytics "4dc3951f-b3f8-4f46-b412-76a483f72277" and "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a" .The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -21,33 +21,12 @@ tags: - Active Directory Discovery - IcedID asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml index 5733207051..0197ba45a3 100644 --- a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml +++ b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml @@ -1,7 +1,7 @@ name: Scheduled tasks used in BadRabbit ransomware id: 1297fb80-f42a-4b4a-9c8b-78c066437cf6 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: TTP 
@@ -13,8 +13,8 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= - "*delete*") by Processes.parent_process Processes.process_name Processes.user Processes.dest | - `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + "*delete*") by Processes.parent_process Processes.process_name Processes.user Processes.dest + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -27,29 +27,25 @@ how_to_implement: The detection is based on data that originates from Endpoint D names and speed up the data modeling process. known_false_positives: No known false positives references: [] +rba: + message: Tasks being scheduled with names indicative of BadRabbit ransomware on + $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1053.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint 
diff --git a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml index 5a50ca1bbf..1f4a043402 100644 --- a/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml +++ b/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml @@ -1,7 +1,7 @@ name: Spectre and Meltdown Vulnerable Systems id: 354be8e0-32cd-4da0-8c47-796de13b60ea -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: TTP @@ -18,25 +18,21 @@ how_to_implement: The search requires that you are ingesting your vulnerability- known_false_positives: It is possible that your vulnerability scanner is not detecting that the patches have been applied. references: [] +rba: + message: $dest$ enumerated as a Spectre or Meltdown vulnerable system + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Spectre And Meltdown Vulnerabilities asset_type: Endpoint - confidence: 50 cve: - CVE-2017-5753 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml index e18aeb3d9e..e9438be5a1 100644 --- a/detections/deprecated/suspicious_changes_to_file_associations.yml +++ b/detections/deprecated/suspicious_changes_to_file_associations.yml @@ -1,7 +1,7 @@ name: Suspicious Changes to File Associations id: 1b989a0e-0129-4446-a695-f193a5b746fc -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: TTP 
@@ -32,26 +32,22 @@ known_false_positives: There may be other processes in your environment that use may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions. references: [] +rba: + message: Suspicious changes to file association on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious Windows Registry Activities - Windows File Extension and Association Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1546.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/suspicious_email___uba_anomaly.yml b/detections/deprecated/suspicious_email___uba_anomaly.yml index 95611cc4b1..0e3a3f31d6 100644 --- a/detections/deprecated/suspicious_email___uba_anomaly.yml +++ b/detections/deprecated/suspicious_email___uba_anomaly.yml @@ -1,7 +1,7 @@ name: Suspicious Email - UBA Anomaly id: 56e877a6-1455-4479-ad16-0550dc1e33f8 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Bhavin Patel, Splunk status: deprecated type: Anomaly 
@@ -25,25 +25,21 @@ known_false_positives: This detection model will alert on any sender domain that is to investigate and add the URL to an allow list if you determine that it is a legitimate sender. references: [] +rba: + message: Suspicious Email as detected by UBA for $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious Emails asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1566 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/suspicious_file_write.yml b/detections/deprecated/suspicious_file_write.yml index 52be4ad801..8630632e57 100644 --- a/detections/deprecated/suspicious_file_write.yml +++ b/detections/deprecated/suspicious_file_write.yml @@ -1,7 +1,7 @@ name: Suspicious File Write id: 57f76b8a-32f0-42ed-b358-d9fa3ca7bac8 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: Hunting @@ -33,19 +33,8 @@ tags: analytic_story: - Hidden Cobra Malware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/suspicious_powershell_command_line_arguments.yml b/detections/deprecated/suspicious_powershell_command_line_arguments.yml index 29dc289399..b2efc4ee51 100644 --- a/detections/deprecated/suspicious_powershell_command_line_arguments.yml +++ b/detections/deprecated/suspicious_powershell_command_line_arguments.yml 
@@ -1,7 +1,7 @@ name: Suspicious Powershell Command-Line Arguments id: 2cdb91d2-542c-497f-b252-be495e71f38c -version: 8 -date: '2024-10-17' +version: 9 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: TTP @@ -32,31 +32,26 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Legitimate process can have this combination of command-line options, but it's not common. references: [] +rba: + message: Suspicious Powershell Command Line Arguments observed on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Hermetic Wiper - CISA AA22-320A asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/suspicious_rundll32_rename.yml b/detections/deprecated/suspicious_rundll32_rename.yml index 0be18969d9..48fdc6b2d5 100644 --- a/detections/deprecated/suspicious_rundll32_rename.yml +++ b/detections/deprecated/suspicious_rundll32_rename.yml @@ -1,7 +1,7 @@ name: Suspicious Rundll32 Rename id: 7360137f-abad-473e-8189-acbdaa34d114 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-14' author: Michael Haag, Splunk status: deprecated type: Hunting 
@@ -39,39 +39,13 @@ tags: - Suspicious Rundll32 Activity - Masquerading - Rename System Utilities asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious renamed rundll32.exe binary ran on $dest$ by $user$ mitre_attack_id: - T1218 - T1036 - T1218.011 - T1036.003 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: User - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint diff --git a/detections/deprecated/suspicious_writes_to_system_volume_information.yml b/detections/deprecated/suspicious_writes_to_system_volume_information.yml index 9db993173f..866160575b 100644 --- a/detections/deprecated/suspicious_writes_to_system_volume_information.yml +++ b/detections/deprecated/suspicious_writes_to_system_volume_information.yml @@ -1,7 +1,7 @@ name: Suspicious writes to System Volume Information id: cd6297cd-2bdd-4aa1-84aa-5d2f84228fac -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: Hunting 
@@ -9,10 +9,10 @@ description: This search detects writes to the 'System Volume Information' folde by something other than the System process. data_source: - Sysmon EventID 1 -search: '(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume +search: (`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `suspicious_writes_to_system_volume_information_filter`' + | `suspicious_writes_to_system_volume_information_filter` how_to_implement: You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -24,21 +24,10 @@ tags: analytic_story: - Collection and Staging asset_type: Windows - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1036 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/uncommon_processes_on_endpoint.yml b/detections/deprecated/uncommon_processes_on_endpoint.yml index cd005e9758..e0378b0e1f 100644 --- a/detections/deprecated/uncommon_processes_on_endpoint.yml +++ b/detections/deprecated/uncommon_processes_on_endpoint.yml @@ -1,7 +1,7 @@ name: Uncommon Processes On Endpoint id: 29ccce64-a10c-4389-a45f-337cb29ba1f7 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Hunting 
@@ -30,21 +30,10 @@ tags: - Unusual Processes - Hermetic Wiper asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1204.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml index abad39d5ec..db021a2bf3 100644 --- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml +++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml @@ -1,7 +1,7 @@ name: Unsigned Image Loaded by LSASS id: 56ef054c-76ef-45f9-af4a-a634695dcd65 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Patrick Bareiss, Splunk status: deprecated type: TTP @@ -10,9 +10,8 @@ description: This search detects loading of unsigned images by LSASS. Deprecated data_source: - Sysmon EventID 7 search: '`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) - as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `unsigned_image_loaded_by_lsass_filter`' + as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | + `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter`' how_to_implement: This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations 
@@ -23,25 +22,21 @@ known_false_positives: Other tools could load images into LSASS for legitimate r But enterprise tools should always use signed DLLs. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf +rba: + message: Unsigned image loaded by LSASS on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Credential Dumping asset_type: Windows - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1003.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/unsuccessful_netbackup_backups.yml b/detections/deprecated/unsuccessful_netbackup_backups.yml index 2a8da81803..3e8fc0b5af 100644 --- a/detections/deprecated/unsuccessful_netbackup_backups.yml +++ b/detections/deprecated/unsuccessful_netbackup_backups.yml @@ -1,7 +1,7 @@ name: Unsuccessful Netbackup backups id: a34aae96-ccf8-4aaa-952c-3ea21444444f -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: David Dorsey, Splunk status: deprecated type: Hunting @@ -22,19 +22,8 @@ tags: analytic_story: - Monitor Backup Solution asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/web_fraud___account_harvesting.yml b/detections/deprecated/web_fraud___account_harvesting.yml index ff403542db..4fb3b3b784 100644 --- a/detections/deprecated/web_fraud___account_harvesting.yml +++ b/detections/deprecated/web_fraud___account_harvesting.yml 
@@ -1,7 +1,7 @@ name: Web Fraud - Account Harvesting id: bf1d7b5c-df2f-4249-a401-c09fdc221ddf -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Jim Apger, Splunk status: deprecated type: TTP @@ -35,28 +35,21 @@ known_false_positives: As is common with many fraud-related searches, we are usu references: - https://splunkbase.splunk.com/app/2734/ - https://splunkbase.splunk.com/app/1809/ +rba: + message: Multiple user accounts using the same email domain + risk_objects: + - field: src_user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Web Fraud Detection asset_type: Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1136 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_content_type - - uri - - cookie - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml index 2708e005f0..518a5be28e 100644 --- a/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml +++ b/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml @@ -1,7 +1,7 @@ name: Web Fraud - Anomalous User Clickspeed id: 31337bbb-bc22-4752-b599-ef192df2dc7a -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Jim Apger, Splunk status: deprecated type: Anomaly 
@@ -31,27 +31,21 @@ references: - https://en.wikipedia.org/wiki/Session_(computer_science) - https://en.wikipedia.org/wiki/HTTP_cookie - https://splunkbase.splunk.com/app/1809/ +rba: + message: Web sessions exhibiting unauthentic characteristics + risk_objects: + - field: session_id + type: other + score: 25 + threat_objects: [] tags: analytic_story: - Web Fraud Detection asset_type: Account - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1078 - observable: - - name: session_id - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_content_type - - cookie - risk_score: 25 security_domain: threat diff --git a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml index 2d09283498..48c9b3908c 100644 --- a/detections/deprecated/web_fraud___password_sharing_across_accounts.yml +++ b/detections/deprecated/web_fraud___password_sharing_across_accounts.yml @@ -1,7 +1,7 @@ name: Web Fraud - Password Sharing Across Accounts id: 31337a1a-53b9-4e05-96e9-55c934cb71d3 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Jim Apger, Splunk status: deprecated type: Anomaly @@ -26,25 +26,19 @@ references: - https://en.wikipedia.org/wiki/Session_(computer_science) - https://en.wikipedia.org/wiki/HTTP_cookie - https://splunkbase.splunk.com/app/1809/ +rba: + message: Password sharing across accounts + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Web Fraud Detection asset_type: Account - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_content_type - - uri - risk_score: 25 security_domain: threat 
diff --git a/detections/deprecated/windows_command_shell_fetch_env_variables.yml b/detections/deprecated/windows_command_shell_fetch_env_variables.yml new file mode 100644 index 0000000000..90618ba3e5 --- /dev/null +++ b/detections/deprecated/windows_command_shell_fetch_env_variables.yml 
@@ -0,0 +1,81 @@ +name: Windows Command Shell Fetch Env Variables +id: 048839e4-1eaa-43ff-8a22-86d17f6fcc13 +version: 5 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic identifies a suspicious process command line fetching + environment variables with a non-shell parent process. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions and parent + process names. This activity is significant as it is commonly associated with malware + like Qakbot, which uses this technique to gather system information. If confirmed + malicious, this behavior could indicate that the parent process has been compromised, + potentially allowing attackers to execute arbitrary commands, escalate privileges, + or persist within the environment. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*cmd /c + set" OR Processes.process = "*cmd.exe /c set" AND NOT (Processes.parent_process_name + = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" + OR Processes.parent_process_name = "explorer.exe") by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: shell process that are not included in this search may cause + False positive. Filter is needed. +references: +- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: non-shell parent process has a child process $process_name$ with a commandline + $process$ to fetch env variables on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] +tags: + analytic_story: + - Qakbot + asset_type: Endpoint + mitre_attack_id: + - T1055 + 
product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml index 97ce18f097..2718083864 100644 --- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml +++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml @@ -1,15 +1,15 @@ name: Windows connhost exe started forcefully id: c114aaca-68ee-41c2-ad8c-32bf21db8769 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Rod Soto, Jose Hernandez, Splunk status: deprecated type: TTP -description: 'The search looks for the Console Window Host process (connhost.exe) - executed using the force flag -ForceV1. This is not regular behavior in the Windows - OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually +description: The search looks for the Console Window Host process (connhost.exe) executed + using the force flag -ForceV1. This is not regular behavior in the Windows OS and + is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized - this is not specific to Ryuk.' + this is not specific to Ryuk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) 
@@ -29,25 +29,21 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: This process should not be ran forcefully, we have not see any false positives for this detection references: [] +rba: + message: Potentially suspicious connhost.exe behavior on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ryuk Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1059.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml index 659b65928e..38d777ae9a 100644 --- a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml +++ b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml @@ -1,7 +1,7 @@ name: Windows DLL Search Order Hijacking Hunt id: 79c7d0fc-60c7-41be-a616-ccda752efe89 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-14' author: Michael Haag, Splunk status: deprecated type: Hunting 
@@ -27,7 +27,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary - = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`' + = True | rename parent_process_name as process_name , process_name AS ImageLoaded, + process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -46,38 +47,18 @@ tags: - Living Off The Land - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 10 - impact: 10 - message: Potential Windows DLL Search Order Hijacking detected on $dest$ mitre_attack_id: - T1574.001 - T1574 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process_path - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/deprecated/windows_hosts_file_modification.yml b/detections/deprecated/windows_hosts_file_modification.yml index 5a02313c4d..0c7453eab3 100644 --- a/detections/deprecated/windows_hosts_file_modification.yml +++ b/detections/deprecated/windows_hosts_file_modification.yml @@ -1,7 +1,7 @@ name: Windows hosts file modification id: 06a6fc63-a72d-41dc-8736-7e3dd9612116 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-14' author: Rico Valdez, Splunk status: deprecated type: TTP 
@@ -23,23 +23,19 @@ how_to_implement: To successfully implement this search, you must be ingesting d known_false_positives: There may be legitimate reasons for system administrators to add entries to this file. references: [] +rba: + message: Host file modified on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Host Redirection asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/deprecated/windows_lateral_tool_transfer_remcom.yml b/detections/deprecated/windows_lateral_tool_transfer_remcom.yml index 167e76f761..47789c6b30 100644 --- a/detections/deprecated/windows_lateral_tool_transfer_remcom.yml +++ b/detections/deprecated/windows_lateral_tool_transfer_remcom.yml @@ -1,6 +1,6 @@ name: Windows Lateral Tool Transfer RemCom id: e373a840-5bdc-47ef-b2fd-9cc7aaf387f0 -version: 5 +version: 6 date: '2024-12-10' author: Michael Haag, Splunk type: TTP 
@@ -9,10 +9,33 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: NOTE - This search is deprecated in favor of `Windows Service Execution RemCom` as the latter is a more accurate name for the detection. The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on Administrative use. Filter as needed. +description: NOTE - This search is deprecated in favor of `Windows Service Execution + RemCom` as the latter is a more accurate name for the detection. The following analytic + identifies the execution of RemCom.exe, an open-source alternative to PsExec, used + for lateral movement and remote command execution. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, original file names, + and command-line arguments. This activity is significant as it indicates potential + lateral movement within the network. If confirmed malicious, this could allow an + attacker to execute commands remotely, potentially leading to further compromise + and control over additional systems within the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe + OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process + IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on Administrative use. + Filter as needed. references: - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - https://github.com/kavika13/RemCom 
@@ -22,57 +45,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to move laterally. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally. 
mitre_attack_id: - T1570 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/deprecated/windows_modify_registry_reg_restore.yml b/detections/deprecated/windows_modify_registry_reg_restore.yml new file mode 100644 index 0000000000..f63d1b0214 --- /dev/null +++ b/detections/deprecated/windows_modify_registry_reg_restore.yml 
@@ -0,0 +1,60 @@ +name: Windows Modify Registry Reg Restore +id: d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e +version: 5 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: Hunting +description: The following analytic has been deprecated. + The following analytic detects the execution of reg.exe with the "restore" + parameter, indicating an attempt to restore registry backup data on a host. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs and command-line arguments. This activity is significant + as it may indicate post-exploitation actions, such as those performed by tools like + winpeas, which use "reg save" and "reg restore" to manipulate registry settings. + If confirmed malicious, this could allow an attacker to revert registry changes, + potentially bypassing security controls and maintaining persistence. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process + = "* restore *" by Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process + Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. 
+ Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to backup registry + before updates or modifying critical registries. +references: +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser +- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS +- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +tags: + analytic_story: + - Windows Post-Exploitation + - Prestige Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1012 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/windows_msiexec_with_network_connections.yml b/detections/deprecated/windows_msiexec_with_network_connections.yml new file mode 100644 index 0000000000..5c17518468 --- /dev/null +++ b/detections/deprecated/windows_msiexec_with_network_connections.yml 
@@ -0,0 +1,87 @@ +name: Windows MSIExec With Network Connections +id: 827409a1-5393-4d8d-8da4-bbb297c262a7 +version: 7 +date: '2025-01-24' +author: Michael Haag, Splunk +status: deprecated +type: TTP +description: The following analytic has been deprecated. + The following analytic detects MSIExec making network connections over + ports 443 or 80. This behavior is identified by correlating process creation events + from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, + MSIExec does not perform network communication to the internet, making this activity + unusual and potentially indicative of malicious behavior. If confirmed malicious, + an attacker could be using MSIExec to download or communicate with external servers, + potentially leading to data exfiltration, command and control (C2) communication, + or further malware deployment. +data_source: +- Sysmon EventID 1 AND Sysmon EventID 3 +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest + All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] + | table _time user dest parent_process_name process_name process_path process process_id + dest_port dest_ip | `windows_msiexec_with_network_connections_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present and filtering is required. +references: +- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ contacting + a remote destination $dest_ip$ + risk_objects: + - field: user + type: user + score: 35 + - 
field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - Windows System Binary Proxy Execution MSIExec + asset_type: Endpoint + mitre_attack_id: + - T1218.007 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/windows_network_share_interaction_with_net.yml b/detections/deprecated/windows_network_share_interaction_with_net.yml new file mode 100644 index 0000000000..fea71519c1 --- /dev/null +++ b/detections/deprecated/windows_network_share_interaction_with_net.yml 
@@ -0,0 +1,80 @@ +name: Windows Network Share Interaction With Net +id: 4dc3951f-b3f8-4f46-b412-76a483f72277 +version: 6 +date: '2025-01-24' +author: Dean Luxton +status: deprecated +type: TTP +data_source: +- Sysmon EventID 1 +description: The following analytic has been deprecated. + This analytic detects network share discovery and collection activities + performed on Windows systems using the Net command. Attackers often use network + share discovery to identify accessible shared resources within a network, which + can be a precursor to privilege escalation or data exfiltration. By monitoring Windows + Event Logs for the usage of the Net command to list and interact with network shares, + this detection helps identify potential reconnaissance and collection activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) + as user_bunit FROM datamodel=Endpoint.Processes WHERE `process_net` BY Processes.user + Processes.dest Processes.process_exec Processes.parent_process_exec Processes.process + Processes.parent_process | `drop_dm_object_name(Processes)` | regex process="net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s" + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_with_net_filter`' +how_to_implement: The detection is based on data originating from either Endpoint + Detection and Response (EDR) telemetry or EventCode 4688 with process command line + logging enabled. These sources provide security-related telemetry from the endpoints. + To implement this search, you must ingest logs that contain the process name, parent + process, and complete command-line executions. These logs must be mapped to the + Splunk Common Information Model (CIM) to normalize the field names capture the data + within the datamodel schema. 
+known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1135/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: User $user$ leveraged net.exe on $dest$ to interact with network shares, + executed by parent process $parent_process$ + risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: [] +tags: + analytic_story: + - Active Directory Discovery + - Active Directory Privilege Escalation + - Network Discovery + asset_type: Endpoint + atomic_guid: + - ab39a04f-0c93-4540-9ff2-83f862c385ae + mitre_attack_id: + - T1135 + - T1039 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
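Review bot: `data_source` in the new `windows_network_share_interaction_with_net.yml` lists only `Sysmon EventID 1`, while `how_to_implement` says the search runs on "either Endpoint Detection and Response (EDR) telemetry or EventCode 4688"; either add `Windows Event Log Security 4688` (and the EDR source) to `data_source` or drop the 4688 claim so the two fields agree. The same paragraph is missing a conjunction: "normalize the field names capture the data" should read "normalize the field names and capture the data". The deprecation sentence also names no successor analytic; the `winword_*` deprecations in this change point readers at the replacement, and this file should do the same, or say plainly that coverage is retired.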
diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/deprecated/windows_office_product_spawning_msdt.yml similarity index 83% rename from detections/endpoint/windows_office_product_spawning_msdt.yml rename to detections/deprecated/windows_office_product_spawning_msdt.yml index d8c51b1823..cfdabb0241 100644 --- a/detections/endpoint/windows_office_product_spawning_msdt.yml +++ b/detections/deprecated/windows_office_product_spawning_msdt.yml @@ -1,11 +1,12 @@ name: Windows Office Product Spawning MSDT id: 127eba64-c981-40bf-8589-1830638864a7 -version: '8' -date: '2024-11-28' +version: 10 +date: '2025-01-24' author: Michael Haag, Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects a Microsoft Office product spawning the +description: The following analytic has been deprecated. + The following analytic detects a Microsoft Office product spawning the Windows msdt.exe process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt 
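Review bot: the new `description` opens with "The following analytic has been deprecated." immediately followed by "The following analytic detects a Microsoft Office product spawning the …", which reads as two competing openings and names no replacement; reword to "This analytic has been deprecated in favour of <successor>. It detected …" as the `winword_spawning_cmd.yml` hunk in this change does. `version` also jumps from `'8'` to `10` without a 9 in between; confirm the skipped number is intentional.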
@@ -56,56 +57,36 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ has spawned a child process $process_name$ + on host $dest$. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 asset_type: Endpoint - confidence: 100 cve: - CVE-2022-30190 - impact: 100 - message: Office parent process $parent_process_name$ has spawned a child process - $process_name$ on host $dest$. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test @@ -113,4 +94,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
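Review bot: the new `rba.message` drops the word "parent" from the old `message`: "Office parent process $parent_process_name$ has spawned a child process $process_name$" became "Office process $parent_process_name$ has spawned a child process $process_name$", which no longer makes clear that `$parent_process_name$` is the parent. Keep "parent" in the new `rba.message`. The rest of the hunk (moving `confidence`/`impact`/`observable`/`required_fields`/`risk_score` into `rba`) is consistent with the other migrated files.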
diff --git a/detections/deprecated/windows_query_registry_reg_save.yml b/detections/deprecated/windows_query_registry_reg_save.yml new file mode 100644 index 0000000000..291c0cf7a0 --- /dev/null +++ b/detections/deprecated/windows_query_registry_reg_save.yml 
@@ -0,0 +1,60 @@ +name: Windows Query Registry Reg Save +id: cbee60c1-b776-456f-83c2-faa56bdbe6c6 +version: 6 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: Hunting +description: The following analytic has been deprecated. + The following analytic detects the execution of the reg.exe process with + the "save" parameter. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant because threat actors often use the "reg save" command + to dump credentials or test registry modification capabilities on compromised hosts. + If confirmed malicious, this behavior could allow attackers to escalate privileges, + persist in the environment, or access sensitive information stored in the registry. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process + = "* save *" by Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process + Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to backup registry + before updates or modifying critical registries. +references: +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser +- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS +- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +tags: + analytic_story: + - Windows Post-Exploitation + - CISA AA23-347A + - Prestige Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1012 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/windows_service_stop_via_net__and_sc_application.yml b/detections/deprecated/windows_service_stop_via_net__and_sc_application.yml new file mode 100644 index 0000000000..00ff416650 --- /dev/null +++ b/detections/deprecated/windows_service_stop_via_net__and_sc_application.yml 
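Review bot: in the new `windows_query_registry_reg_save.yml`, the first entry under `references`, `https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser`, documents the `quser` command and has nothing to do with `reg save`; replace it with the `reg` command reference or remove it. `known_false_positives` also needs capitalisation and grammar: "network administrator can use this command tool to backup registry before updates or modifying critical registries" should read "Network administrators can use this tool to back up the registry before updates or before modifying critical keys." As with the other deprecations, the `description` should name the analytic that supersedes this one.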
@@ -0,0 +1,79 @@ +name: Windows Service Stop Via Net and SC Application +id: 827af04b-0d08-479b-9b84-b7d4644e4b80 +version: 5 +date: '2025-01-24' +author: Teoderick Contreras, Splunk +status: deprecated +type: Anomaly +description: The following analytic has been deprecated. + The following analytic identifies attempts to stop services on a system + using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, GUIDs, and command-line executions. This + activity is significant as adversaries often terminate security or critical services + to evade detection and further their objectives. If confirmed malicious, this behavior + could allow attackers to disable security defenses, facilitate ransomware encryption, + or disrupt essential services, leading to potential data loss or system compromise. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name + = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" + by Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Windows OS or software may stop and restart services due to + some critical update. +references: +- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: $process$ was executed on $dest$ attempting to stop service. 
+ risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] +tags: + analytic_story: + - Prestige Ransomware + - Graceful Wipe Out Attack + asset_type: Endpoint + mitre_attack_id: + - T1489 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/deprecated/windows_valid_account_with_never_expires_password.yml similarity index 84% rename from detections/endpoint/windows_valid_account_with_never_expires_password.yml rename to detections/deprecated/windows_valid_account_with_never_expires_password.yml index a885aaf1ba..01b416d1d5 100644 --- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml +++ b/detections/deprecated/windows_valid_account_with_never_expires_password.yml @@ -1,11 +1,12 @@ name: Windows Valid Account With Never Expires Password id: 73a931db-1830-48b3-8296-cd9cfa09c3c8 -version: '4' -date: '2024-11-28' +version: 6 +date: '2025-01-24' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects the use of net.exe to update user account +description: The following analytic has been deprecated. + The following analytic detects the use of net.exe to update user account policies to set passwords as non-expiring. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "/maxpwage:unlimited". This activity is significant as it can indicate an attempt to maintain persistence, 
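Review bot: the `where` clause in `windows_service_stop_via_net__and_sc_application.yml` mixes `OR` and `AND` without parentheses: `` `process_net` OR Processes.process_name = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" ``. `AND` binds tighter than `OR` in SPL, so the `*stop*` constraint applies only to the `original_file_name` branch and every `net.exe` execution, and every `sc.exe` matched by `process_name`, is returned regardless of its arguments. Group the process terms: `` (`process_net` OR Processes.process_name="sc.exe" OR Processes.original_file_name="sc.exe") AND Processes.process="*stop*" ``. The `rba.message` also needs an article: "attempting to stop a service."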
@@ -52,45 +53,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ attempting to make non-expiring password on host user accounts. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Azorult - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ attempting to make non-expiring password on host user accounts. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/deprecated/winword_spawning_cmd.yml similarity index 84% rename from detections/endpoint/winword_spawning_cmd.yml rename to detections/deprecated/winword_spawning_cmd.yml index 0379596615..5760517a84 100644 --- a/detections/endpoint/winword_spawning_cmd.yml +++ b/detections/deprecated/winword_spawning_cmd.yml 
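Review bot: `mitre_attack_id` in `windows_valid_account_with_never_expires_password.yml` keeps `T1489` (Service Stop) for a detection whose `description` is about `net.exe` setting `/maxpwage:unlimited`; that is account manipulation, not service stopping, so the mapping should be revisited (T1098, Account Manipulation, fits the described behaviour). The new `rba.message` also reads awkwardly: "attempting to make non-expiring password on host user accounts" should be "attempting to set a non-expiring password on local user accounts".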
@@ -1,11 +1,12 @@ name: Winword Spawning Cmd id: 6fcbaedc-a37b-11eb-956b-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Word (winword.exe) +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where Microsoft Word (winword.exe) spawns the command prompt (cmd.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and @@ -50,6 +51,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: '$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ + which is very common in spearphishing attacks.' + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments 
@@ -57,44 +71,13 @@ tags: - CVE-2023-21716 Word RTF Heap Corruption - DarkCrystal RAT asset_type: Endpoint - confidence: 100 - impact: 70 - message: '$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ - which is very common in spearphishing attacks.' mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/deprecated/winword_spawning_powershell.yml similarity index 85% rename from detections/endpoint/winword_spawning_powershell.yml rename to detections/deprecated/winword_spawning_powershell.yml index 001d2338b3..b2e102dc75 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/deprecated/winword_spawning_powershell.yml 
@@ -1,11 +1,12 @@ name: Winword Spawning PowerShell id: b2c950b8-9be2-11eb-8658-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Word (winword.exe) +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where Microsoft Word (winword.exe) spawns a PowerShell process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and @@ -53,6 +54,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: '$parent_process_name$ on $dest$ by $user$ launched the following powershell + process: $process_name$ which is very common in spearphishing attacks' + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments 
@@ -60,44 +74,13 @@ tags: - CVE-2023-21716 Word RTF Heap Corruption - DarkCrystal RAT asset_type: Endpoint - confidence: 100 - impact: 70 - message: '$parent_process_name$ on $dest$ by $user$ launched the following powershell - process: $process_name$ which is very common in spearphishing attacks' mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/deprecated/winword_spawning_windows_script_host.yml similarity index 88% rename from detections/endpoint/winword_spawning_windows_script_host.yml rename to detections/deprecated/winword_spawning_windows_script_host.yml index 6ac533acc8..16ee7d84c1 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/deprecated/winword_spawning_windows_script_host.yml 
@@ -1,11 +1,12 @@ name: Winword Spawning Windows Script Host id: 637e1b5c-9be1-11eb-9c32-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Winword.exe +description: The following analytic has been deprecated in favour of a more generic approach. + The following analytic identifies instances where Microsoft Winword.exe spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is Winword.exe. This activity is significant @@ -50,44 +51,31 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host - CVE-2023-21716 Word RTF Heap Corruption asset_type: Endpoint - confidence: 100 - impact: 70 - message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - process_id - - parent_process_name - - dest - - user - - parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test 
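Review bot: the deprecation sentence in `winword_spawning_windows_script_host.yml` says only "deprecated in favour of a more generic approach." while the sibling `winword_spawning_cmd.yml` and `winword_spawning_powershell.yml` hunks name the successor, "Windows Office Product Spawned Uncommon Process"; name it here as well so operators can see where the coverage moved. The new `rba.message`, "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", could also carry `$process_name$` so the alert says which host binary (cscript.exe or wscript.exe) was launched.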
diff --git a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml index 5e52b02525..a99649df6a 100644 --- a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml +++ b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml 
@@ -1,55 +1,61 @@ name: 3CX Supply Chain Attack Network Indicators id: 791b727c-deec-4fbe-a732-756131b3c5a1 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: experimental data_source: - Sysmon EventID 22 -description: The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches. -search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed. -known_false_positives: False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed. +description: The following analytic identifies DNS queries to domains associated with + the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect + these suspicious domain indicators. 
This activity is significant because it can + indicate a potential compromise stemming from the 3CX supply chain attack, which + is known for distributing malicious software through trusted updates. If confirmed + malicious, this activity could allow attackers to establish a foothold in the network, + exfiltrate sensitive data, or further propagate malware, leading to extensive damage + and data breaches. +search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) + as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup + 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm + the latest CIM App 4.20 or higher is installed and the latest TA''s are installed. +known_false_positives: False positives will be present for accessing the 3cx[.]com + website. Remove from the lookup as needed. references: - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898 - https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/ +rba: + message: Indicators related to 3CX supply chain attack have been identified on $src$. 
+ risk_objects: + - field: src + type: system + score: 100 + threat_objects: + - field: query + type: domain tags: analytic_story: - 3CX Supply Chain Attack asset_type: Network - confidence: 100 cve: - CVE-2023-29059 - impact: 100 - message: Indicators related to 3CX supply chain attack have been identified on $src$. mitre_attack_id: - T1195.002 - observable: - - name: src - type: Hostname - role: - - Victim - - name: query - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - DNS.src - - DNS.query - - _time - risk_score: 100 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml index 008d8b7081..01c78be576 100644 --- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml +++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml 
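Review bot: the `search` in `3cx_supply_chain_attack_network_indicators.yml` calls `` `security_content_ctime(lastTime)` `` but the `tstats` command only computes `values(DNS.answer) as IPs min(_time) as firstTime`, so `lastTime` is never populated; add `max(_time) as lastTime` before `from datamodel=Network_Resolution` or drop that macro call. `how_to_implement` carries a doubled apostrophe, `TA''s`, which is literal text in an unquoted YAML scalar; write `TAs`. Both defects are carried over from the removed lines, and the hunk is otherwise a whitespace reflow of `description`, `search` and `how_to_implement` with a `version` bump from 3 to 4, so fixing them here is the cheapest point to do so.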
@@ -1,17 +1,39 @@ name: 7zip CommandLine To SMB Share Path id: 01d29b48-ff6f-11eb-b81e-acde48001123 -version: 4 -date: '2024-11-26' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks. +description: The following analytic detects the execution of 7z or 7za processes with + command lines pointing to SMB network shares. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line arguments. + This activity is significant as it may indicate an attempt to archive and exfiltrate + sensitive files to a network share, a technique observed in CONTI LEAK tools. If + confirmed malicious, this behavior could lead to data exfiltration, compromising + sensitive information and potentially aiding further attacks. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.process_name = "7zr.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe" OR Processes.original_file_name = "7zr.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" + OR Processes.process_name = "7za.exe" OR Processes.process_name = "7zr.exe" OR Processes.original_file_name + = "7z.exe" OR Processes.original_file_name = "7za.exe" OR Processes.original_file_name + = "7zr.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" + OR Processes.process="*\\IPC$\\*") by Processes.original_file_name Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id + Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://threadreaderapp.com/thread/1423361119926816776.html 
@@ -19,40 +41,18 @@ tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: archive process $process_name$ with suspicious cmdline $process$ in host $dest$ mitre_attack_id: - T1560.001 - T1560 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index 792b6405c1..ad6103c9b0 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml 
@@ -1,16 +1,31 @@ name: Access LSASS Memory for Dump Creation id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network. +description: The following analytic detects attempts to dump the LSASS process memory, + a common technique in credential dumping attacks. It leverages Sysmon logs, specifically + EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll + associated with lsass.exe. This activity is significant as it often precedes the + theft of sensitive login credentials, posing a high risk of unauthorized access + to systems and data. If confirmed malicious, attackers could gain access to critical + credentials, enabling further compromise and lateral movement within the network. data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`' -how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. 
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives: Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. +search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* + | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, + TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`' +how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which + includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. +known_false_positives: Administrators can create memory dumps for debugging purposes, + but memory dumps of the LSASS process would be unusual. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: 
@@ -19,47 +34,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $SourceImage$ injected into $TargetImage$ and was attempted dump + LSASS on $dest$. Adversaries tend to do this when trying to accesss credential + material stored in the process memory of the Local Security Authority Subsystem + Service (LSASS). + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: TargetImage + type: process tags: analytic_story: - CISA AA23-347A - Credential Dumping asset_type: Windows - confidence: 90 - impact: 70 - message: process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). 
mitre_attack_id: - T1003.001 - T1003 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: TargetImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetImage - - CallTrace - - dest - - TargetProcessId - - SourceImage - - SourceProcessId - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml deleted file mode 100644 index dd3ef42497..0000000000 --- a/detections/endpoint/account_discovery_with_net_app.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: Account Discovery With Net App -id: 339805ce-ac30-11eb-b87d-acde48001122 -version: 7 -date: '2024-09-30' -author: Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community -status: production -type: TTP -description: The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk. -data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="* user *" OR Processes.process="*config*" OR Processes.process="*view /all*") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Admin or power user may used this series of command. -references: -- https://labs.vipre.com/trickbot-and-its-modules/ -- https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ -- https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/ -drilldown_searches: -- name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -tags: - analytic_story: - - Trickbot - - IcedID - asset_type: Endpoint - confidence: 50 - impact: 10 - message: Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$. 
- mitre_attack_id: - - T1087.002 - - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 5 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml index dd1b694964..d5ec38e26e 100644 --- a/detections/endpoint/active_directory_lateral_movement_identified.yml +++ b/detections/endpoint/active_directory_lateral_movement_identified.yml 
@@ -1,15 +1,42 @@ name: Active Directory Lateral Movement Identified id: 6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Correlation data_source: [] -description: The following analytic identifies potential lateral movement activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`' -how_to_implement: 
Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -known_false_positives: False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. +description: The following analytic identifies potential lateral movement activities + within an organization's Active Directory (AD) environment. It detects this activity + by correlating multiple analytics from the Active Directory Lateral Movement analytic + story within a specified time frame. This is significant for a SOC as lateral movement + is a common tactic used by attackers to expand their access within a network, posing + a substantial risk. If confirmed malicious, this activity could allow attackers + to escalate privileges, access sensitive information, and persist within the environment, + leading to severe security breaches. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active + Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `active_directory_lateral_movement_identified_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased as + the analytic story includes over 30 analytics. In addition, based on false positives, + modify any analytics to be anomaly and lower or increase risk based on organization + importance. +known_false_positives: False positives will most likely be present based on risk scoring + and how the organization handles system to system communication. Filter, or modify + as needed. In addition to count by analytics, adding a risk score may be useful. + In our testing, with 22 events over 30 days, the risk scores ranged from 500 to + 80,000. Your organization will be different, monitor and modify as needed. 
references: - https://attack.mitre.org/tactics/TA0008/ - https://research.splunk.com/stories/active_directory_lateral_movement/ @@ -19,7 +46,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -27,34 +59,17 @@ tags: - Active Directory Lateral Movement asset_type: Endpoint atomic_guid: [] - confidence: 80 - impact: 80 - message: Activity related to lateral movement has been identified on $risk_object$. mitre_attack_id: - T1210 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Risk.calculated_risk_score - - All_Risk.annotations.mitre_attack.mitre_tactic_id - - All_Risk.annotations.mitre_attack.mitre_technique_id - - All_Risk.tag - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/adlm_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/adlm_risk.log source: adlm sourcetype: stash diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml index 8e6d7b4536..86ffe34cf6 100644 --- a/detections/endpoint/active_directory_privilege_escalation_identified.yml +++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml 
@@ -1,15 +1,42 @@ name: Active Directory Privilege Escalation Identified id: 583e8a68-f2f7-45be-8fc9-bf725f0e22fd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Correlation data_source: [] -description: The following analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | 
`active_directory_privilege_escalation_identified_filter`' -how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -known_false_positives: False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. +description: The following analytic identifies potential privilege escalation activities + within an organization's Active Directory (AD) environment. It detects this activity + by correlating multiple analytics from the Active Directory Privilege Escalation + analytic story within a specified time frame. This is significant for a SOC as it + helps identify coordinated attempts to gain elevated privileges, which could indicate + a serious security threat. If confirmed malicious, this activity could allow attackers + to gain unauthorized access to sensitive systems and data, leading to potential + data breaches and further compromise of the network. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active + Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `active_directory_privilege_escalation_identified_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased as + the analytic story includes over 30 analytics. In addition, based on false positives, + modify any analytics to be anomaly and lower or increase risk based on organization + importance. +known_false_positives: False positives will most likely be present based on risk scoring + and how the organization handles system to system communication. Filter, or modify + as needed. In addition to count by analytics, adding a risk score may be useful. + In our testing, with 22 events over 30 days, the risk scores ranged from 500 to + 80,000. Your organization will be different, monitor and modify as needed. 
references: - https://attack.mitre.org/tactics/TA0004/ - https://research.splunk.com/stories/active_directory_privilege_escalation/ @@ -19,7 +46,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -27,34 +59,17 @@ tags: - Active Directory Privilege Escalation asset_type: Endpoint atomic_guid: [] - confidence: 80 - impact: 80 - message: Activity related to privilege escalation has been identified on $risk_object$. mitre_attack_id: - T1484 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Risk.calculated_risk_score - - All_Risk.annotations.mitre_attack.mitre_tactic_id - - All_Risk.annotations.mitre_attack.mitre_technique_id - - All_Risk.tag - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log source: adlm sourcetype: stash diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 17c51e259e..5f7d8e5d76 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml 
@@ -5,15 +5,23 @@ date: '2024-12-08' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the "StubPath" value within the "SOFTWARE\\Microsoft\\Active Setup\\Installed Components" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access. +description: The following analytic detects suspicious modifications to the Active + Setup registry for persistence and privilege escalation. It leverages data from + the Endpoint.Registry data model, focusing on changes to the "StubPath" value within + the "SOFTWARE\\Microsoft\\Active Setup\\Installed Components" path. This activity + is significant as it is commonly used by malware, adware, and APTs to maintain persistence + on compromised machines. If confirmed malicious, this could allow attackers to execute + code upon system startup, potentially leading to further system compromise and unauthorized + access. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active - Setup\\Installed Components*") BY Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= + "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed + Components*") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | + `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `active_setup_registry_autostart_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -28,9 +36,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Data Destruction 
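Review bot: `threat_objects: []` leaves the new risk event without an indicator even though the search already groups by `Registry.registry_path`, `Registry.registry_value_data` and `Registry.process_guid`; if the rba schema offers a registry path or registry value threat object type, attach `registry_path` here so analysts can pivot on the Active Setup key from the risk event. The two `score: 64` entries match the removed `confidence: 80` and `impact: 80` (80 × 80 / 100), and `$registry_path$` and `$dest$` in the message are both in the BY clause, so the rest of the block is consistent.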
@@ -38,38 +61,18 @@ tags: - Hermetic Wiper - Windows Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 80 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1547.014 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 22d3994a11..cd0c7eb48c 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml 
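Review bot: dropping `required_fields` (here `_time`, `Registry.dest`, `Registry.registry_value_name` and the rest) removes the only place the file documented which data model fields the search depends on; this is fine if contentctl now derives that list from the `search` string, but if not, the same loss applies to every detection in this patch and should be called out in the PR description. The removal of the `observable` entries (Hostname and User) is covered by the `system` and `user` risk objects added in the preceding hunk.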
@@ -5,14 +5,22 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" registry path. This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption. +description: The following analytic detects suspicious registry modifications that + implement auto admin logon by adding DefaultUserName and DefaultPassword values. + It leverages data from the Endpoint.Registry data model, specifically monitoring + changes to the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" registry + path. This activity is significant because it is associated with BlackMatter ransomware, + which uses this technique to automatically log on to compromised hosts and continue + encryption after a safe mode boot. If confirmed malicious, this could allow attackers + to maintain persistence and further encrypt the network, leading to significant + data loss and operational disruption. 
data_source: - Sysmon EventID 13 - Sysmon EventID 14 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" - AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= - DefaultUserName) BY Registry.registry_path Registry.registry_key_name +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword + OR Registry.registry_value_name= DefaultUserName) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`' 
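Review bot: the WHERE clause mixes AND and OR without parentheses, and this reflow now also puts a line break inside the expression: `Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName`. Splunk's documented evaluation order for search expressions (parentheses, NOT, OR, then AND) is the opposite of most languages, so readers will misjudge whether the Winlogon path constraint applies to `DefaultUserName`. Make the grouping explicit so the intent does not depend on precedence rules, e.g. `Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name IN ("DefaultPassword", "DefaultUserName")`. Quoting the two value names also avoids them being read as bare tokens.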
@@ -29,41 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified registry key $registry_key_name$ with registry value $registry_value_name$ + to prepare autoadminlogon + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - BlackMatter Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon mitre_attack_id: - T1552.002 - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - 
Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 38269fe035..cf78828ce7 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -1,7 +1,7 @@ name: Add or Set Windows Defender Exclusion id: 773b66fe-4dd9-11ec-8289-acde48001122 -version: '5' -date: '2024-11-28' +version: '6' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP 
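Review bot: the `version` bump in the add_or_set_windows_defender_exclusion header keeps the value as a quoted string (`'5'` to `'6'`) while the adsisearcher header further down bumps an unquoted integer (`4` to `5`); pick one representation so the field has a single YAML type across the repo. The `date` here moves to `'2024-12-17'` whereas the other version bumps in this patch use `'2024-11-13'`; confirm that is deliberate. In the tags hunk just above, the removed `observable` for `dest` had `type: Endpoint` where sibling files used `Hostname`; the new `rba` entry normalises this to `type: system`, which is an improvement worth keeping.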
@@ -53,54 +53,40 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: exclusion command $process$ executed on $dest$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - - WhisperGate - - Windows Defense Evasion Tactics + - CISA AA22-320A + - AgentTesla - Remcos - Data Destruction - - CISA AA22-320A - - ValleyRAT - Compromised Windows Host - - AgentTesla + - ValleyRAT + - Windows Defense Evasion Tactics + - WhisperGate + - Crypto Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: exclusion command $process$ executed on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml index abe5faa710..65286be5b8 100644 
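Review bot: the `analytic_story` list is reordered wholesale while `Crypto Stealer` is added, which hides the one substantive change (a new story mapping) inside a noisy diff; either keep the existing order and append the new entry, or sort the list and say so in the commit message. The new story is presumably why `version` goes to `'6'` in the header hunk above, so the PR description should mention it rather than leaving it implied by the rba migration. The `score: 64` values match the removed `confidence: 80` and `impact: 80`.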
--- a/detections/endpoint/adsisearcher_account_discovery.yml +++ b/detections/endpoint/adsisearcher_account_discovery.yml 
@@ -1,15 +1,28 @@ name: AdsiSearcher Account Discovery id: de7fcadc-04f3-11ec-a241-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell to query Active Directory for domain users. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, + `objectcategory=user`, and `.findAll()`. This activity is significant as it may + indicate an attempt by adversaries or Red Teams to enumerate domain users for situational + awareness and Active Directory discovery. If confirmed malicious, this could lead + to further reconnaissance, privilege escalation, or lateral movement within the + network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=user*" ScriptBlockText = "*.findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText + = "*objectcategory=user*" ScriptBlockText = "*.findAll()*" | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID + | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/002/ 
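Review bot: `how_to_implement` still opens with `The following Hunting analytic requires PowerShell operational logs to be imported`, but the file's `type: TTP` (context line at the top of this hunk) and the rba block being added make this a risk-generating TTP detection, not a Hunting search; reword to `The following analytic requires ...`. Since the hunk already rewraps that line, it is the right moment to fix it, and to name the macro in backticks (`powershell`) so the instruction to modify it points at something concrete.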
@@ -21,9 +34,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell process having commandline "AdsiSearcher" used for user enumeration + on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Industroyer2 
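Review bot: the rba `message` (`Powershell process having commandline "AdsiSearcher" used for user enumeration on $dest$`) describes a process command line, but the search matches `ScriptBlockText` from EventCode 4104, not a command line, and the message omits `$user$` although `user` is one of the two risk objects; suggest `PowerShell script block using [adsisearcher] for user enumeration executed on $dest$ by $user$`. The `score: 25` entries match the removed `confidence: 50` and `impact: 50`.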
@@ -31,36 +60,18 @@ tags: - CISA AA23-347A - Data Destruction asset_type: Endpoint - confidence: 50 - impact: 50 - message: Powershell process having commandline "AdsiSearcher" used for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - ComputerName - - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml index 6212f428a5..0a86ed9fd9 100644 --- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml +++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml 
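Review bot: the removed `required_fields` (`Message`, `ComputerName`, `User`) did not match the fields the search actually uses (`ScriptBlockText`, `Computer`, `UserID`), so this removal drops documentation that was already stale; wherever required fields are still kept, they should be regenerated from the search rather than carried over by hand.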
@@ -1,18 +1,40 @@ name: Allow File And Printing Sharing In Firewall id: ce27646e-d411-11eb-8a00-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing. This activity is significant because it can indicate an attempt by ransomware to discover and encrypt files on additional machines connected to the compromised host. If confirmed malicious, this could lead to widespread file encryption across the network, significantly increasing the impact of a ransomware attack. +description: The following analytic detects the modification of firewall settings + to allow file and printer sharing. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving 'netsh' commands + that enable file and printer sharing. This activity is significant because it can + indicate an attempt by ransomware to discover and encrypt files on additional machines + connected to the compromised host. If confirmed malicious, this could lead to widespread + file encryption across the network, significantly increasing the impact of a ransomware + attack. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"File and Printer Sharing\"*" Processes.process="*enable=Yes*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network admin may modify this firewall feature that may cause this rule to be triggered. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= + "*firewall*" Processes.process= "*group=\"File and Printer Sharing\"*" Processes.process="*enable=Yes*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network admin may modify this firewall feature that may cause + this rule to be triggered. references: - https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469 - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ 
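Review bot: `known_false_positives` is lowercase and ungrammatical (`network admin may modify this firewall feature that may cause this rule to be triggered.`); since this hunk already rewraps the line, reword it, e.g. `Network administrators may legitimately enable file and printer sharing in the firewall, which will trigger this rule.` The search is unchanged by the reflow; note that it requires the literal `enable=Yes` and the quoted `group=\"File and Printer Sharing\"` string, so on Windows installations with a localized rule group name the match may not fire, which is worth stating under `how_to_implement`.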
@@ -22,51 +44,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious modification of firewall to allow file and printer sharing + detected on host - $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware - BlackByte Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$ mitre_attack_id: - T1562.007 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - 
Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 53d5a34e90..99c90a80c7 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml 
@@ -5,11 +5,18 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network. +description: The following analytic detects suspicious modifications to firewall rule + registry settings that allow inbound traffic on specific ports with a public profile. + It leverages data from the Endpoint.Registry data model, focusing on registry paths + and values indicative of such changes. This activity is significant as it may indicate + an adversary attempting to grant remote access to a machine by modifying firewall + rules. If confirmed malicious, this could enable unauthorized remote access, potentially + leading to further exploitation, data exfiltration, or lateral movement within the + network. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data 
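Review bot: the description says the analytic looks for rules that allow inbound traffic `on specific ports with a public profile`, but the WHERE clause only requires `*|Action=Allow|*`, `*|Dir=In|*` and `*|LPort=*` in `Registry.registry_value_data`; there is no profile condition. Either add a `Registry.registry_value_data = "*|Profile=Public|*"` term (the FirewallRules value string carries a `Profile=` token) or drop `with a public profile` from the description so the text matches what the search does.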
@@ -29,9 +36,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious firewall allow rule modifications were detected via the registry + on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch 
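Review bot: the rba message and both risk objects rely on `$user$` and `$dest$`, but the visible part of the search's BY clause in the previous hunk stops at `Registry.registry_value_data` at the hunk boundary; confirm that `Registry.user` and `Registry.dest` are in the BY list, otherwise the `user` risk object will be empty and the message will render with a blank user. The `score: 25` values match the removed `confidence: 50` and `impact: 50`.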
@@ -40,38 +63,18 @@ tags: - NjRAT - PlugX asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$. mitre_attack_id: - T1021.001 - T1021 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml index c26dfe87ae..677ec6f051 100644 --- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml +++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml 
@@ -1,16 +1,29 @@ name: Allow Inbound Traffic In Firewall Rule id: a5d85486-b89c-11eb-8267-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like "firewall," "Inbound," "Allow," and "-LocalPort." This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration. +description: The following analytic detects a suspicious PowerShell command that allows + inbound traffic to a specific local port within the public profile. It leverages + PowerShell script block logging (EventCode 4104) to identify commands containing + keywords like "firewall," "Inbound," "Allow," and "-LocalPort." This activity is + significant because it may indicate an attacker attempting to establish remote access + by modifying firewall rules. If confirmed malicious, this could allow unauthorized + access to the machine, potentially leading to further exploitation and data exfiltration. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText = "*Inbound*" ScriptBlockText = "*Allow*" ScriptBlockText = "*-LocalPort*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -known_false_positives: administrator may allow inbound traffic in certain network or machine. +search: '`powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText + = "*Inbound*" ScriptBlockText = "*Allow*" ScriptBlockText = "*-LocalPort*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the powershell logs from your endpoints. make sure you enable needed + registry to monitor this event. +known_false_positives: administrator may allow inbound traffic in certain network + or machine. references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps drilldown_searches: 
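Review bot: the reflowed `how_to_implement` still says "make sure you enable needed registry to monitor this event", but this detection's only data source is `Powershell Script Block Logging 4104` and the search keys on `EventCode=4104 ScriptBlockText`; the sentence reads as a copy-paste from a registry analytic. Since the line is being rewritten anyway, correct it to something like "Make sure PowerShell Script Block Logging is enabled so EventCode 4104 is generated." Same pass for `known_false_positives`: "administrator may allow inbound traffic in certain network or machine." should start with a capital and read "Administrators may legitimately allow inbound traffic on certain networks or machines."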
@@ -19,43 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious firewall modification detected on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 3 + - field: dest + type: system + score: 3 + threat_objects: [] tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch asset_type: Endpoint - confidence: 30 - impact: 10 - message: Suspicious firewall modification detected on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1021.001 - T1021 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 3 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index 463ac61009..1334af8f48 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml 
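Review bot: the new `rba` scores of 3 for both `user` and `dest` reproduce the removed `confidence: 30` × `impact: 10` / 100 = `risk_score: 3`, so the conversion is faithful. Worth a second look all the same: this is a `type: TTP` analytic, and a per-object contribution of 3 will almost never move a risk object toward a risk notable on its own. If the low score is deliberate (noisy keyword match on "firewall", "Inbound", "Allow", "-LocalPort"), a short comment in the file or a `type: Anomaly` reclassification would make that intent explicit for the next maintainer.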
@@ -1,18 +1,40 @@ name: Allow Network Discovery In Firewall id: ccd6a38c-d40b-11eb-85a5-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack. +description: The following analytic detects a suspicious modification to the firewall + to allow network discovery on a machine. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving the 'netsh' + command to enable network discovery. This activity is significant because it is + commonly used by ransomware, such as REvil and RedDot, to discover and compromise + additional machines on the network. If confirmed malicious, this could lead to widespread + file encryption across multiple hosts, significantly amplifying the impact of the + ransomware attack. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"Network Discovery\"*" Processes.process="*enable*" Processes.process="*Yes*" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network admin may modify this firewall feature that may cause this rule to be triggered. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= + "*firewall*" Processes.process= "*group=\"Network Discovery\"*" Processes.process="*enable*" + Processes.process="*Yes*" by Processes.dest Processes.user Processes.parent_process + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network admin may modify this firewall feature that may cause + this rule to be triggered. references: - https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469 - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ 
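Review bot: `known_false_positives` is being rewritten in this hunk and still carries the ungrammatical "network admin may modify this firewall feature that may cause this rule to be triggered."; suggest "Network administrators may enable the Network Discovery firewall group legitimately, which will trigger this rule." Separately, the reflow splits the SPL inside a YAML single-quoted scalar across lines; YAML folds those line breaks to single spaces and keeps backslashes literal, so the escaped `\"Network Discovery\"` inside the SPL double-quoted string survives unchanged. No functional change, just confirming the escaping was checked after the wrap.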
@@ -22,9 +44,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious modification to the firewall to allow network discovery detected + on host - $dest$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -32,39 +67,18 @@ tags: - BlackByte Ransomware - NjRAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious modification to the firewall to allow network discovery detected on host - $dest$ mitre_attack_id: - T1562.007 - T1562 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index 0341465380..14a5ede122 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml 
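Review bot: the new `rba` block lists only `user` as a risk object, yet `rba.message` ends with "detected on host - $dest$" and the search groups by `Processes.dest`. This mirrors the removed `observable` (which also had only `user`) and the drilldown that searches `normalized_risk_object IN ("$user$")`, so behaviour is preserved, but it means the host named in the notable accrues no risk. Consider adding `- field: dest` / `type: system` / `score: 25` alongside the user object and widening the drilldown to include `"$dest$"`, as the sibling firewall detections in this patch already do.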
@@ -5,16 +5,24 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk. +description: The following analytic detects a registry modification that allows the + 'Consent Admin' to perform operations requiring elevation without user consent or + credentials. It leverages data from the Endpoint.Registry data model, specifically + monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows + Policies System registry path. This activity is significant as it indicates a potential + privilege escalation attempt, which could allow an attacker to execute high-privilege + tasks without user approval. If confirmed malicious, this could lead to unauthorized + administrative access and control over the compromised machine, posing a severe + security risk. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data - = "0x00000000") BY Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`' + = "0x00000000") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | + `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `allow_operation_with_consent_admin_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -29,9 +37,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious registry modification was performed on endpoint $dest$ by user + $user$. This behavior is indicative of privilege escalation. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -39,37 +63,17 @@ tags: - Azorult - MoonPeak asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation. mitre_attack_id: - T1548 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 3c21966aab..c92c682b76 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml 
@@ -1,18 +1,38 @@ name: Anomalous usage of 7zip id: 9364ee8e-a39a-11eb-8f1d-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation. +description: The following analytic detects the execution of 7z.exe, a 7-Zip utility, + spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint + Detection and Response (EDR) telemetry, focusing on process names and parent processes. + This activity is significant as it may indicate an adversary attempting to use 7-Zip + for data exfiltration, often by renaming the executable to evade detection. If confirmed + malicious, this could lead to unauthorized data archiving and exfiltration, compromising + sensitive information and potentially leading to further system exploitation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest + Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as this behavior is not normal + for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. references: - https://attack.mitre.org/techniques/T1560/001/ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ 
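Review bot: `version` jumps from 5 to 7 in this hunk while the other detection files in the patch bump by exactly one (4 to 5); either an intermediate change to this file is missing from the diff or the skip is a squash artifact. Confirm which, and if nothing else changed, set it to 6 so the version history stays monotonic and meaningful. Minor style point in the reflowed search: `` `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter` `` lacks the space before the pipe that the rest of the pipeline uses; harmless to SPL, but worth normalising while the line is being touched.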
@@ -23,9 +43,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading + of 7zip. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - NOBELIUM Group 
@@ -34,49 +75,18 @@ tags: - Graceful Wipe Out Attack - BlackSuit Ransomware asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip. mitre_attack_id: - T1560.001 - T1560 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index 728aa2b257..65331578b1 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml 
@@ -1,18 +1,40 @@ name: Any Powershell DownloadFile id: 1a93b7ea-7af7-11eb-adb5-acde48001122 -version: 7 -date: '2024-09-30' +version: 10 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of PowerShell's `DownloadFile` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context. +description: The following analytic detects the use of PowerShell's `DownloadFile` + method to download files. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. This activity is significant as + it is commonly used in malicious frameworks to download and execute additional payloads. + If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, + or further compromise of the system. Analysts should investigate the source and + destination of the download and review AMSI or PowerShell transaction logs for additional + context. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering will need to occur + by parent process or command line argument. It may be required to modify this query + to an EDR product for more granular coverage. references: - https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0 - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ 
@@ -23,65 +45,55 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile + within PowerShell. 
+ risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - - DarkCrystal RAT - - Ingress Tool Transfer - - Hermetic Wiper - - Malicious PowerShell - Data Destruction - - Log4Shell CVE-2021-44228 - - Phemedrone Stealer - - Braodo Stealer + - Ingress Tool Transfer + - DarkCrystal RAT - PXA Stealer + - Braodo Stealer + - Phemedrone Stealer + - Log4Shell CVE-2021-44228 + - Malicious PowerShell + - Hermetic Wiper + - Crypto Stealer + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 70 cve: - CVE-2021-44228 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. mitre_attack_id: - T1059 - T1059.001 - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml index 51a39c24cb..c94d2f49c5 100644 --- a/detections/endpoint/any_powershell_downloadstring.yml +++ b/detections/endpoint/any_powershell_downloadstring.yml 
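Review bot: the analytic_story list in the any_powershell_downloadfile tags hunk is both reordered and extended (Crypto Stealer, Nexus APT Threat Activity and Earth Estries are new), which is unrelated to the RBA migration and makes the tags diff hard to review; keep the original order and append the three new entries, or split the story additions into their own change so the migration diff is only removals of confidence/impact/message/observable/required_fields/risk_score. The rba block itself is consistent with what it replaces: score 56 equals the removed risk_score (confidence 70, impact 80) and the two threat_objects mirror the removed Attacker observables.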
@@ -1,18 +1,40 @@ name: Any Powershell DownloadString id: 4d015ef2-7adf-11eb-95da-acde48001122 -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of PowerShell's `DownloadString` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because `DownloadString` is commonly used in malicious PowerShell scripts to fetch and execute remote code. If confirmed malicious, this behavior could allow an attacker to download and run arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system. +description: The following analytic detects the use of PowerShell's `DownloadString` + method to download files. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include command-line details. + This activity is significant because `DownloadString` is commonly used in malicious + PowerShell scripts to fetch and execute remote code. If confirmed malicious, this + behavior could allow an attacker to download and run arbitrary code, potentially + leading to unauthorized access, data exfiltration, or further compromise of the + affected system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by + Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering will need to occur + by parent process or command line argument. It may be required to modify this query + to an EDR product for more granular coverage. references: - https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0 - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ 
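Review bot: version jumps from 6 to 8 in this header hunk while other files in the same patch bump by one (attacker_tools_on_endpoint 6 to 7, batch_file_write_to_system32 7 to 8, bcdedit_command_back_to_normal_mode_boot 3 to 4); if there is no intermediate revision of this file, set `version: 8` back to 7 so the increment reflects one change. The date '2024-11-13' is also earlier than the '2024-12-10' used by the +1 files, so confirm the two groups were not edited at different times and merged together unreviewed.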
@@ -24,9 +46,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString + within PowerShell. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Winter Vivern 
@@ -39,52 +82,19 @@ tags: - SysAid On-Prem Software CVE-2023-47246 Vulnerability - Phemedrone Stealer asset_type: Endpoint - confidence: 70 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell. mitre_attack_id: - T1059 - T1059.001 - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index cec1b2f2c7..13d06f14d7 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml @@ -1,7 +1,7 @@ name: Attacker Tools On Endpoint id: a51bfe1a-94f0-48cc-b4e4-16a110145893 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Bhavin Patel, Splunk status: production type: TTP 
@@ -50,6 +50,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attacker tool $process_name$, listed in attacker_tools.csv is executed + on host $dest$ by User $user$. This process $process_name$ is known to do- $description$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - XMRig @@ -59,42 +72,20 @@ tags: - CISA AA22-264A - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: An attacker tool $process_name$,listed in attacker_tools.csv is executed - on host $dest$ by User $user$. This process $process_name$ is known to do- $description$ mitre_attack_id: - T1036.005 - T1036 - T1003 - T1595 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.process_name - - Processes.parent_process - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index 6c596e2406..e9c57444bf 100644 
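Review bot: the rba message in the attacker_tools_on_endpoint hunk still ends with `is known to do- $description$`, which reads as a typo even though the missing space after `$process_name$,` was fixed in the same hunk; suggest `This process $process_name$ is known to: $description$`. Score 64 matches the removed confidence 80 and impact 80, and the single process_name threat object mirrors the removed Attacker observable, so the migration itself is consistent.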
--- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml 
@@ -1,18 +1,39 @@ name: Attempt To Add Certificate To Untrusted Store id: 6bc5243e-ef36-45dc-9b12-f4a6be131159 -version: 10 -date: '2024-09-30' +version: 12 +date: '2024-11-13' author: Patrick Bareiss, Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment. +description: The following analytic detects attempts to add a certificate to the untrusted + certificate store using the 'certutil -addstore' command. It leverages process activity + and command-line arguments from Endpoint Detection and Response (EDR) logs mapped + to the Splunk `Processes` data model. This activity is significant as it may indicate + an attacker trying to disable security tools to gain unauthorized access. If confirmed + malicious, this could lead to the compromise of system security, allowing attackers + to bypass defenses and potentially escalate privileges or persist in the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) + as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` + (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: There may be legitimate reasons for administrators to add a + certificate to the untrusted certificate store. In such cases, this will typically + be done on a large number of systems. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md drilldown_searches: 
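Review bot: the search matches any certutil command line containing `-addstore` (`Processes.process=*-addstore*`) and does not constrain which certificate store is written to, so additions to any store are alerted on, not only the untrusted store named in the title and description. Either add a store-name condition to the where clause or widen known_false_positives to say that every `-addstore` invocation fires and the store must be confirmed from the `process` field.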
@@ -21,55 +42,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to add a certificate to the store on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Disabling Security Tools asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1553.004 - T1553 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 778a3f65bd..55ffcf2ec8 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml 
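Review bot: the rba message in the attempt_to_add_certificate_to_untrusted_store hunk says "attempting to add a certificate to the store" without naming the store, while the search already exposes the full command line as `$process$` (`values(Processes.process) as process`); include `$process$` in the message so the analyst sees the store name and certificate path without a drilldown. Score 35 matches the removed confidence 50 and impact 70, and the threat_objects mirror the removed Attacker observables.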
@@ -5,16 +5,24 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "AutoAdminLogon" value within the "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss. +description: The following analytic detects a suspicious registry modification that + enables auto admin logon on a host. It leverages data from the Endpoint.Registry + data model, specifically looking for changes to the "AutoAdminLogon" value within + the "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" registry path. This + activity is significant because it was observed in BlackMatter ransomware attacks + to maintain access after a safe mode reboot, facilitating further encryption. If + confirmed malicious, this could allow attackers to automatically log in and continue + their operations, potentially leading to widespread network encryption and data + loss. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" - AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) - BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `auto_admin_logon_registry_entry_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND + Registry.registry_value_data=1) BY Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
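Review bot: the reflowed search now breaks the line inside the quoted registry path (`"*SOFTWARE\\Microsoft\\Windows` / `NT\\CurrentVersion\\Winlogon*"`); YAML folds that newline into a single space so the value still reads `Windows NT`, but a wrap inside a string literal is easy to mis-edit and defeats a grep for the full path. Wrap before `WHERE`, `AND` or `BY` as the removed version did, so the path literal stays on one line.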
@@ -28,42 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified registry key $registry_key_name$ with registry value $registry_value_name$ + to prepare autoadminlogon + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - BlackMatter Ransomware - Windows Registry Abuse asset_type: Endpoint - confidence: 90 - impact: 70 - message: modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon mitre_attack_id: - T1552.002 - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - 
Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml index ba56bec885..b7fa5f29ff 100644 --- a/detections/endpoint/batch_file_write_to_system32.yml +++ b/detections/endpoint/batch_file_write_to_system32.yml @@ -1,7 +1,7 @@ name: Batch File Write to System32 id: 503d17cb-9eab-4cf8-a20e-01d5c6987ae3 -version: '7' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Steven Dick, Michael Haag, Rico Valdez, Splunk status: production type: TTP @@ -30,7 +30,7 @@ how_to_implement: To successfully implement this search you need to be ingesting your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: It is possible for this search to generate a notable event +known_false_positives: It is possible for this search to generate a finding event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated 
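Review bot: the rba message in the auto_admin_logon_registry_entry hunk, `modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon`, names no host even though `dest` is the only risk object, and it is the only message in this patch that starts in lower case; suggest `AutoAdminLogon enabled on $dest$: registry key $registry_key_name$ value $registry_value_name$ was set to 1`, which matches the `Registry.registry_value_data=1` condition in the search. Score 63 matches the removed confidence 90 and impact 70, and the empty threat_objects list is consistent with the search carrying no process-name field.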
@@ -52,53 +52,36 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file - $file_name$ was written to system32 has occurred on endpoint $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 63 + - field: dest + type: system + score: 63 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - SamSam Ransomware - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: A file - $file_name$ was written to system32 has occurred on endpoint $dest$ - by user $user$. mitre_attack_id: - T1204 - T1204.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - - Processes.process_name - - Processes.dest - - Filesystem.process_guid - - Processes.process_guid - - Processes.dest - - Processes.process_name - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml index 9132d4be45..0b6dcac7d9 100644 
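Review bot: the rba message in the batch_file_write_to_system32 hunk, `A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.`, has two main verbs (`was written` and `has occurred`); since the text is carried over verbatim from the removed tags.message, this is the moment to fix it, for example `A file, $file_name$, was written to system32 on endpoint $dest$ by user $user$.` The dropped required_fields list also contained duplicated `Processes.dest` and `Processes.process_name` entries, so its removal is a clean-up as well as a migration.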
--- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml +++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml 
@@ -1,17 +1,37 @@ name: Bcdedit Command Back To Normal Mode Boot id: dc7a8004-0f18-11ec-8c54-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a suspicious `bcdedit` command that reconfigures a host from safe mode back to normal boot. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes. If confirmed malicious, this behavior could allow attackers to maintain control over the boot process, potentially leading to further system compromise and data encryption. +description: The following analytic detects the execution of a suspicious `bcdedit` + command that reconfigures a host from safe mode back to normal boot. This detection + leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions + involving `bcdedit.exe` with specific parameters. This activity is significant as + it may indicate the presence of ransomware, such as BlackMatter, which manipulates + boot configurations to facilitate encryption processes. If confirmed malicious, + this behavior could allow attackers to maintain control over the boot process, potentially + leading to further system compromise and data encryption. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*/deletevalue*" Processes.process="*{current}*" Processes.process="*safeboot*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe + Processes.process="*/deletevalue*" Processes.process="*{current}*" Processes.process="*safeboot*" + by Processes.process_name Processes.process Processes.parent_process_name Processes.dest + Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ 
@@ -21,44 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: bcdedit process with commandline $process$ to bring back to normal boot + configuration the $dest$ + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - BlackMatter Ransomware asset_type: Endpoint - confidence: 70 - impact: 50 - message: bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$ mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process 
- - Processes.parent_process_name - - Processes.parent_process - - Processes.dest - - Processes.user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml index aa220c5897..1425eee424 100644 --- a/detections/endpoint/bcdedit_failure_recovery_modification.yml +++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml @@ -1,7 +1,7 @@ name: BCDEdit Failure Recovery Modification id: 809b31d2-5462-11eb-ae93-0242ac130002 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
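Review bot: In the `rba` block added to bcdedit_command_back_to_normal_mode_boot.yml (the `@@ -21,44 +41,40 @@` hunk), `threat_objects: []` is left empty even though the search groups by `Processes.process_name` and `Processes.parent_process_name`; the BCDEdit Failure Recovery Modification change in this same diff registers both (`- field: process_name` / `type: process_name`), so consider doing the same here for consistent risk attribution. The message `bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$` reads awkwardly; something like `bcdedit.exe with command line $process$ restored normal boot configuration on $dest$` would be clearer. Also worth confirming that the test dataset under `attack_techniques/T1552.002/autoadminlogon/` actually contains the `/deletevalue {current} safeboot` events this T1490 detection keys on, and that the version bump from 3 to 4 is intended when every other detection touched here bumps by two.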
@@ -49,53 +49,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to disable the ability to recover + the endpoint. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Ransomware - Compromised Windows Host - Ryuk Ransomware asset_type: Endpoint - confidence: 80 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting disable the ability to recover the - endpoint. mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
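Review bot: The `tests` hunk for bcdedit_failure_recovery_modification.yml drops `- update_timestamp: true` in addition to re-wrapping the `data:` URL, and nothing in the change explains the removal; none of the other detections in this diff carried that flag, so please confirm the test still replays correctly without it or note why it is no longer needed. The version jump from `'5'` to `7` also skips a number, which is fine if an intermediate version was published but otherwise should be `6`.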
diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml index 355cb2e0aa..eee12eeb44 100644 --- a/detections/endpoint/bits_job_persistence.yml +++ b/detections/endpoint/bits_job_persistence.yml 
@@ -1,18 +1,41 @@ name: BITS Job Persistence id: e97a5ffe-90bf-11eb-928a-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation. +description: The following analytic detects the use of `bitsadmin.exe` to schedule + a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific command-line parameters such as + `create`, `addfile`, and `resume`. This activity is significant because BITS jobs + can be used by attackers to maintain persistence, download malicious payloads, or + exfiltrate data. If confirmed malicious, this could allow an attacker to persist + in the environment, execute arbitrary code, or transfer sensitive information, necessitating + further investigation and potential remediation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process + IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, + *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives will be present. Typically, applications + will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments + (legitimate applications) or parent process. references: - https://attack.mitre.org/techniques/T1197/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin 
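Review bot: In the re-wrapped `search` for bits_job_persistence.yml, the wildcard terms in `IN (*create*, *addfile*, *setnotifyflags*, ...)` are unquoted while the BITSAdmin Download File search in this same change quotes them (`IN ("*transfer*", "*addfile*")`); since the line is being touched anyway, quoting them here keeps the two consistent and avoids a parse surprise if a term ever needs a space or a special character. The trailing space before the closing parenthesis in `*resume* )` can go at the same time.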
@@ -24,63 +47,51 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to persist using BITS. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - BITS Jobs - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS. 
mitre_attack_id: - T1197 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 684066eb50..bdab9e207a 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml 
@@ -1,18 +1,40 @@ name: BITSAdmin Download File id: 80630ff4-8e4c-11eb-aab5-acde48001122 -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Michael Haag, Sittikorn S status: production type: TTP -description: The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. Review parallel and child processes, especially `svchost.exe`, for associated artifacts. +description: The following analytic detects the use of `bitsadmin.exe` with the `transfer` + parameter to download a remote object. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process and command-line telemetry. This + activity is significant because `bitsadmin.exe` can be exploited to download and + execute malicious files without immediate detection. If confirmed malicious, an + attacker could use this technique to download and execute payloads, potentially + leading to code execution, privilege escalation, or persistent access within the + environment. Review parallel and child processes, especially `svchost.exe`, for + associated artifacts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives, however it may be required to filter based on parent process name or network connection. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process + IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process + Processes.parent_process_name Processes.original_file_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives, however it may be required to filter + based on parent process name or network connection. references: - https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download - https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md 
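Review bot: The re-wrapped description for bitsadmin_download_file.yml still says the analytic detects `bitsadmin.exe` with the `transfer` parameter, but the search matches `Processes.process IN ("*transfer*", "*addfile*")`; either mention `addfile` in the description or drop it from the search, since as written the description under-states what fires. Note too that `*addfile*` is also matched by the BITS Job Persistence search in this diff, so a single `bitsadmin /addfile` command will raise both detections; that overlap is pre-existing, but it deserves a sentence in `known_false_positives` so analysts expect the paired alerts.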
@@ -24,9 +46,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Ingress Tool Transfer 
@@ -36,56 +78,24 @@ tags: - Flax Typhoon - Gozi Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file. mitre_attack_id: - T1197 - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor 
diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 195c1ab5d9..b6d19b0b39 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -1,18 +1,18 @@ name: CertUtil Download With URLCache and Split Arguments id: 415b4306-8bfb-11eb-85c4-acde48001122 -version: '8' -date: '2024-12-07' +version: 10 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP description: The following analytic detects the use of certutil.exe to download files - using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and - Response (EDR) data, focusing on command-line executions that include these specific - arguments. This activity is significant because certutil.exe is typically used for - certificate services, and its use to download files from remote locations is uncommon - and potentially malicious. If confirmed, this behavior could indicate an attempt - to download and execute malicious payloads, leading to potential system compromise - and unauthorized data access. + using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and Response + (EDR) data, focusing on command-line executions that include these specific arguments. + This activity is significant because certutil.exe is typically used for certificate + services, and its use to download files from remote locations is uncommon and potentially + malicious. If confirmed, this behavior could indicate an attempt to download and + execute malicious payloads, leading to potential system compromise and unauthorized + data access. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -54,6 +54,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - ProxyNotShell 
@@ -65,51 +80,17 @@ tags: - Compromised Windows Host - CISA AA22-277A asset_type: Endpoint - confidence: 100 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to download a file. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index e6456971e5..97a0c24ba9 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml 
@@ -1,14 +1,14 @@ name: CertUtil Download With VerifyCtl and Split Arguments id: 801ad9e4-8bfb-11eb-8b31-acde48001122 -version: '8' -date: '2024-12-07' +version: 10 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP description: The following analytic detects the use of `certutil.exe` to download - files using the `-VerifyCtl` and `-f` arguments. This behavior is identified - by monitoring command-line executions for these specific arguments via Endpoint - Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` + files using the `-VerifyCtl` and `-f` arguments. This behavior is identified by + monitoring command-line executions for these specific arguments via Endpoint Detection + and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further @@ -55,6 +55,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - DarkSide Ransomware 
@@ -62,51 +77,17 @@ tags: - Living Off The Land - Ingress Tool Transfer asset_type: Endpoint - confidence: 100 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to download a file. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml index 5179489fd3..6dafec9ff9 100644 --- a/detections/endpoint/certutil_exe_certificate_extraction.yml +++ b/detections/endpoint/certutil_exe_certificate_extraction.yml @@ -1,7 +1,7 @@ name: Certutil exe certificate extraction id: 337a46be-600f-11eb-ae93-0242ac130002 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Rod Soto, Splunk status: production type: TTP 
@@ -52,6 +52,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting export a certificate. + risk_objects: + - field: user + type: user + score: 63 + - field: dest + type: system + score: 63 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Persistence Techniques 
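Review bot: The `rba.message` added to certutil_exe_certificate_extraction.yml carries over a grammar slip from the removed `tags.message`: `attempting export a certificate` should read `attempting to export a certificate`. The BCDEdit Failure Recovery Modification change in this same diff fixed the identical pattern (`attempting disable` became `attempting to disable`), so this is the natural place to do likewise.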
@@ -60,49 +75,15 @@ tags: - Compromised Windows Host - Windows Certificate Services asset_type: Endpoint - confidence: 70 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting export a certificate. - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index faec0b2896..f00b0f4387 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml 
@@ -1,18 +1,40 @@ name: CertUtil With Decode Argument id: bfe94226-8c10-11eb-a4b3-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration. +description: The following analytic detects the use of CertUtil.exe with the 'decode' + argument, which may indicate an attempt to decode a previously encoded file, potentially + containing malicious payloads. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. + This activity is significant because attackers often use CertUtil to decode malicious + files downloaded from the internet, which are then executed to compromise the system. + If confirmed malicious, this activity could lead to unauthorized code execution, + further system compromise, and potential data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `certutil_with_decode_argument_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Typically seen used to `encode` files, but it is possible to + see legitimate use of `decode`. Filter based on parent-child relationship, file + paths, endpoint or user. references: - https://attack.mitre.org/techniques/T1140/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md 
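Review bot: `version` in certutil_with_decode_argument.yml jumps from 5 to 7 with no 6 in between; if the skip is intentional, the commit message should say why. Apart from that, the description, search, how_to_implement and known_false_positives changes are pure reflows: the YAML single-quoted search scalar folds the new line breaks back to spaces, and comparing the tokens of the old and new search strings shows the same where-clause, by-clause and macros, so the query itself is unchanged.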
@@ -24,9 +46,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to decode a file. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Deobfuscate-Decode Files or Information 
@@ -38,50 +80,17 @@ tags: - Cozy Bear - Midnight Blizzard asset_type: Endpoint - confidence: 80 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file. mitre_attack_id: - T1140 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml index 944e05e096..6d8c2aa9ec 100644 --- a/detections/endpoint/change_to_safe_mode_with_network_config.yml +++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml 
@@ -1,17 +1,37 @@ name: Change To Safe Mode With Network Config id: 81f1dce0-0f18-11ec-a5d7-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a suspicious `bcdedit` command that configures a host to boot in safe mode with network support. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption. If confirmed malicious, this could allow attackers to bypass certain security controls, persist in the environment, and continue their malicious activities. +description: The following analytic detects the execution of a suspicious `bcdedit` + command that configures a host to boot in safe mode with network support. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions involving `bcdedit.exe` with specific parameters. This activity is significant + because it is a known technique used by BlackMatter ransomware to force a compromised + host into safe mode for continued encryption. If confirmed malicious, this could + allow attackers to bypass certain security controls, persist in the environment, + and continue their malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*/set*" Processes.process="*{current}*" Processes.process="*safeboot*" Processes.process="*network*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe + Processes.process="*/set*" Processes.process="*{current}*" Processes.process="*safeboot*" + Processes.process="*network*" by Processes.process_name Processes.process Processes.parent_process_name + Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ 
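Review bot: `known_false_positives: unknown` is left untouched in change_to_safe_mode_with_network_config.yml even though this hunk rewrites the neighbouring fields and the search will match any `bcdedit /set {current} safeboot network` invocation; that command is also used legitimately to boot a machine into Safe Mode with Networking for troubleshooting, so a sentence naming the expected benign sources (administrator and support tooling) and pointing at the `change_to_safe_mode_with_network_config_filter` macro would help triage. Minor, in the reflowed search line: `Processes.user |\`drop_dm_object_name(Processes)\`` is missing the space after the pipe that every other search in this patch has.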
@@ -21,44 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: bcdedit process with commandline $process$ to force safemode boot the $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - BlackMatter Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: bcdedit process with commandline $process$ to force safemode boot the $dest$ mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - 
Processes.parent_process - - Processes.dest - - Processes.user - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index 2e3fc9984c..056af37cda 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml 
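Review bot: The new `rba.message` in the safe mode hunk, "bcdedit process with commandline $process$ to force safemode boot the $dest$", is ungrammatical; suggest "bcdedit with command line $process$ attempted to force a safe mode boot on $dest$". `threat_objects: []` is also empty although `Processes.process_name` is in the search's by-clause; the certutil detections in this patch use `process_name` as a threat object, so adding it here would give the risk event the same pivot. The 25 score matches the removed confidence 50 × impact 50 / 100.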
@@ -1,18 +1,40 @@ name: CHCP Command Execution id: 21d236ec-eec1-11eb-b23e-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the chcp.exe application, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where chcp.exe is executed by cmd.exe with specific command-line arguments. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration. +description: The following analytic detects the execution of the chcp.exe application, + which is used to change the active code page of the console. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where chcp.exe is executed by cmd.exe with specific command-line arguments. + This activity is significant because it can indicate the presence of malware, such + as IcedID, which uses this technique to determine the locale region, language, or + country of the compromised host. If confirmed malicious, this could lead to further + system compromise and data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: other tools or script may used this to change code page to UTF-* or others +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com + Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) + by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process + Processes.process_id Processes.parent_process_id Processes.dest Processes.user | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `chcp_command_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: other tools or script may used this to change code page to + UTF-* or others references: - https://ss64.com/nt/chcp.html - https://twitter.com/tccontre18/status/1419941156633329665?s=20 
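Review bot: The reflowed `known_false_positives` line in chcp_command_execution.yml keeps the original grammar slip "other tools or script may used this to change code page to UTF-* or others"; suggest "Other tools or scripts may use this to change the code page to UTF-* or other code pages." Also, the rewritten description still refers to "the chcp.exe application" while the search matches `Processes.process_name=chcp.com`; align the description with the search so an analyst reading the detection knows which binary name to expect.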
@@ -22,48 +44,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: parent process $parent_process_name$ spawning chcp process $process_name$ + with parent command line $parent_process$ + risk_objects: + - field: dest + type: system + score: 9 + - field: user + type: user + score: 9 + threat_objects: [] tags: analytic_story: - - IcedID - Azorult - Forest Blizzard + - Crypto Stealer + - IcedID asset_type: Endpoint - confidence: 30 - impact: 30 - message: parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$ mitre_attack_id: - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk 
Cloud - required_fields: - - _time - - process_name - - process - - parent_process_name - - parent_process - - process_id - - parent_process_id - - dest - - user - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index 4836eaefd4..b5f5648875 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml 
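Review bot: Beyond the rba migration, this hunk adds "Crypto Stealer" to `analytic_story` for the chcp detection and reorders the list; that is a content change the commit message should call out separately, and the new story name needs a matching story definition in the repository for the content to validate. The score of 9 on both risk objects matches the removed confidence 30 × impact 30 / 100.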
@@ -1,17 +1,36 @@ name: Check Elevated CMD using whoami id: a9079b18-1633-11ec-859c-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies the execution of the 'whoami' command with specific parameters to check for elevated privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment. +description: The following analytic identifies the execution of the 'whoami' command + with specific parameters to check for elevated privileges. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process and command-line + telemetry. This activity is significant because it is commonly used by attackers, + such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, + this behavior could indicate an attacker is assessing their privilege level, potentially + leading to further privilege escalation or persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*whoami*" + Processes.process = "*/group*" Processes.process = "* find *" Processes.process + = "*12288*" by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: [] drilldown_searches: 
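Review bot: `references: []` stays empty in check_elevated_cmd_using_whoami.yml while the rewritten description attributes the behaviour to FIN7 and the search keys on the literal `*12288*` token; since the hunk already touches the surrounding fields, add a reference for the FIN7 attribution and a note that 12288 is the RID of the High Mandatory Level label (S-1-16-12288), which is what `whoami /groups | find "12288"` is checking for. Also, `version` goes from 3 to 5, skipping 4.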
@@ -20,45 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - FIN7 asset_type: Endpoint - confidence: 80 - impact: 70 - message: Process name $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - 
Processes.process - - Processes.dest - - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml index 5e1a946f1a..b43429e414 100644 --- a/detections/endpoint/child_processes_of_spoolsv_exe.yml +++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml 
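Review bot: The whoami rba block leaves `threat_objects: []` although the search's by-clause includes `Processes.process_name` and `Processes.parent_process`; adding `process_name` as a threat object would match the certutil detections in this patch and give the risk event something to pivot on. The message change from "in $dest$" to "on $dest$" and the 56 score (confidence 80 × impact 70 / 100) are consistent with the removed values.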
@@ -1,53 +1,63 @@ name: Child Processes of Spoolsv exe id: aa0c4aeb-5b18-41c4-8c07-f1442d7599df -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system. +description: The following analytic identifies child processes spawned by spoolsv.exe, + the Print Spooler service in Windows, which typically runs with SYSTEM privileges. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and parent process relationships. Monitoring this activity is + crucial as it can indicate exploitation attempts, such as those associated with + CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers + could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate + privileges, and potentially compromise the entire system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe + AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legitimate printer-related processes may show up as children + of spoolsv.exe. You should confirm that any activity as legitimate and may be added + as exclusions in the search. 
references: [] +rba: + message: Potentially suspicious child processes of spoolsv.exe on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Destruction - Hermetic Wiper - Windows Privilege Escalation asset_type: Endpoint - confidence: 50 cve: - CVE-2018-8440 - impact: 50 - message: tbd mitre_attack_id: - T1068 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.process_name - - Processes.dest - - Processes.parent_process - - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml index 39f74fca9d..2e3eaddaf9 100644 --- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml +++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml @@ -1,7 +1,7 @@ name: Clear Unallocated Sector Using Cipher App id: cd80a6ac-c9d9-11eb-8839-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -49,58 +49,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors + of a specific disk. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Ransomware - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors - of a specific disk. mitre_attack_id: - T1070.004 - T1070 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml index 1ea9da0313..3618dec57d 100644 --- a/detections/endpoint/clop_common_exec_parameter.yml +++ b/detections/endpoint/clop_common_exec_parameter.yml @@ -1,7 +1,7 @@ name: Clop Common Exec Parameter id: 5a8a2a72-8322-11eb-9ee9-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -50,57 +50,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting using arguments to execute its main + code or feature of its code related to Clop ransomware. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Clop Ransomware asset_type: Endpoint - confidence: 100 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting using arguments to execute its main - code or feature of its code related to Clop ransomware. 
mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml index 7df1a61956..094e346b74 100644 --- a/detections/endpoint/clop_ransomware_known_service_name.yml +++ b/detections/endpoint/clop_ransomware_known_service_name.yml @@ -1,7 +1,7 @@ name: Clop Ransomware Known Service Name id: 07e08a12-870c-11eb-b5f9-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Teoderick Contreras status: production type: TTP 
@@ -40,38 +40,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of a known Clop Ransomware Service Name detected on $dest$ + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Clop Ransomware asset_type: Endpoint - confidence: 100 - impact: 100 - message: An instance of a known Clop Ransomware Service Name detected on $dest$ mitre_attack_id: - T1543 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - cmdline - - _time - - parent_process_name - - process_name - - OriginalFileName - - process_path - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index f61bc4534d..ead8c6acad 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml 
@@ -1,82 +1,79 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. +description: The following analytic detects the use of `cmd.exe /c` to execute commands, + a technique often employed by adversaries and malware to run batch commands or invoke + other shells like PowerShell. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process metadata. + Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized + command execution. If confirmed malicious, this behavior could lead to unauthorized + code execution, privilege escalation, or persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be high based on legitimate scripted code in any environment. Filter as needed. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* + /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be high based on legitimate scripted code + in any environment. Filter as needed. 
references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ tags: analytic_story: - - AsyncRAT - - Winter Vivern - - WhisperGate - - Living Off The Land + - Data Destruction - DarkGate Malware + - Chaos Ransomware + - Hermetic Wiper + - Warzone RAT + - Winter Vivern - ProxyNotShell - - Log4Shell CVE-2021-44228 + - IcedID + - Living Off The Land - NjRAT - - RedLine Stealer + - Log4Shell CVE-2021-44228 + - CISA AA23-347A + - AsyncRAT - Rhysida Ransomware - - IcedID - - Chaos Ransomware - - PlugX + - DarkCrystal RAT + - Crypto Stealer - Azorult - Qakbot - - Hermetic Wiper - - Warzone RAT - - DarkCrystal RAT - - CISA AA23-347A - - Data Destruction + - RedLine Stealer + - PlugX + - WhisperGate asset_type: Endpoint - automated_detection_testing: passed - confidence: 50 cve: - CVE-2021-44228 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process. 
mitre_attack_id: - T1059.003 - T1059 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml index ffb7b18231..107dc77582 100644 --- a/detections/endpoint/cmd_echo_pipe___escalation.yml +++ b/detections/endpoint/cmd_echo_pipe___escalation.yml @@ -1,7 +1,7 @@ name: CMD Echo Pipe - Escalation id: eb277ba0-b96b-11eb-b00e-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,6 +51,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ potentially performing privilege escalation + using named pipes related to Cobalt Strike and other frameworks. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Graceful Wipe Out Attack 
@@ -58,55 +74,20 @@ tags: - Compromised Windows Host - BlackByte Ransomware asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ potentially performing privilege escalation - using named pipes related to Cobalt Strike and other frameworks. mitre_attack_id: - T1059 - T1059.003 - T1543.003 - T1543 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index fb005bd54d..d71bc60a38 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
@@ -1,16 +1,30 @@ name: CMLUA Or CMSTPLUA UAC Bypass id: f87b5062-b405-11eb-a889-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities. +description: The following analytic detects the use of COM objects like CMLUA or CMSTPLUA + to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify + the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes + not typically associated with these libraries. This activity is significant as it + indicates an attempt to gain elevated privileges, a common tactic used by ransomware + adversaries. If confirmed malicious, this could allow attackers to execute code + with administrative rights, leading to potential system compromise and further malicious + activities. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Legitimate windows application that are not on the list loading this dll. Filter as needed. +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", + "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", + "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime + by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Legitimate windows application that are not on the list loading + this dll. Filter as needed. references: - https://attack.mitre.org/techniques/T1218/003/ drilldown_searches: 
@@ -19,9 +33,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The following module $ImageLoaded$ was loaded by a non-standard application + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - DarkSide Ransomware 
@@ -29,35 +56,18 @@ tags: - LockBit Ransomware - ValleyRAT asset_type: Endpoint - confidence: 100 - impact: 80 - message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$ mitre_attack_id: - T1218 - T1218.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 76c185898b..85ae717a21 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml 
@@ -1,17 +1,33 @@ name: Cobalt Strike Named Pipes id: 5876d429-0240-4709-8b93-ea8330b411b5 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify specific named pipes commonly used by Cobalt Strike's Artifact Kit and Malleable C2 Profiles. This activity is significant because Cobalt Strike is a popular tool for adversaries to conduct post-exploitation tasks, and identifying its named pipes can reveal potential malicious activity. If confirmed malicious, this could indicate an active Cobalt Strike beacon, leading to unauthorized access, data exfiltration, or further lateral movement within the network. +description: The following analytic detects the use of default or publicly known named + pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify + specific named pipes commonly used by Cobalt Strike's Artifact Kit and Malleable + C2 Profiles. This activity is significant because Cobalt Strike is a popular tool + for adversaries to conduct post-exploitation tasks, and identifying its named pipes + can reveal potential malicious activity. If confirmed malicious, this could indicate + an active Cobalt Strike beacon, leading to unauthorized access, data exfiltration, + or further lateral movement within the network. 
data_source: - Sysmon EventID 17 - Sysmon EventID 18 -search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*, \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives. +search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*, + \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, + \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime + by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: The idea of using named pipes with Cobalt Strike is to blend + in. Therefore, some of the named pipes identified and added may cause false positives. + Filter by process name or pipe name to reduce false positives. 
references: - https://attack.mitre.org/techniques/T1218/009/ - https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes @@ -25,9 +41,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ accessing + known suspicious named pipes related to Cobalt Strike. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Trickbot 
@@ -38,37 +69,17 @@ tags: - LockBit Ransomware - Gozi Malware asset_type: Endpoint - confidence: 90 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike. mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - PipeName - - dest - - process_name - - process_path - - process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml index ebd15cc818..b7dbef7eb3 100644 --- a/detections/endpoint/common_ransomware_extensions.yml +++ b/detections/endpoint/common_ransomware_extensions.yml 
@@ -1,21 +1,36 @@ name: Common Ransomware Extensions id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec -version: 8 -date: '2024-12-12' +version: 11 +date: '2025-01-07' author: David Dorsey, Michael Haag, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability. +description: The following analytic detects modifications to files with extensions + commonly associated with ransomware. It leverages the Endpoint.Filesystem data model + to identify changes in file extensions that match known ransomware patterns. This + activity is significant because it suggests an attacker is attempting to encrypt + or alter files, potentially leading to severe data loss and operational disruption. + If confirmed malicious, this activity could result in the encryption of critical + data, rendering it inaccessible and causing significant damage to the organization's + data integrity and availability. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h -| `drop_dm_object_name(Filesystem)` -| rex field=file_name "(?\.[^\.]+)$" -| rex field=file_path "(?([^\\\]*\\\)*).*" -| stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(true_file_path) as file_path by dest file_name -| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`' -how_to_implement: 'You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' -known_false_positives: It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as + file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest + _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" + | rex field=file_path "(?([^\\\]*\\\)*).*" | stats min(firstTime) + as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as + path_count dc(file_name) as file_count latest(true_file_path) as file_path by dest + file_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`' +how_to_implement: 'You must be ingesting data that records the filesystem activity + from your hosts to populate the Endpoint Filesystem data model node. To see the + additional metadata, add the following fields, if not already present, please review + the detailed documentation on how to create a new field within Incident Review' +known_false_positives: It is possible for a legitimate file with these extensions + to be created. If this is a true ransomware attack, there will be a large number + of files created with these extensions. references: - https://github.com/splunk/security_content/issues/2448 drilldown_searches: 
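Review bot: the refolded `how_to_implement` in this common_ransomware_extensions.yml hunk drops the trailing documentation URL, so the sentence now ends with "please review the detailed documentation on how to create a new field within Incident Review" and points the reader nowhere; either keep the `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` link (moving it into `references` if the backticks inside the quoted string were the concern) or reword the sentence. While touching it, the run-on "add the following fields, if not already present, please review ..." should be split into two sentences. Separately, the two `rex` named-capture groups appear in this hunk as `(?\.[^\.]+)$` and `(?([^\\\]*\\\)*).*` with nothing after `(?`, while the following `stats` relies on `true_file_path`; that reads like an angle-bracket rendering issue, but confirm the `<...>` group names are intact in the committed file, since the search cannot run without them.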
@@ -24,9 +39,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $Extensions$ extension. This extension and behavior may indicate a $Name$ ransomware attack. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - SamSam Ransomware 
@@ -37,35 +67,17 @@ tags: - LockBit Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 100 - impact: 90 - message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $Extensions$ extension. This extension and behavior may indicate a $Name$ ransomware attack. mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.user - - Filesystem.dest - - Filesystem.file_path - - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml index 05fbddadbf..2535f7533b 100644 --- a/detections/endpoint/common_ransomware_notes.yml +++ b/detections/endpoint/common_ransomware_notes.yml 
@@ -1,16 +1,31 @@ name: Common Ransomware Notes id: ada0f478-84a8-4641-a3f1-d82362d6bd71 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: Hunting -description: The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. +description: The following analytic detects the creation of files with names commonly + associated with ransomware notes. It leverages file-system activity data from the + Endpoint Filesystem data model, typically populated by endpoint detection and response + (EDR) tools or Sysmon logs. This activity is significant because ransomware notes + indicate a potential ransomware attack, which can lead to data encryption and extortion. + If confirmed malicious, this activity could result in significant data loss, operational + disruption, and financial impact due to ransom demands. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`' -how_to_implement: You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. 
This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -known_false_positives: It's possible that a legitimate file could be created with the same name used by ransomware note files. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) + as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` + | `common_ransomware_notes_filter`' +how_to_implement: You must be ingesting data that records file-system activity from + your hosts to populate the Endpoint Filesystem data-model node. This is typically + populated via endpoint detection-and-response product, such as Carbon Black, or + via other endpoint data sources, such as Sysmon. The data used for this search is + typically generated via logs that report file-system reads and writes. +known_false_positives: It's possible that a legitimate file could be created with + the same name used by ransomware note files. references: [] tags: analytic_story: 
@@ -22,39 +37,17 @@ tags: - LockBit Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 100 - impact: 90 - message: A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately. mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.user - - Filesystem.dest - - Filesystem.file_path - - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml index 59d5b9de0f..17290493c7 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml 
@@ -1,16 +1,36 @@ name: ConnectWise ScreenConnect Path Traversal id: 56a3ac65-e747-41f7-b014-dff7423c1dda -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 11 type: TTP status: production -description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`' -how_to_implement: This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources. 
-known_false_positives: False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here. +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating + file_path and file_name parameters in the URL. It leverages the Endpoint datamodel + Filesystem node to identify suspicious file system events, specifically targeting + paths and filenames associated with ScreenConnect. This activity is significant + as it can lead to unauthorized access to sensitive files and directories, potentially + resulting in data exfiltration or arbitrary code execution. If confirmed malicious, + attackers could gain unauthorized access and control over the host system, posing + a severe security risk. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") + Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id + Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `connectwise_screenconnect_path_traversal_filter`' +how_to_implement: This analytic utilizes the Endpoint datamodel Filesystem node to + identify path traversal attempts against ScreenConnect. Note that using SACL auditing + or other file system monitoring tools may also be used to detect path traversal + attempts. Typically the data for this analytic will come from EDR or other properly + CIM mapped data sources. 
+known_false_positives: False positives are not expected, as the detection is based + on the presence of file system events that indicate path traversal attempts. The + analytic may be modified to look for any file writes to this path as it is not common + for files to write here. references: - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 
@@ -21,35 +41,31 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A path traversal attack against ScreenConnect has been detected on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - ConnectWise ScreenConnect Vulnerabilities asset_type: Endpoint - confidence: 100 - impact: 100 - message: A path traversal attack against ScreenConnect has been detected on $dest$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.process_guid - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.dest - risk_score: 100 security_domain: endpoint cve: - CVE-2024-1708 @@ -57,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml index 7e3ed2e675..91abe981ca 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml @@ -1,7 +1,7 @@ name: ConnectWise ScreenConnect Path Traversal Windows SACL id: 4e127857-1fc9-4c95-9d69-ba24c91d52d7 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk data_source: - Windows Event Log Security 4663 
@@ -46,35 +46,24 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A path traversal attack against ScreenConnect has been detected on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - ConnectWise ScreenConnect Vulnerabilities - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 100 - message: A path traversal attack against ScreenConnect has been detected on $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - ObjectName - - ObjectType - - ProcessName - - AccessMask - - process_id - - EventCode - - Computer - - Caller_User_Name - risk_score: 100 security_domain: endpoint cve: - CVE-2024-1708 @@ -82,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Security diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 86180b315f..68ddb073f8 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml @@ -1,7 +1,7 @@ name: Conti Common Exec parameter id: 624919bc-c382-11eb-adcc-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -51,57 +51,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ executing specific Conti Ransomware related + parameters. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Ransomware - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ executing specific Conti Ransomware related - parameters. mitre_attack_id: - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/inf1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: 
XmlWinEventLog diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml index 6955040c7b..aaddd2c8b2 100644 --- a/detections/endpoint/control_loading_from_world_writable_directory.yml +++ b/detections/endpoint/control_loading_from_world_writable_directory.yml @@ -1,7 +1,7 @@ name: Control Loading from World Writable Directory id: 10423ac4-10c9-11ec-8dc4-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -56,59 +56,41 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. mitre_attack_id: - T1218 - T1218.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: + 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index b7c2d5d2de..2b94e92f3d 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml 
@@ -1,18 +1,41 @@ name: Create or delete windows shares using net exe id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c -version: 10 +version: 11 date: '2024-12-12' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats. +description: The following analytic detects the creation or deletion of Windows shares + using the net.exe command. It leverages Endpoint Detection and Response (EDR) data + to identify processes involving net.exe with actions related to share management. + This activity is significant because it may indicate an attacker attempting to manipulate + network shares for malicious purposes, such as data exfiltration, malware distribution, + or establishing persistence. If confirmed malicious, this activity could lead to + unauthorized access to sensitive information, service disruption, or malware introduction. + Immediate investigation is required to determine the intent and mitigate potential + threats. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*") | `create_or_delete_windows_shares_using_net_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate. 
+search: '| tstats `security_content_summariesonly` count values(Processes.user) as + user values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by + Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name + Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | search process IN ("*share* /delete*", "*share* + /REMARK:*", "*share* /CACHE:*") | `create_or_delete_windows_shares_using_net_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators often leverage net.exe to create or delete network + shares. You should verify that the activity was intentional and is legitimate. references: - https://attack.mitre.org/techniques/T1070/005/ drilldown_searches: 
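Review bot: `version` is bumped 10 to 11 in this create_or_delete_windows_shares_using_net_exe.yml hunk but `date` stays at '2024-12-12', whereas every other detection touched by this diff updates `date` alongside `version`; update the date here so the two fields keep moving together.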
@@ -21,9 +44,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ enumerating Windows file shares. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Hidden Cobra Malware 
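Review bot: the `rba.message` added in this hunk says the process was "enumerating Windows file shares", but the analytic (name "Create or delete windows shares using net exe", search filtering on `*share* /delete*`, `*share* /REMARK:*` and `*share* /CACHE:*`) fires on share creation, modification or deletion, not enumeration. The wording is carried over verbatim from the legacy `message` being removed, so this migration is the right moment to correct it, for example "creating, modifying or deleting Windows file shares".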
@@ -32,51 +75,18 @@ tags: - Prestige Ransomware - DarkGate Malware asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares. mitre_attack_id: - T1070 - T1070.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index 76ec6a577c..5a9e5a6de1 100644 --- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml 
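Review bot: dropping `required_fields` here loses nothing, since the list named fields the search never uses (`Processes.process_id`, `Processes.parent_process_path`, `Processes.process_path`, `Processes.parent_process_id`); but please confirm the contentctl release pinned for CI rejects the removed `confidence`/`impact`/`observable`/`risk_score` keys, otherwise detections that miss this migration will silently keep the old schema. The `- data:` value folded onto its own line is still a valid plain scalar in YAML.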
@@ -1,15 +1,29 @@ name: Create Remote Thread In Shell Application id: 10399c1e-f51e-11eb-b920-acde48001122 -version: 5 -date: '2024-11-26' +version: 6 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security. +description: The following analytic detects suspicious process injection in command + shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages + Sysmon EventCode 8 to identify the creation of remote threads within these shell + processes. This activity is significant because it is a common technique used by + malware, such as IcedID, to inject malicious code and execute it within legitimate + processes. If confirmed malicious, this behavior could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence within the environment, + posing a severe threat to system security. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*", "*\\pwsh.exe") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*", "*\\pwsh.exe") + | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId + SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as + process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `create_remote_thread_in_shell_application_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: unknown references: - https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/ 
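Review bot: the reflowed `how_to_implement` still says this search needs "the process name, parent process, and command-line executions", but the search keys on Sysmon EventCode 8 (CreateRemoteThread), which carries `SourceImage`, `TargetImage` and `StartAddress` and no command line; reword it to require Sysmon EventCode 8 via the `sysmon` macro, as the LSASS detection's text in this same patch does. Minor: `*\\powershell*` in the `TargetImage IN (...)` list also matches `powershell_ise.exe`; if that is intended, say so in the description.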
@@ -19,47 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ create a remote thread to shell app process $TargetImage$ + in host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - IcedID - Qakbot - Warzone RAT asset_type: Endpoint - confidence: 100 - impact: 70 - message: process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - TargetProcessId - - 
SourceProcessId - - StartAddress - - EventCode - - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index 93090b9533..daf76493ed 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml 
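Review bot: grammar in the new `rba.message`: "process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$" should read "created a remote thread in shell process $TargetImage$ on host $dest$". The `score: 70` on `dest` matches the removed `risk_score: 70` (confidence 100 x impact 70), and `process_name` as the threat object is correct since `SourceImage` is renamed to it in the search.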
@@ -1,16 +1,31 @@ name: Create Remote Thread into LSASS id: 67d4dbef-9564-4699-8da8-03a151529edc -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats. +description: The following analytic detects the creation of a remote thread in the + Local Security Authority Subsystem Service (LSASS). This behavior is identified + using Sysmon EventID 8 logs, focusing on processes that create remote threads in + lsass.exe. This activity is significant because it is commonly associated with credential + dumping, a tactic used by adversaries to steal user authentication credentials. + If confirmed malicious, this could allow attackers to gain unauthorized access to + sensitive information, leading to potential compromise of the entire network. Analysts + should investigate to differentiate between legitimate tools and potential threats. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`' -how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives: Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. +search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime + max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`' +how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which + includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. +known_false_positives: Other tools can access LSASS for legitimate reasons and generate + an event. In these cases, tweaking the search may help eliminate noise. 
references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: 
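Review bot: the search mixes field names: it filters on `EventID=8` but groups `by dest, EventCode, TargetImage, TargetProcessId`, and `how_to_implement` speaks of "EventCode 8". Whether both `EventID` and `EventCode` exist depends on the Sysmon TA extraction, so pick one (the other detections in this patch use `EventCode`) to avoid a search that filters on a field the TA does not populate. Also the `stats ... by` clause omits `SourceImage`, so an analyst sees that something created a thread in lsass.exe but not which process did it; add `SourceImage` to the by clause.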
@@ -19,47 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process has created a remote thread into $TargetImage$ on $dest$. This + behavior is indicative of credential dumping and should be investigated. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: TargetImage + type: process_name tags: analytic_story: - Credential Dumping - BlackSuit Ransomware asset_type: Windows - confidence: 90 - impact: 90 - message: A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated. 
mitre_attack_id: - T1003.001 - T1003 - observable: - - name: TargetImage - type: Other - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - TargetImage - - dest - - EventCode - - TargetImage - - TargetProcessId - - dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index 7fbe0c79f0..ee0bb861f3 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml 
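Review bot: `threat_objects: - field: TargetImage type: process_name` will always resolve to lsass.exe, the injected-into (victim) process, so it carries no triage value as a threat object; the injecting process is `SourceImage`, which the search does not currently expose. Suggest adding `SourceImage` to the search and using it as the threat object, keeping `TargetImage` in the message only. `score: 81` matches the removed `risk_score: 81` (confidence 90 x impact 90), and the duplicate `TargetImage`/`dest` entries in the old `required_fields` go away with it.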
@@ -1,16 +1,31 @@ name: Creation of lsass Dump with Taskmgr id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network. +description: The following analytic detects the creation of an lsass.exe process dump + using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation + events where the target filename matches *lsass*.dmp. This activity is significant + because creating an lsass dump can be a precursor to credential theft, as the dump + file contains sensitive information such as user passwords. If confirmed malicious, + an attacker could use the lsass dump to extract credentials and escalate privileges, + potentially compromising the entire network. data_source: - Sysmon EventID 11 -search: '`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`' -how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. 
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives: Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. +search: '`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | + stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, + process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `creation_of_lsass_dump_with_taskmgr_filter`' +how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which + includes EventCode 11 for detecting file create of lsass.dmp. This search uses an + input macro named `sysmon`. We strongly recommend that you specify your environment-specific + configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace + the macro definition with configurations for your Splunk environment. The search + also uses a post-filter macro designed to filter out known false positives. +known_false_positives: Administrators can create memory dumps for debugging purposes, + but memory dumps of the LSASS process would be unusual. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager - https://attack.mitre.org/techniques/T1003/001/ 
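Review bot: same `EventID` versus `EventCode` naming question as in the LSASS remote-thread file: the search filters on `EventID=11` while `how_to_implement` says "EventCode 11". The `process_name=taskmgr.exe` term also relies on the TA aliasing Sysmon's `Image` to `process_name`; worth stating that in `how_to_implement` since the raw event field is `Image`.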
@@ -21,41 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ + to disk. This behavior is related to dumping credentials via Task Manager. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Credential Dumping - CISA AA22-257A asset_type: Windows - confidence: 100 - impact: 80 - message: $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager. 
mitre_attack_id: - T1003.001 - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - process_name - - TargetFilename - - dest - - object_category - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml index 3fbf5b355c..49b3059565 100644 --- a/detections/endpoint/creation_of_shadow_copy.yml +++ b/detections/endpoint/creation_of_shadow_copy.yml @@ -1,7 +1,7 @@ name: Creation of Shadow Copy id: eb120f5f-b879-4a63-97c1-93352b5df844 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Patrick Bareiss, Splunk status: production type: TTP 
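Review bot: `threat_objects: []` although the `rba.message` interpolates `$process_name$` and `$TargetFilename$`, both of which are in the `stats ... by` clause; consider declaring `process_name` as a threat object as the Create Remote Thread In Shell Application file in this patch does. `score: 80` matches the removed `risk_score: 80` (confidence 100 x impact 80). The `version: '5'` to `version: 6` change in the Creation of Shadow Copy header hunk is a welcome type normalisation.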
@@ -52,60 +52,44 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform + offline password cracking. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Volt Typhoon - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 90 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform - offline password cracking. mitre_attack_id: - T1003.003 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 
sourcetype: XmlWinEventLog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index 92e1cc6817..9571ea9236 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -1,7 +1,7 @@ name: Creation of Shadow Copy with wmic and powershell id: 2ed8b538-d284-449a-be1d-82ad1dbd186b -version: 7 -date: '2024-12-08' +version: 8 +date: '2024-12-10' author: Patrick Bareiss, Splunk status: production type: TTP @@ -50,6 +50,18 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform + offline password cracking. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Volt Typhoon 
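Review bot: in creation_of_shadow_copy.yml both `tests` entries are named "True Positive Test" (one Sysmon, one CrowdStrike Falcon); give them distinct names so a failure in CI output identifies which dataset broke. In the new `rba` block for that file, `threat_objects` lists only `parent_process_name` while the message references `$process_name$` as well; the following Creation of Shadow Copy with wmic and powershell hunk declares `threat_objects: []` for the same message, so the two sibling detections should agree on what the threat object is.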
@@ -57,45 +69,18 @@ tags: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 90 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform - offline password cracking. mitre_attack_id: - T1003.003 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml index 91a051bd7f..69aa5fe62b 100644 --- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml @@ -1,7 +1,7 @@ name: Credential Dumping via Copy Command from Shadow Copy id: d8c406fe-23d2-45f3-a983-1abe7b83ff3b -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Patrick Bareiss, Splunk status: production type: TTP 
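Review bot: the removed `observable` block listed only `user` and `dest` (both Victim), which explains the empty `threat_objects` in the new `rba` block, but the search still returns `parent_process_name` and `process_name` and the message interpolates both; declare at least `process_name` as a threat object rather than carrying the old omission forward.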
@@ -51,50 +51,35 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline + password cracking. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 90 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline - password cracking. mitre_attack_id: - T1003.003 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
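Review bot: `threat_objects: []` here drops process context from the risk event even though `$parent_process_name$` and `$process_name$` appear in the message; for a copy-from-shadow-copy detection the spawning process is exactly what an analyst pivots on, so list `parent_process_name` and `process_name` as threat objects. Scores of 81 on `user` and `dest` match the removed `risk_score: 81`.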
diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml index 6549888584..ed7082bfee 100644 --- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml @@ -1,7 +1,7 @@ name: Credential Dumping via Symlink to Shadow Copy id: c5eac648-fae0-4263-91a6-773df1f4c903 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Patrick Bareiss, Splunk status: production type: TTP 
@@ -50,50 +50,35 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy + to grab credentials. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 90 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy - to grab credentials. mitre_attack_id: - T1003.003 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
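Review bot: same gap as the other shadow-copy detections in this patch: `threat_objects: []` with a message that interpolates `$parent_process_name$` and `$process_name$`. Since the four shadow-copy files were migrated together, apply one consistent threat-object list to all of them in this PR rather than fixing them one at a time later.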
diff --git a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml index ba86802987..b5bea9804b 100644 --- a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml +++ b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml 
@@ -1,14 +1,28 @@ name: Crowdstrike Admin Weak Password Policy id: bb1481fd-23c0-4195-b6a0-94d746c9637c -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: TTP status: production -description: The following analytic detects CrowdStrike alerts for admin weak password policy violations, identifying instances where administrative passwords do not meet security standards. These alerts highlight significant vulnerabilities that could be exploited by attackers to gain unauthorized access. Promptly addressing these alerts is crucial for maintaining robust security and protecting critical systems and data from potential threats. -search: '`crowdstrike_identities` primaryDisplayName = "*admin*" | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | where risk_type = "WEAK_PASSWORD_POLICY" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_admin_weak_password_policy_filter`' -how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for admin weak password + policy violations, identifying instances where administrative passwords do not meet + security standards. These alerts highlight significant vulnerabilities that could + be exploited by attackers to gain unauthorized access. 
Promptly addressing these + alerts is crucial for maintaining robust security and protecting critical systems + and data from potential threats. +search: '`crowdstrike_identities` primaryDisplayName = "*admin*" | rename riskFactors{}.severity + as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain + as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count + min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName + risk_type severity riskScore riskScoreSeverity user role_type | where risk_type + = "WEAK_PASSWORD_POLICY" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `crowdstrike_admin_weak_password_policy_filter`' +how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "crowdstrike:identities" event stream. Process and store the logs as needed, + integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
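Review bot: in the `search` of crowdstrike_admin_weak_password_policy.yml the filter `| where risk_type = "WEAK_PASSWORD_POLICY"` runs after `stats`, so every `*admin*` identity event is aggregated before the one risk type is selected; putting the condition in the base search (`riskFactors{}.type="WEAK_PASSWORD_POLICY"` next to `primaryDisplayName = "*admin*"`) keeps only matching events in the pipeline and does not depend on the post-`rename` field name. The description, search and how_to_implement changes are whitespace-only reflows, so the version/date bump is the only substantive change in this hunk; `data_source: []` and `known_false_positives: unknown` are carried over unchanged and still need filling in for a `status: production` detection.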
@@ -18,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Weak Password for Admin User found on $domain$ + risk_objects: + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 100 - message: Weak Password for Admin User found on $domain$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - riskFactors{}.severity - - riskFactors{}.type - - roles{}.type - - accounts{}.domain - - accounts{}.dn - - accounts{}.samAccountName - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log sourcetype: crowdstrike:identities source: crowdstrike:identities diff --git a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml index e79de23f10..1973095184 100644 --- a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml +++ b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml 
@@ -1,14 +1,28 @@ name: Crowdstrike Admin With Duplicate Password id: b8bccfbf-6ac2-40f2-83b6-e72b7efaa7d4 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: TTP status: production -description: The following analytic detects CrowdStrike alerts for admin accounts with duplicate password risk, identifying instances where administrative users share the same password. This practice significantly increases the risk of unauthorized access and potential breaches. Addressing these alerts promptly is crucial for maintaining strong security protocols, ensuring each admin account uses a unique, secure password to protect critical systems and data. -search: '`crowdstrike_identities` primaryDisplayName = "*admin*" | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | where risk_type = "DUPLICATE_PASSWORD" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_admin_with_duplicate_password_filter`' -how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for admin accounts + with duplicate password risk, identifying instances where administrative users share + the same password. This practice significantly increases the risk of unauthorized + access and potential breaches. 
Addressing these alerts promptly is crucial for maintaining + strong security protocols, ensuring each admin account uses a unique, secure password + to protect critical systems and data. +search: '`crowdstrike_identities` primaryDisplayName = "*admin*" | rename riskFactors{}.severity + as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain + as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count + min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName + risk_type severity riskScore riskScoreSeverity user role_type | where risk_type + = "DUPLICATE_PASSWORD" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `crowdstrike_admin_with_duplicate_password_filter`' +how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "crowdstrike:identities" event stream. Process and store the logs as needed, + integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
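Review bot: crowdstrike_admin_with_duplicate_password.yml has the same shape as the weak-password search: `| where risk_type = "DUPLICATE_PASSWORD"` is applied only after `stats`, so it should move into the base search for the same reason. Note also that `riskFactors{}.type` and `riskFactors{}.severity` are array fields; after the `rename`, grouping `by ... risk_type severity ...` yields a row per risk factor rather than per identity, so one admin with several risk factors can surface more than once. A short sentence about that in `description` (or a `dedup` on `dn`) would save analysts from reading the count as a number of accounts.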
@@ -18,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Duplicate Password for Admin User found on $domain$ + risk_objects: + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 100 - message: Duplicate Password for Admin User found on $domain$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - riskFactors{}.severity - - riskFactors{}.type - - roles{}.type - - accounts{}.domain - - accounts{}.dn - - accounts{}.samAccountName - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log sourcetype: crowdstrike:identities source: crowdstrike:identities diff --git a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml index 29dfcd8537..149a914419 100644 --- a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml +++ b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml 
@@ -1,14 +1,26 @@ name: Crowdstrike High Identity Risk Severity id: 0df524ad-6d78-4883-9987-d29418928103 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: TTP status: production -description: The following analytic detects CrowdStrike alerts for High Identity Risk Severity with a risk score of 70 or higher. These alerts indicate significant vulnerabilities in user identities, such as suspicious behavior or compromised credentials. Promptly investigating and addressing these alerts is crucial to prevent potential security breaches and ensure the integrity and protection of sensitive information and systems. -search: '`crowdstrike_identities` riskScoreSeverity="HIGH" OR riskScore >= 0.70 | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_high_identity_risk_severity_filter`' -how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for High Identity Risk + Severity with a risk score of 70 or higher. These alerts indicate significant vulnerabilities + in user identities, such as suspicious behavior or compromised credentials. 
Promptly + investigating and addressing these alerts is crucial to prevent potential security + breaches and ensure the integrity and protection of sensitive information and systems. +search: '`crowdstrike_identities` riskScoreSeverity="HIGH" OR riskScore >= 0.70 | + rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type + as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName + as user | stats count min(_time) as firstTime max(_time) as lastTime by domain + dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_high_identity_risk_severity_filter`' +how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "crowdstrike:identities" event stream. Process and store the logs as needed, + integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
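Review bot: the reflowed `description` in crowdstrike_high_identity_risk_severity.yml still says "a risk score of 70 or higher" while the search thresholds on `riskScore >= 0.70`; state the scale (a 0 to 1 fraction as used in the search) so that someone tuning the detection does not set `riskScore >= 70` and silence it. The `OR riskScoreSeverity="HIGH"` branch means the numeric threshold only matters when CrowdStrike's own severity label is absent or lower, which is worth a clause in the description as well.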
@@ -18,40 +30,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: High Identity Risk Score Severity found on $domain$ + risk_objects: + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 100 - message: High Identity Risk Score Severity found on $domain$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - riskFactors{}.severity - - riskFactors{}.type - - roles{}.type - - accounts{}.domain - - accounts{}.dn - - accounts{}.samAccountName - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log sourcetype: crowdstrike:identities source: crowdstrike:identities diff --git a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml index 287e827d22..cf73fc7546 100644 --- a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml +++ b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml 
@@ -1,14 +1,28 @@ name: Crowdstrike Medium Identity Risk Severity id: c23b425c-9024-4bd7-b526-c18a4a51d93e -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: TTP status: production -description: The following analytic detects CrowdStrike alerts for Medium Identity Risk Severity with a risk score of 55 or higher. These alerts indicate significant vulnerabilities in user identities, such as suspicious behavior or compromised credentials. Promptly investigating and addressing these alerts is crucial to prevent potential security breaches and ensure the integrity and protection of sensitive information and systems. -search: '`crowdstrike_identities` riskScoreSeverity = "MEDIUM" OR riskScore >= 0.55 AND riskScore < 0.70 | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_medium_identity_risk_severity_filter`' -how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for Medium Identity + Risk Severity with a risk score of 55 or higher. These alerts indicate significant + vulnerabilities in user identities, such as suspicious behavior or compromised credentials. 
+ Promptly investigating and addressing these alerts is crucial to prevent potential + security breaches and ensure the integrity and protection of sensitive information + and systems. +search: '`crowdstrike_identities` riskScoreSeverity = "MEDIUM" OR riskScore >= 0.55 + AND riskScore < 0.70 | rename riskFactors{}.severity as severity, riskFactors{}.type + as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn + as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) + as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity + user role_type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `crowdstrike_medium_identity_risk_severity_filter`' +how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "crowdstrike:identities" event stream. Process and store the logs as needed, + integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
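Review bot: the base search in crowdstrike_medium_identity_risk_severity.yml, `riskScoreSeverity = "MEDIUM" OR riskScore >= 0.55 AND riskScore < 0.70`, relies on AND binding tighter than OR; write it as `riskScoreSeverity="MEDIUM" OR (riskScore >= 0.55 AND riskScore < 0.70)` so the intended band is explicit. The `description` also says "55 or higher" with no upper bound, while the search caps the band at `< 0.70`; the text should mention both the upper bound and the 0 to 1 scale so it matches the search.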
@@ -18,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Medium Identity Risk Score Severity found on $domain$ + risk_objects: + - field: user + type: user + score: 70 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 100 - message: Medium Identity Risk Score Severity found on $domain$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - riskFactors{}.severity - - riskFactors{}.type - - roles{}.type - - accounts{}.domain - - accounts{}.dn - - accounts{}.samAccountName - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log sourcetype: crowdstrike:identities source: crowdstrike:identities diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml index 4434865a56..406835ddf2 100644 --- a/detections/endpoint/crowdstrike_medium_severity_alert.yml +++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml 
@@ -1,14 +1,28 @@ name: Crowdstrike Medium Severity Alert id: 7e80d92a-6ec3-4eb1-a444-1480acfe2d14 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: Anomaly status: production -description: The following analytic detects a CrowdStrike alert with MEDIUM severity indicates a potential threat that requires prompt attention. This alert level suggests suspicious activity that may compromise security but is not immediately critical. It typically involves detectable but non-imminent risks, such as unusual behavior or attempted policy violations, which should be investigated further and mitigated quickly to prevent escalation of attacks. -search: '`crowdstrike_stream` | rename event.EndpointIp as src_ip, event.EndpointName as src_host, event.UserName as user, event.IncidentDescription as description, event.IncidentType as type, event.NumbersOfAlerts as count_alerts, event.SeverityName as severity | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, src_host, user, description, type, count_alerts, severity | where LIKE (severity, "%MEDIUM%") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_medium_severity_alert_filter`' -how_to_implement: To implement CrowdStrike stream JSON logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "CrowdStrike:Event:Streams:JSON" event stream. Process and store the JSON logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects a CrowdStrike alert with MEDIUM severity + indicates a potential threat that requires prompt attention. This alert level suggests + suspicious activity that may compromise security but is not immediately critical. 
+ It typically involves detectable but non-imminent risks, such as unusual behavior + or attempted policy violations, which should be investigated further and mitigated + quickly to prevent escalation of attacks. +search: '`crowdstrike_stream` | rename event.EndpointIp as src_ip, event.EndpointName + as src_host, event.UserName as user, event.IncidentDescription as description, event.IncidentType + as type, event.NumbersOfAlerts as count_alerts, event.SeverityName as severity | + stats count min(_time) as firstTime max(_time) as lastTime by src_ip, src_host, + user, description, type, count_alerts, severity | where LIKE (severity, "%MEDIUM%") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_medium_severity_alert_filter`' +how_to_implement: To implement CrowdStrike stream JSON logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "CrowdStrike:Event:Streams:JSON" event stream. Process and store the JSON + logs as needed, integrating them into your logging or SIEM system for monitoring + and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
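Review bot: the reflowed `description` in crowdstrike_medium_severity_alert.yml keeps a grammatical slip from the old text: "detects a CrowdStrike alert with MEDIUM severity indicates a potential threat" should read "detects a CrowdStrike alert with MEDIUM severity, which indicates a potential threat". In the `search`, the severity filter `| where LIKE (severity, "%MEDIUM%")` runs after `stats`; the sibling crowdstrike_multiple_low_severity_alerts.yml filters `event.SeverityName` in the base search instead, and doing the same here (`event.SeverityName=MEDIUM` before the `rename`) would be both cheaper and consistent across the two detections.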
@@ -18,42 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A MEDIUM Severity Crowdstrike Alert found in $src_host$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A MEDIUM Severity Crowdstrike Alert found in $src_host$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - event.EndpointIp - - event.EndpointName - - event.UserName - - event.IncidentDescription - - event.IncidentType - - event.NumbersOfAlerts - - event.SeverityName - risk_score: 49 security_domain: endpoint - manual_test: This detection is marked manual 
test because the attack_data file and TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName is required to be present for the Risk Message Validation Integration Testing. This will be investigated and is a tracked issue. + manual_test: This detection is marked manual test because the attack_data file and + TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName + is required to be present for the Risk Message Validation Integration Testing. + This will be investigated and is a tracked issue. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log sourcetype: CrowdStrike:Event:Streams:JSON source: CrowdStrike:Event:Streams diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml index f0ae09358a..6fc6074d39 100644 --- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml +++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml 
@@ -1,14 +1,30 @@ name: Crowdstrike Multiple LOW Severity Alerts id: 5c2c02d8-bee7-4f5c-9dea-e3e1012daddb -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: Anomaly status: production -description: The following analytic detects multiple CrowdStrike LOW severity alerts, indicating a series of minor suspicious activities or policy violations. These alerts are not immediately critical but should be reviewed to prevent potential threats. They often highlight unusual behavior or low-level risks that, if left unchecked, could escalate into more significant security issues. Regular monitoring and analysis of these alerts are essential for maintaining robust security. -search: '`crowdstrike_stream` tag=alert event.SeverityName= LOW | rename event.EndpointIp as src_ip, event.EndpointName as src_host, event.UserName as user, event.IncidentDescription as description, event.IncidentType as type, event.NumbersOfAlerts as count_alerts, event.SeverityName as severity | stats dc(type) as type_count, values(user) as users, values(description) as descriptions, values(type) as types, values(severity) count min(_time) as firstTime max(_time) as lastTime by src_ip src_host | where type_count >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_multiple_low_severity_alerts_filter`' -how_to_implement: To implement CrowdStrike stream JSON logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "CrowdStrike:Event:Streams:JSON" event stream. Process and store the JSON logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects multiple CrowdStrike LOW severity alerts, + indicating a series of minor suspicious activities or policy violations. 
These alerts + are not immediately critical but should be reviewed to prevent potential threats. + They often highlight unusual behavior or low-level risks that, if left unchecked, + could escalate into more significant security issues. Regular monitoring and analysis + of these alerts are essential for maintaining robust security. +search: '`crowdstrike_stream` tag=alert event.SeverityName= LOW | rename event.EndpointIp + as src_ip, event.EndpointName as src_host, event.UserName as user, event.IncidentDescription + as description, event.IncidentType as type, event.NumbersOfAlerts as count_alerts, + event.SeverityName as severity | stats dc(type) as type_count, values(user) as users, + values(description) as descriptions, values(type) as types, values(severity) count + min(_time) as firstTime max(_time) as lastTime by src_ip src_host | where type_count + >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `crowdstrike_multiple_low_severity_alerts_filter`' +how_to_implement: To implement CrowdStrike stream JSON logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "CrowdStrike:Event:Streams:JSON" event stream. Process and store the JSON + logs as needed, integrating them into your logging or SIEM system for monitoring + and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
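Review bot: two tidy-ups in the `search` of crowdstrike_multiple_low_severity_alerts.yml that the reflow preserved: `event.SeverityName= LOW` has a stray space after the `=`, and `values(severity)` in the `stats` clause has no `as` alias and is redundant because the base search already restricts events to LOW. The `where type_count >= 3` threshold on `dc(type)` is the real logic of the detection and deserves a sentence in `description` (three distinct incident types per host, not three alerts) so tuning is done against the right number.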
@@ -18,41 +34,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_host$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Several LOW severity alerts found in $src_host$ + risk_objects: + - field: src_host + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: Several LOW severity alerts found in $src_host$ mitre_attack_id: - T1110 - observable: - - name: src_host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - event.EndpointIp - - event.EndpointName - - event.UserName - - event.IncidentDescription - - event.IncidentType - - event.NumbersOfAlerts - - event.SeverityName - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log sourcetype: CrowdStrike:Event:Streams:JSON source: CrowdStrike:Event:Streams diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml index 6580ceb4ee..263bee3e17 100644 --- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml +++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml 
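Review bot: the new `rba` block for the multiple-low-severity-alerts detection makes `src_host` the only risk object, but the privilege-escalation file later in this patch carries a `manual_test` note saying the TA and attack_data do not provide `event.EndpointName`, which is exactly the field renamed to `src_host` here. If that holds for crowdstrike_multiple_low_cleaned.log as well, the risk object will be empty and the test cannot validate the risk message; either confirm `event.EndpointName` is present in that dataset or add the same `manual_test` note to this file. The removed `required_fields` list was also the only place that documented the dependency on `event.EndpointIp`/`event.EndpointName`; consider carrying that into `how_to_implement`.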
@@ -1,14 +1,29 @@ name: Crowdstrike Privilege Escalation For Non-Admin User id: 69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: Anomaly status: production -description: The following analytic detects CrowdStrike alerts for privilege escalation attempts by non-admin users. These alerts indicate unauthorized efforts by regular users to gain elevated permissions, posing a significant security risk. Detecting and addressing these attempts promptly helps prevent potential breaches and ensures that user privileges remain properly managed, maintaining the integrity of the organization's security protocols. -search: '`crowdstrike_stream` tag=alert | rename event.EndpointIp as src_ip, event.EndpointName as src_host, event.UserName as user, event.IncidentDescription as description, event.IncidentType as type, event.NumbersOfAlerts as count_alerts, event.SeverityName as severity | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, src_host, user, description, type, count_alerts, severity | where LIKE(type,"%Privilege escalation%") AND NOT LIKE(user, "%adm%") AND NOT LIKE(user, "%svc%") AND NOT LIKE(user, "%admin%") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_privilege_escalation_for_non_admin_user_filter`' -how_to_implement: To implement CrowdStrike stream JSON logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "CrowdStrike:Event:Streams:JSON" event stream. Process and store the JSON logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for privilege escalation + attempts by non-admin users. These alerts indicate unauthorized efforts by regular + users to gain elevated permissions, posing a significant security risk. 
Detecting + and addressing these attempts promptly helps prevent potential breaches and ensures + that user privileges remain properly managed, maintaining the integrity of the organization's + security protocols. +search: '`crowdstrike_stream` tag=alert | rename event.EndpointIp as src_ip, event.EndpointName + as src_host, event.UserName as user, event.IncidentDescription as description, event.IncidentType + as type, event.NumbersOfAlerts as count_alerts, event.SeverityName as severity | + stats count min(_time) as firstTime max(_time) as lastTime by src_ip, src_host, + user, description, type, count_alerts, severity | where LIKE(type,"%Privilege escalation%") + AND NOT LIKE(user, "%adm%") AND NOT LIKE(user, "%svc%") AND NOT LIKE(user, "%admin%") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_privilege_escalation_for_non_admin_user_filter`' +how_to_implement: To implement CrowdStrike stream JSON logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "CrowdStrike:Event:Streams:JSON" event stream. Process and store the JSON + logs as needed, integrating them into your logging or SIEM system for monitoring + and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
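Review bot: in the `where` clause, `NOT LIKE(user, "%admin%")` is redundant because `NOT LIKE(user, "%adm%")` already excludes every value the longer pattern would match; drop one of them. The exclusion is purely name-based, so an administrator account whose name contains neither `adm` nor `svc` will be reported as non-admin, and `known_false_positives: unknown` should state that instead of being left blank. Separately, `data_source: []` is empty even though the search reads from `crowdstrike_stream` and the test block ingests sourcetype `CrowdStrike:Event:Streams:JSON`; populate it so the metadata matches the other detections in this patch.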
@@ -18,42 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Privilege escalation happened in Non-Admin Account in $src_host$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A Privilege escalation happened in Non-Admin Account in $src_host$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - event.EndpointIp - - event.EndpointName - - event.UserName - - event.IncidentDescription - - event.IncidentType - - event.NumbersOfAlerts - - event.SeverityName - risk_score: 49 security_domain: endpoint - manual_test: This 
detection is marked manual test because the attack_data file and TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName is required to be present for the Risk Message Validation Integration Testing. This will be investigated and is a tracked issue. + manual_test: This detection is marked manual test because the attack_data file and + TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName + is required to be present for the Risk Message Validation Integration Testing. + This will be investigated and is a tracked issue. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log sourcetype: CrowdStrike:Event:Streams:JSON source: CrowdStrike:Event:Streams diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml index 88c8cb2623..8c9c0b82c6 100644 --- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml +++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml 
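Review bot: in the `rba` hunk of crowdstrike_privilege_escalation_for_non_admin_user.yml, `rba.message` still interpolates `$src_host$` while the only risk object is `user`, and the `manual_test` note in the same hunk says `event.EndpointName` (the field renamed to `src_host`) is absent from the TA and attack_data, so the rendered message will carry an empty or unsubstituted host. Put `$user$` in the message, since that is the entity being scored (e.g. `message: Privilege escalation alert for non-admin account $user$ on $src_host$`), and consider adding `src_host` as a second `system` risk object once the field is actually delivered.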
@@ -1,14 +1,28 @@ name: Crowdstrike User Weak Password Policy id: b49b6ef4-57cd-4d42-bd7e-64e00f11cc87 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: Anomaly status: production -description: The following analytic detects CrowdStrike alerts for weak password policy violations, identifying instances where passwords do not meet the required security standards. These alerts highlight potential vulnerabilities that could be exploited by attackers, emphasizing the need for stronger password practices. Addressing these alerts promptly helps to enhance overall security and protect sensitive information from unauthorized access. -search: '`crowdstrike_identities` primaryDisplayName != "*admin*" | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | where risk_type = "WEAK_PASSWORD_POLICY" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_user_weak_password_policy_filter`' -how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for weak password policy + violations, identifying instances where passwords do not meet the required security + standards. These alerts highlight potential vulnerabilities that could be exploited + by attackers, emphasizing the need for stronger password practices. 
Addressing these + alerts promptly helps to enhance overall security and protect sensitive information + from unauthorized access. +search: '`crowdstrike_identities` primaryDisplayName != "*admin*" | rename riskFactors{}.severity + as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain + as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count + min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName + risk_type severity riskScore riskScoreSeverity user role_type | where risk_type + = "WEAK_PASSWORD_POLICY" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `crowdstrike_user_weak_password_policy_filter`' +how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "crowdstrike:identities" event stream. Process and store the logs as needed, + integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
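Review bot: the search renames the parallel arrays `riskFactors{}.severity` and `riskFactors{}.type` to `severity` and `risk_type` and then groups by both in `stats`; because each becomes an independent multivalue field, `stats ... by` can emit every type/severity combination, so the severity shown on the `WEAK_PASSWORD_POLICY` row may belong to a different risk factor on the same identity. Expanding the `riskFactors{}` objects with `spath`/`mvexpand` before the stats, or filtering on `riskFactors{}.type=WEAK_PASSWORD_POLICY` in the base search rather than in a post-stats `where`, keeps the pair aligned and avoids aggregating every identity record first. `known_false_positives: unknown` should also be filled in; the description itself calls these policy violations, which is a hygiene finding rather than attacker activity.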
@@ -18,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User Weak Password found on $domain$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: User Weak Password found on $domain$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - riskFactors{}.severity - - riskFactors{}.type - - roles{}.type - - accounts{}.domain - - accounts{}.dn - - accounts{}.samAccountName - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log sourcetype: crowdstrike:identities source: crowdstrike:identities diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml index 1644e8c058..1d5ae49ccd 100644 --- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml +++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml 
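Review bot: `rba.message: User Weak Password found on $domain$` names only the domain while the scored risk object is `user`; include `$user$` so the resulting risk event identifies the account without the analyst opening the raw result. The same applies to the duplicate-password file that follows, whose message is built the same way.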
@@ -1,14 +1,28 @@ name: Crowdstrike User with Duplicate Password id: 386dd914-16e5-400b-9bf6-25572cc4415a -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: Anomaly status: production -description: The following analytic detects CrowdStrike alerts for non-admin accounts with duplicate password risk, identifying instances where multiple non-admin users share the same password. This practice weakens security and increases the potential for unauthorized access. Addressing these alerts is essential to ensure each user account has a unique, strong password, thereby enhancing overall security and protecting sensitive information. -search: '`crowdstrike_identities` primaryDisplayName != "*admin*" | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | where risk_type = "DUPLICATE_PASSWORD" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_user_with_duplicate_password_filter`' -how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. +description: The following analytic detects CrowdStrike alerts for non-admin accounts + with duplicate password risk, identifying instances where multiple non-admin users + share the same password. This practice weakens security and increases the potential + for unauthorized access. 
Addressing these alerts is essential to ensure each user + account has a unique, strong password, thereby enhancing overall security and protecting + sensitive information. +search: '`crowdstrike_identities` primaryDisplayName != "*admin*" | rename riskFactors{}.severity + as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain + as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count + min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName + risk_type severity riskScore riskScoreSeverity user role_type | where risk_type + = "DUPLICATE_PASSWORD" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `crowdstrike_user_with_duplicate_password_filter`' +how_to_implement: To implement crowdstrike:identities logs, use the Falcon Streaming + API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe + to the "crowdstrike:identities" event stream. Process and store the logs as needed, + integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf 
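Review bot: this search has the same shape as the weak-password one, so the same caveat applies: `risk_type` and `severity` come from the parallel `riskFactors{}` arrays and are paired independently by `stats ... by`. Beyond that, `where risk_type = "DUPLICATE_PASSWORD"` runs after the aggregation, so every crowdstrike:identities record is grouped before the filter is applied; pushing the condition into the base search (`riskFactors{}.type=DUPLICATE_PASSWORD`) narrows the event set first. `how_to_implement` also tells readers to subscribe to "crowdstrike:identities" via the Falcon Streaming API, but that string is the sourcetype used in the test block, not a stream name; describe the actual collection method for identity data.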
@@ -18,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User with Duplicate Password found on $domain$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: User with Duplicate Password found on $domain$ mitre_attack_id: - T1110 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - riskFactors{}.severity - - riskFactors{}.type - - roles{}.type - - accounts{}.domain - - accounts{}.dn - - accounts{}.samAccountName - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log sourcetype: crowdstrike:identities source: crowdstrike:identities diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml index fcd7b1b7d5..523efe64be 100644 --- a/detections/endpoint/csc_net_on_the_fly_compilation.yml +++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml 
@@ -1,18 +1,41 @@ name: CSC Net On The Fly Compilation id: ea73128a-43ab-11ec-9753-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic detects the use of the .NET compiler csc.exe for + on-the-fly compilation of potentially malicious .NET code. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command-line + patterns associated with csc.exe. This activity is significant because adversaries + and malware often use this technique to evade detection by compiling malicious code + at runtime. If confirmed malicious, this could allow attackers to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process + = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `csc_net_on_the_fly_compilation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an + automated powershell script taht execute .net code that may generate false positive. + filter is needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ - https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html 
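Review bot: `known_false_positives` still carries typos and loose wording in the reflowed line: `taht` should be `that`, `powershell` should be `PowerShell`, and `may generate false positive. filter is needed.` reads better as `may generate false positives; a filter is needed.` Since this hunk already rewrites the line, fix the text in the same change. Also, `how_to_implement` asks for the process GUID to be ingested, but the tstats only uses `process_id`/`parent_process_id`, the process names and the command line; trim the requirement to what the search actually reads.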
@@ -20,36 +43,18 @@ tags: analytic_story: - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 50 - impact: 50 - message: csc.exe with commandline $process$ to compile .net code on $dest$ by $user$ mitre_attack_id: - T1027.004 - T1027 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml index 4acfecd8ab..0fd2ed2163 100644 --- a/detections/endpoint/curl_download_and_bash_execution.yml +++ b/detections/endpoint/curl_download_and_bash_execution.yml @@ -1,7 +1,7 @@ name: Curl Download and Bash Execution id: 900bc324-59f3-11ec-9fb4-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk, DipsyTipsy status: production type: TTP 
@@ -53,6 +53,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ attempting + to download a remote file and run it with bash. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host @@ -60,44 +73,14 @@ tags: - Linux Living Off The Land - Ingress Tool Transfer asset_type: Endpoint - confidence: 100 cve: - CVE-2021-44228 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ attempting - to download a remote file and run it with bash. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint manual_test: Due to current limitations in command line extraction capabilities with Sysmon for Linux, full CommandLine data cannot be collected for complete 
@@ -105,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml index 4769734851..5b45b2d365 100644 --- a/detections/endpoint/delete_shadowcopy_with_powershell.yml +++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml 
@@ -1,15 +1,27 @@ name: Delete ShadowCopy With PowerShell id: 5ee2bcd0-b2ff-11eb-bb34-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like "ShadowCopy," "Delete," or "Remove" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity. +description: The following analytic detects the use of PowerShell to delete shadow + copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches + for specific keywords like "ShadowCopy," "Delete," or "Remove" within the ScriptBlockText. + This activity is significant because deleting shadow copies is a common tactic used + by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, + this action could lead to irreversible data loss and hinder recovery efforts, significantly + impacting business continuity and data integrity. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText= "*ShadowCopy*" (ScriptBlockText = "*Delete*" OR ScriptBlockText = "*Remove*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. 
make sure you enable needed registry to monitor this event. +search: '`powershell` EventCode=4104 ScriptBlockText= "*ShadowCopy*" (ScriptBlockText + = "*Delete*" OR ScriptBlockText = "*Remove*") | stats count min(_time) as firstTime + max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename + Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the powershell logs from your endpoints. make sure you enable needed + registry to monitor this event. known_false_positives: unknown references: - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations 
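Review bot: the description says the analytic detects shadow-copy deletion "via the WMIC PowerShell module", but the search matches any EventCode 4104 script block containing `ShadowCopy` together with `Delete` or `Remove`, with no WMI-specific term; either describe it as a keyword match or tighten the search to what the description claims. `how_to_implement` is also too vague ("enable needed registry to monitor this event"): state that PowerShell Script Block Logging must be enabled, via Group Policy or the `EnableScriptBlockLogging` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`, so that Event ID 4104 is produced at all.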
@@ -20,9 +32,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to delete ShadowCopy was performed using PowerShell on $dest$ + by $user$. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - DarkSide Ransomware 
@@ -30,36 +58,17 @@ tags: - Revil Ransomware - DarkGate Malware asset_type: Endpoint - confidence: 90 - impact: 90 - message: An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user$. mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml index f692d66095..89b5ebed9b 100644 --- a/detections/endpoint/deleting_shadow_copies.yml +++ b/detections/endpoint/deleting_shadow_copies.yml @@ -1,7 +1,7 @@ name: Deleting Shadow Copies id: b89919ed-ee5f-492c-b139-95dbb162039e -version: '8' -date: '2024-11-28' +version: 10 +date: '2024-12-10' author: David Dorsey, Splunk status: production type: TTP 
@@ -52,6 +52,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to delete shadow copies. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Chaos Ransomware 
@@ -66,51 +81,17 @@ tags: - Compromised Windows Host - Clop Ransomware asset_type: Endpoint - confidence: 90 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to delete shadow copies. mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml index ca802ff301..406db0ca35 100644 --- a/detections/endpoint/detect_azurehound_command_line_arguments.yml +++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml @@ -1,7 +1,7 @@ name: Detect AzureHound Command-Line Arguments id: 26f02e96-c300-11eb-b611-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,15 +51,26 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Discovery Techniques - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD. mitre_attack_id: - T1087.002 - T1069.001 
@@ -68,45 +79,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml index c3c6583c1f..71aee3b142 100644 --- a/detections/endpoint/detect_azurehound_file_modifications.yml +++ b/detections/endpoint/detect_azurehound_file_modifications.yml 
@@ -1,16 +1,32 @@ name: Detect AzureHound File Modifications id: 1c34549e-c31b-11eb-996b-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure. +description: The following analytic detects the creation of specific AzureHound-related + files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages + data from the Endpoint.Filesystem datamodel, focusing on file creation events with + specific filenames. This activity is significant because AzureHound is a tool used + to gather information about Azure environments, similar to SharpHound for on-premises + Active Directory. If confirmed malicious, this activity could indicate an attacker + is collecting sensitive Azure environment data, potentially leading to further exploitation + or privilege escalation within the cloud infrastructure. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", + "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", + "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name + Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on file modifications that include the name of the process, and file, responsible + for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` + node. 
+known_false_positives: False positives should be limited as the analytic is specific + to a filename with extension .zip. Filter as needed. references: - https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350 - https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1 
@@ -20,16 +36,31 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file - $file_name$ was written to disk that is related to AzureHound, + a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 63 + - field: dest + type: system + score: 63 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Windows Discovery Techniques asset_type: Endpoint - confidence: 90 - impact: 70 - message: A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$. mitre_attack_id: - T1087.002 - T1069.001 
@@ -38,35 +69,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - file_path - - dest - - file_name - - process_id - - file_create_time - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml index 51473d194c..6cb38639a8 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml 
@@ -1,37 +1,43 @@ name: Detect Baron Samedit CVE-2021-3156 id: 93fbec4e-0375-440c-8db3-4508eca470c4 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches. +description: The following analytic detects attempts to exploit the Baron Samedit + vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. + This detection leverages logs from Linux systems, specifically searching for instances + of the sudoedit command with the "-s" flag followed by a double quote. This activity + is significant because it indicates an attempt to exploit a known vulnerability + that allows attackers to gain root privileges. If confirmed malicious, this could + lead to complete system compromise, unauthorized access to sensitive data, and potential + data breaches. data_source: [] search: '`linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`' -how_to_implement: Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. +how_to_implement: Splunk Universal Forwarder running on Linux systems, capturing logs + from the /var/log directory. 
The vulnerability is exposed when a non privledged + user tries passing in a single \ character at the end of the command while using + the shell and edit flags. known_false_positives: unknown references: [] +rba: + message: Potential Baron Samedit behavior on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Baron Samedit CVE-2021-3156 asset_type: Endpoint - confidence: 50 cve: - CVE-2021-3156 - impact: 50 - message: tbd mitre_attack_id: - T1068 - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml index c27585e4f2..b6da8b499b 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml 
@@ -1,38 +1,46 @@ name: Detect Baron Samedit CVE-2021-3156 Segfault id: 10f2bae0-bbe6-4984-808c-37dc1c67980d -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both "sudoedit" and "segfault" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk. +description: The following analytic identifies a heap-based buffer overflow in sudoedit + by detecting Linux logs containing both "sudoedit" and "segfault" terms. This detection + leverages Splunk to monitor for more than five occurrences of these terms on a single + host within a specified timeframe. This activity is significant because exploiting + this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, + leading to potential system compromise, unauthorized access, and data breaches. + If confirmed malicious, this could result in elevated privileges and full control + over the affected system, posing a severe security risk. data_source: [] -search: '`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`' -how_to_implement: Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. 
The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host -known_false_positives: If sudoedit is throwing segfaults for other reasons this will pick those up too. +search: '`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime + max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`' +how_to_implement: Splunk Universal Forwarder running on Linux systems (tested on Centos + and Ubuntu), where segfaults are being logged. This also captures instances where + the exploit has been compiled into a binary. The detection looks for greater than + 5 instances of sudoedit combined with segfault over your search time period on a + single host +known_false_positives: If sudoedit is throwing segfaults for other reasons this will + pick those up too. references: [] +rba: + message: Potential Baron Samedit segfault on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Baron Samedit CVE-2021-3156 asset_type: Endpoint - confidence: 50 cve: - CVE-2021-3156 - impact: 50 - message: tbd mitre_attack_id: - T1068 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - host - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml index 0b9df268ba..7787f11f60 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml 
@@ -1,38 +1,43 @@ name: Detect Baron Samedit CVE-2021-3156 via OSQuery id: 1de31d5d-8fa6-4ee0-af89-17069134118a -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic detects the execution of the "sudoedit -s *" command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow vulnerability. This detection leverages the `osquery_process` data source to identify instances where this specific command is run. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows privilege escalation. If confirmed malicious, an attacker could gain full control of the system, execute arbitrary code, or access sensitive data, leading to potential data breaches and system disruptions. +description: The following analytic detects the execution of the "sudoedit -s *" command, + which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow + vulnerability. This detection leverages the `osquery_process` data source to identify + instances where this specific command is run. This activity is significant because + it indicates an attempt to exploit a known vulnerability that allows privilege escalation. + If confirmed malicious, an attacker could gain full control of the system, execute + arbitrary code, or access sensitive data, leading to potential data breaches and + system disruptions. data_source: [] search: '`osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`' -how_to_implement: OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. 
+how_to_implement: OSQuery installed and configured to pick up process events (info + at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. + The vulnerability is exposed when a non privledged user tries passing in a single + \ character at the end of the command while using the shell and edit flags. known_false_positives: unknown references: [] +rba: + message: Potential Baron Samedit behavior on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Baron Samedit CVE-2021-3156 asset_type: Endpoint - confidence: 50 cve: - CVE-2021-3156 - impact: 50 - message: tbd mitre_attack_id: - T1068 - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - columns.cmdline - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml index 81cacc62a4..ac2d074956 100644 --- a/detections/endpoint/detect_certify_command_line_arguments.yml +++ b/detections/endpoint/detect_certify_command_line_arguments.yml @@ -1,7 +1,7 @@ name: Detect Certify Command Line Arguments id: e6d2dc61-a8b9-4b03-906c-da0ca75d71b8 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Steven Dick status: production type: TTP 
@@ -53,50 +53,35 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Certify/Certipy arguments detected on $dest$. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: + - field: process_name + type: process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Windows Certificate Services - Ingress Tool Transfer asset_type: Endpoint - confidence: 90 - impact: 100 - message: Certify/Certipy arguments detected on $dest$. mitre_attack_id: - T1649 - T1105 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml index 786066e6f7..80357f3580 100644 --- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml 
@@ -1,15 +1,33 @@ name: Detect Certify With PowerShell Script Block Logging id: f533ca6c-9440-4686-80cb-7f294c07812a -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS. +description: The following analytic detects the use of the Certify tool via an in-memory + PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. + It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific + command patterns associated with Certify's enumeration and exploitation functions. + This activity is significant as it indicates potential reconnaissance or exploitation + attempts against AD CS, which could lead to unauthorized certificate issuance. If + confirmed malicious, attackers could leverage this to escalate privileges, persist + in the environment, or access sensitive information by abusing AD CS. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. 
+search: '`powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText + IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) + OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* + -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND + ScriptBlockText IN ("* /ca:*")) | stats count min(_time) as firstTime max(_time) + as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) + as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") + | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as + signature_id | `detect_certify_with_powershell_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. known_false_positives: Unknown, partial script block matches. references: - https://github.com/GhostPack/Certify 
@@ -20,48 +38,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Certify arguments through PowerShell detected on $dest$. + risk_objects: + - field: dest + type: system + score: 90 + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Windows Certificate Services - Malicious PowerShell asset_type: Endpoint - confidence: 90 - impact: 100 - message: Certify arguments through PowerShell detected on $dest$. 
mitre_attack_id: - T1649 - T1059 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - OpCode - - Path - - user - - Computer - - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml index 94f6b395b0..48a6a3129b 100644 --- a/detections/endpoint/detect_certipy_file_modifications.yml +++ b/detections/endpoint/detect_certipy_file_modifications.yml 
@@ -1,15 +1,37 @@ name: Detect Certipy File Modifications id: 7e3df743-b1d8-4631-8fa8-bd5819688876 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network. +description: The following analytic detects the use of the Certipy tool to enumerate + Active Directory Certificate Services (AD CS) environments by identifying unique + file modifications. It leverages endpoint process and filesystem data to spot the + creation of files with specific names or extensions associated with Certipy's information + gathering and exfiltration activities. This activity is significant as it indicates + potential reconnaissance and data exfiltration efforts by an attacker. If confirmed + malicious, this could lead to unauthorized access to sensitive AD CS information, + enabling further attacks or privilege escalation within the network. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. 
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime values(Processes.process_current_directory) as process_current_directory + FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h + Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process + Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid + Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid + [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", + "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id + Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest + | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time + file_name file_path parent_process_name parent_process process_name process_path + process_current_directory process process_guid process_id | where isnotnull(file_name) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints as well as file creation or deletion events. known_false_positives: Unknown references: - https://github.com/ly4k/Certipy 
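Review bot: the header of detect_certipy_file_modifications.yml jumps from `-version: 3` to `+version: 5` in this one hunk, while every other detection in this diff increments by exactly one (`4` to `5` for the shadowcopy, anonymous-account and Empire detections, `5` to `6` for the LSASS one, `10` to `11` for the lockout one). Unless a version 4 of this file shipped somewhere outside this change, make it `+version: 4` so the version history stays contiguous and the single `date: '2024-11-13'` bump matches a single version bump.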
@@ -19,66 +41,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious files $file_name$ related to Certipy detected on $dest$ + risk_objects: + - field: dest + type: system + score: 45 + - field: user + type: user + score: 45 + threat_objects: + - field: file_name + type: file_name + - field: process_name + type: process_name tags: analytic_story: - Windows Certificate Services - Data Exfiltration - Ingress Tool Transfer asset_type: Endpoint - confidence: 90 - impact: 50 - message: Suspicious files $file_name$ related to Certipy detected on $dest$ mitre_attack_id: - T1649 - T1560 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: 
process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Processes.action - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.process_guid - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml index f1bdb3499a..0b55a03dbe 100644 --- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml +++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml 
@@ -1,16 +1,29 @@ name: Detect Computer Changed with Anonymous Account id: 1400624a-d42d-484d-8843-e6753e6e3645 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Rod Soto, Jose Hernandez, Splunk status: experimental type: Hunting -description: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. +description: The following analytic detects changes to computer accounts using an + anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) + and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and + LogonType 3. This activity is significant because anonymous logons should not typically + be modifying computer accounts, indicating potential unauthorized access or misconfiguration. + If confirmed malicious, this could allow an attacker to alter computer accounts, + potentially leading to privilege escalation or persistent access within the network. data_source: - Windows Event Log Security 4624 - Windows Event Log Security 4742 -search: '`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`' -how_to_implement: This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. 
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. +search: '`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS + LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) + as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`' +how_to_implement: This search requires audit computer account management to be enabled + on the system in order to generate Event ID 4742. We strongly recommend that you + specify your environment-specific configurations (index, source, sourcetype, etc.) + for Windows Event Logs. Replace the macro definition with configurations for your + Splunk environment. The search also uses a post-filter macro designed to filter + out known false positives. known_false_positives: None thus far found references: - https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/ @@ -18,32 +31,12 @@ tags: analytic_story: - Detect Zerologon Attack asset_type: Windows - confidence: 70 cve: - CVE-2020-1472 - impact: 70 - message: The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account. mitre_attack_id: - T1210 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetUserName - - LogonType - - TargetDomainName - - user - risk_score: 49 security_domain: endpoint 
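Review bot: the rewrapped `search:` in detect_computer_changed_with_anonymous_account.yml still ends in `| stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user` with no `by` clause, so this Hunting search collapses every 4624/4742 ANONYMOUS LOGON event in the time range into a single row and the analyst cannot tell which host saw the change. Since the line is already being touched for wrapping, consider `by host` (or `by TargetDomainName host`) so each affected computer is its own result; dropping the old `observable`, `message` and `risk_score` without adding an `rba:` block is otherwise the expected shape for `type: Hunting`.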
diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml index 9a66c3551e..9f13d8ec5e 100644 --- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml +++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml 
@@ -1,16 +1,29 @@ name: Detect Copy of ShadowCopy with Script Block Logging id: 9251299c-ea5b-11eb-a8de-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network. +description: The following analytic detects the use of PowerShell commands to copy + the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It + leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command executed. This activity is significant as it indicates an attempt + to exfiltrate sensitive registry hives for offline password cracking. If confirmed + malicious, this could lead to unauthorized access to credentials, enabling further + compromise of the system and potential lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*copy*","*[System.IO.File]::Copy*") AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*copy*","*[System.IO.File]::Copy*") + AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Limited false positives as the scope is limited to SAM, SYSTEM + and SECURITY hives. references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 - https://github.com/GossiTheDog/HiveNightmare 
@@ -21,46 +34,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was identified running a script to capture the SAM hive on endpoint + $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Credential Dumping asset_type: Endpoint - confidence: 100 cve: - CVE-2021-36934 - impact: 80 - message: PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - OpCode - - Computer - - UserID - - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index b70a7f5076..cbca225e2f 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml 
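Review bot: the new `rba.message` in detect_copy_of_shadowcopy_with_script_block_logging.yml ("PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$.") names only the SAM hive, but the search in the first hunk of that file matches `*System32\\config\\SAM*`, `*System32\\config\\SYSTEM*` and `*System32\\config\\SECURITY*` alike. Since the message is being moved into the `rba` block anyway, word it as "the SAM, SYSTEM or SECURITY hive", or include `$ScriptBlockText$` (it is in the `stats ... by` clause, so it is available to the risk event) so the analyst sees which hive was actually targeted.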
@@ -1,16 +1,34 @@ name: Detect Credential Dumping through LSASS access id: 2c365e57-4414-4540-8dc0-73ab10729996 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities. +description: The following analytic detects attempts to read LSASS memory, indicative + of credential dumping. It leverages Sysmon EventCode 10, filtering for specific + access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is + significant because it suggests an attacker is trying to extract credentials from + LSASS memory, potentially leading to unauthorized access, data breaches, and compromise + of sensitive information. If confirmed malicious, this could enable attackers to + escalate privileges, move laterally within the network, or exfiltrate data. Extensive + triage is necessary to differentiate between malicious and benign activities. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`' -how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives: The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. +search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) + | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, + SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`' +how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which + includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition + with configurations for your Splunk environment. 
The search also uses a post-filter + macro designed to filter out known false positives. +known_false_positives: The activity may be legitimate. Other tools can access lsass + for legitimate reasons, and it's possible this event could be generated in those + cases. In these cases, false positives should be fairly obvious and you may need + to tweak the search to eliminate noise. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$TargetImage$" 
@@ -18,9 +36,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$TargetImage$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$TargetImage$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$TargetImage$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The $SourceImage$ has attempted access to read $TargetImage$ was identified + on endpoint $dest$, this is indicative of credential dumping and should be investigated. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Detect Zerologon Attack 
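Review bot: `rba.risk_objects` in this hunk carries only `dest`, yet the unchanged "View risk events for the last 7 days" drilldown directly above still searches `normalized_risk_object IN ("$dest$", "$TargetImage$")`; with the `TargetImage` observable removed in the next hunk, no risk event will ever have `TargetImage` as its risk object, so that half of the drilldown is dead. Drop `"$TargetImage$"` from the risk-events drilldown (the "View the detection results" drilldown can keep it, since it runs the original search), and consider adding `SourceImage` under `threat_objects` instead of `threat_objects: []`: it is the accessing process and the attacker-side value in this detection. The message also has two main verbs ("The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$"); "Access to read $TargetImage$ by $SourceImage$ was identified on endpoint $dest$; this is indicative of credential dumping and should be investigated." keeps the same meaning.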
@@ -28,40 +59,18 @@ tags: - Credential Dumping - BlackSuit Ransomware asset_type: Windows - confidence: 100 - impact: 80 - message: The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated. mitre_attack_id: - T1003.001 - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: TargetImage - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetImage - - GrantedAccess - - dest - - SourceImage - - SourceProcessId - - TargetImage - - TargetProcessId - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml index a06dd609a0..7e5e09b90a 100644 --- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml 
@@ -1,16 +1,31 @@ name: Detect Empire with PowerShell Script Block Logging id: bc1dc6b8-c954-11eb-bade-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system. +description: The following analytic detects suspicious PowerShell execution indicative + of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) + to capture and analyze commands sent to PowerShell, specifically looking for patterns + involving `system.net.webclient` and base64 encoding. This behavior is significant + as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation + framework. If confirmed malicious, this activity could allow attackers to download + and execute additional payloads, leading to potential code execution, data exfiltration, + or further compromise of the affected system. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern. +search: '`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND + ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) + as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename UserID + as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_empire_with_powershell_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: False positives may only pertain to it not being related to + Empire, but another framework. Filter as needed if any applications use the same + pattern. references: - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 
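Review bot: the first `references:` entry at the bottom of this hunk in detect_empire_with_powershell_script_block_logging.yml ends with a trailing period (`...AddPowerShell#Configure_module_logging_for_PowerShell.`), which becomes part of the URL when the list is rendered as links; the same URL inside the rewrapped `how_to_implement` is fine because there the period closes a sentence, but the list entry should lose it.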
@@ -19,51 +34,48 @@ references: - https://github.com/BC-SECURITY/Empire - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for - "$UserID$" and "$Computer$" - search: '%original_detection_search% | search UserID = "$UserID$" Computer = "$Computer$"' +- name: View the detection results for - "$user$" and "$Computer$" + search: '%original_detection_search% | search user = "$user$" Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$UserID$" and "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$UserID$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The following behavior was identified and typically related to PowerShell-Empire + on $Computer$ by $user$. 
+ risk_objects: + - field: user + type: user + score: 81 + - field: Computer + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 90 - impact: 90 - message: The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$. mitre_attack_id: - T1059 - T1059.001 - observable: - - name: UserID - type: User - role: - - Victim - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml index 485cb08fcc..c159f44c23 100644 --- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml +++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml 
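Review bot: in detect_empire_with_powershell_script_block_logging.yml the rewritten search adds `| rename UserID as user` but keeps `Computer` as the host field, so the new `rba.risk_objects` entry is `- field: Computer` / `type: system` and every drilldown and the message key on `$Computer$`. The sibling change to detect_copy_of_shadowcopy_with_script_block_logging.yml in this same diff does `| rename Computer as dest | rename UserID as user` and registers `dest` as the system risk object for the same 4104 data source; renaming `Computer as dest` here as well, and switching the drilldowns and `rba.message` to `$dest$`, keeps system risk objects normalized on `dest` across the script-block-logging detections instead of splitting them between `Computer` and `dest`.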
@@ -1,19 +1,40 @@ name: Detect Excessive Account Lockouts From Endpoint id: c026e3dd-7e18-4abb-8f41-929e836efe74 -version: 10 -date: '2024-09-30' +version: 11 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: Anomaly -description: The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials. +description: The following analytic detects endpoints causing a high number of account + lockouts within a short period. It leverages the Windows security event logs ingested + into the `Change` datamodel, specifically under the `Account_Management` node, to + identify and count lockout events. This activity is significant as it may indicate + a brute-force attack or misconfigured system causing repeated authentication failures. + If confirmed malicious, this behavior could lead to account lockouts, disrupting + user access and potentially indicating an ongoing attack attempting to compromise + user credentials. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`' -how_to_implement: 'You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. - - **Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. - - Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`)' -known_false_positives: It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where + All_Changes.result="*lock*" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` + |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`' +how_to_implement: You must ingest your Windows security event logs in the `Change` + datamodel under the nodename is `Account_Management`, for this search to execute + successfully. Please consider updating the cron schedule and the count of lockouts + you want to monitor, according to your environment.\n**Splunk>Phantom Playbook Integration** + If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive + Account Lockouts Enrichment and Response\" can be configured to run when any results + are found by this detection search. The Playbook executes the Contextual and Investigative + searches in this Story, conducts additional information gathering on Windows endpoints, + and takes a response action to shut down the affected endpoint. To use this integration, + install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add + the correct hostname to the \"Phantom Instance\" field in the Adaptive Response + Actions when configuring this detection search, and set the corresponding Playbook + to active.\nPlaybook + Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`) +known_false_positives: It's possible that a widely used system, such as a kiosk, could + cause a large number of account lockouts. references: [] drilldown_searches: - name: View the detection results for - "$user$" and "$dest$" 
@@ -21,52 +42,49 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple accounts have been locked out. Review $dest$ and results related + to $user$. + risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Windows - confidence: 60 - impact: 60 - message: Multiple accounts have been locked out. Review $dest$ and results related to $user$. 
mitre_attack_id: - T1078 - T1078.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.user - - nodename - - All_Changes.result - - All_Changes.dest - risk_score: 36 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - update_timestamp: true - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml index 86ab796ff4..e80d4200a3 100644 --- a/detections/endpoint/detect_excessive_user_account_lockouts.yml +++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml 
@@ -1,15 +1,29 @@ name: Detect Excessive User Account Lockouts id: 95a7f9a5-6096-437e-a19e-86f42ac609bd -version: 7 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: Anomaly -description: The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network. +description: The following analytic identifies user accounts experiencing an excessive + number of lockouts within a short timeframe. It leverages the 'Change' data model, + specifically focusing on events where the result indicates a lockout. This activity + is significant as it may indicate a brute-force attack or misconfiguration, both + of which require immediate attention. If confirmed malicious, this behavior could + lead to account compromise, unauthorized access, and potential lateral movement + within the network. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`' -how_to_implement: ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. 
Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. -known_false_positives: It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Change.All_Changes where All_Changes.result="*lock*" + by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search + count > 5 | `detect_excessive_user_account_lockouts_filter`' +how_to_implement: ou must ingest your Windows security event logs in the `Change` + datamodel under the nodename is `Account_Management`, for this search to execute + successfully. Please consider updating the cron schedule and the count of lockouts + you want to monitor, according to your environment. +known_false_positives: It is possible that a legitimate user is experiencing an issue + causing multiple account login failures leading to lockouts. references: [] drilldown_searches: - name: View the detection results for - "$user$" 
@@ -17,38 +31,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive user account lockouts for $user$ in a short period of time + risk_objects: + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Windows - confidence: 60 - impact: 60 - message: Excessive user account lockouts for $user$ in a short period of time mitre_attack_id: - T1078 - T1078.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.result - - nodename - - All_Changes.user - risk_score: 36 security_domain: access tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml-1.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml-1.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index 5305a86eb0..6301bf3efc 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -54,6 +54,20 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file - $file_name$ was written to disk that is related to IIS exploitation + previously performed by HAFNIUM. Review further file modifications on endpoint + $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - ProxyNotShell 
@@ -63,45 +77,20 @@ tags: - Compromised Windows Host - BlackByte Ransomware asset_type: Endpoint - confidence: 90 - impact: 90 - message: A file - $file_name$ was written to disk that is related to IIS exploitation - previously performed by HAFNIUM. Review further file modifications on endpoint - $dest$ by user $user$. mitre_attack_id: - T1505 - T1505.003 - T1190 - T1133 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_hash - - Filesystem.user - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index faf314f721..5ad0885f0f 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml 
@@ -1,18 +1,39 @@ name: Detect HTML Help Renamed id: 62fed254-513b-460e-953d-79771493a9f3 -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects instances where hh.exe (HTML Help) has been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because attackers can use renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow attackers to run arbitrary scripts, escalate privileges, or persist within the environment, posing a significant security risk. +description: The following analytic detects instances where hh.exe (HTML Help) has + been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and original file names. This activity is significant because attackers can use + renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading + to code execution. If confirmed malicious, this technique could allow attackers + to run arbitrary scripts, escalate privileges, or persist within the environment, + posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe + AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely a renamed instance of hh.exe will be used + legitimately, filter as needed. references: - https://attack.mitre.org/techniques/T1218/001/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md 
@@ -22,51 +43,18 @@ tags: - Suspicious Compiled HTML Activity - Living Off The Land asset_type: Endpoint - confidence: 100 - impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$ mitre_attack_id: - T1218 - T1218.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml index 1015f9c63e..7bbbcdff80 100644 --- a/detections/endpoint/detect_html_help_spawn_child_process.yml +++ b/detections/endpoint/detect_html_help_spawn_child_process.yml @@ -1,7 +1,7 @@ name: Detect HTML Help Spawn Child Process id: 723716de-ee55-4cd4-9759-c44e7e55ba4b -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,6 +54,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ spawning a child process, typically not normal + behavior. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Compiled HTML Activity 
@@ -61,53 +77,18 @@ tags: - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ spawning a child process, typically not normal - behavior. mitre_attack_id: - T1218 - T1218.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index 3ff882049d..b91592327f 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -1,7 +1,7 @@ name: Detect HTML Help URL in Command Line id: 8c5835b9-39d9-438b-817c-95f14c69a31e -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,59 +54,40 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ contacting a remote destination to potentally + download a malicious payload. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Compiled HTML Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ contacting a remote destination to potentally - download a malicious payload. mitre_attack_id: - T1218 - T1218.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml index 239311a142..335817cd7b 100644 --- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml +++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml @@ -1,7 +1,7 @@ name: Detect HTML Help Using InfoTech Storage Handlers id: 0b2eefa5-5508-450d-b970-3dd2fb761aec -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -55,54 +55,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ has been identified using Infotech Storage Handlers to load + a specific file within a CHM on $dest$ under user $user$. + risk_objects: + - field: user + type: user + score: 72 + - field: dest + type: system + score: 72 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Compiled HTML Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 80 - message: $process_name$ has been identified using Infotech Storage Handlers to load - a specific file within a CHM on $dest$ under user $user$. mitre_attack_id: - T1218 - T1218.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml index 00bb8bbf27..d3616fae42 100644 --- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml 
@@ -1,16 +1,30 @@ name: Detect Mimikatz With PowerShell Script Block Logging id: 8148c29c-c952-11eb-9255-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment. +description: The following analytic detects the execution of Mimikatz commands via + PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This + method captures and logs the full command sent to PowerShell, allowing for the identification + of suspicious activities such as Pass the Ticket, Pass the Hash, and credential + dumping. This activity is significant as Mimikatz is a well-known tool used for + credential theft and lateral movement. If confirmed malicious, this could lead to + unauthorized access, privilege escalation, and potential compromise of sensitive + information within the environment. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed. +search: '`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, + *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) + as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename UserID + as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_mimikatz_with_powershell_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: False positives should be limited as the commands being identifies + are quite specific to EventCode 4104 and Mimikatz. Filter as needed. references: - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 
@@ -18,14 +32,30 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for - "$UserID$" and "$Computer$" - search: '%original_detection_search% | search UserID = "$UserID$" Computer = "$Computer$"' +- name: View the detection results for - "$user$" and "$Computer$" + search: '%original_detection_search% | search user = "$user$" Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$UserID$" and "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$UserID$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The following behavior was identified and typically related to MimiKatz + being loaded 
within the context of PowerShell on $Computer$ by $user$. + risk_objects: + - field: user + type: user + score: 90 + - field: Computer + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Malicious PowerShell @@ -36,37 +66,18 @@ tags: - CISA AA23-347A - Data Destruction asset_type: Endpoint - confidence: 100 - impact: 90 - message: The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$. mitre_attack_id: - T1003 - T1059.001 - observable: - - name: UserID - type: User - role: - - Victim - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 07277de72a..7c5118b8b9 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -1,7 +1,7 @@ name: Detect mshta inline hta execution id: a0873b32-5b68-11eb-ae93-0242ac130002 -version: '10' -date: '2024-11-28' +version: 13 +date: '2024-12-10' author: Bhavin Patel, Michael Haag, Splunk status: production type: TTP 
@@ -53,6 +53,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense + evasion. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Gozi Malware 
@@ -60,53 +76,18 @@ tags: - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense - evasion. mitre_attack_id: - T1218 - T1218.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index f733763a8d..229050f266 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml 
@@ -1,18 +1,38 @@ name: Detect mshta renamed id: 8f45fcf0-5b68-11eb-ae93-0242ac130002 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic identifies instances where mshta.exe has been + renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically + focusing on the original file name field to detect discrepancies. This activity + is significant because renaming mshta.exe is a common tactic used by attackers to + evade detection and execute malicious scripts. If confirmed malicious, this could + allow an attacker to execute arbitrary code, potentially leading to system compromise, + data exfiltration, or further lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe + AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved + copy of mshta.exe, but never renamed, triggering a false positive. references: - https://github.com/redcanaryco/AtomicTestHarnesses - https://redcanary.com/blog/introducing-atomictestharnesses/ 
@@ -21,51 +41,18 @@ tags: - Suspicious MSHTA Activity - Living Off The Land asset_type: Endpoint - confidence: 100 - impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$ mitre_attack_id: - T1218 - T1218.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index 73cfce8e53..ca6dcb56be 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -1,7 +1,7 @@ name: Detect MSHTA Url in Command Line id: 9b3af1e6-5b68-11eb-ae93-0242ac130002 -version: '7' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -53,6 +53,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to access a remote destination to + download an additional payload. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious MSHTA Activity 
@@ -60,53 +76,18 @@ tags: - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to access a remote destination to - download an additional payload. mitre_attack_id: - T1218 - T1218.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml index d15216ca68..f70320bd1c 100644 --- a/detections/endpoint/detect_new_local_admin_account.yml +++ b/detections/endpoint/detect_new_local_admin_account.yml 
@@ -5,19 +5,28 @@ date: '2024-12-12' author: David Dorsey, Splunk status: production type: TTP -description: The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions. +description: The following analytic detects the creation of new accounts elevated + to local administrators. It uses Windows event logs, specifically EventCode 4720 + (user account creation) and EventCode 4732 (user added to Administrators group). + This activity is significant as it indicates potential unauthorized privilege escalation, + which is critical for SOC monitoring. If confirmed malicious, this could allow attackers + to gain administrative access, leading to unauthorized data access, system modifications, + and disruption of services. Immediate investigation is required to mitigate risks + and prevent further unauthorized actions. 
data_source: - Windows Event Log Security 4732 - Windows Event Log Security 4720 -search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) -| transaction user dest connected=false maxspan=180m -| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest -| where distinct_eventcodes>1 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `detect_new_local_admin_account_filter`' -how_to_implement: You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 -known_false_positives: The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives +search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) + | transaction user dest connected=false maxspan=180m | stats count min(_time) as + firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user + user dest | where distinct_eventcodes>1 | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`' +how_to_implement: You must be ingesting Windows event logs using the Splunk Windows + TA and collecting event code 4720 and 4732 +known_false_positives: The activity may be legitimate. For this reason, it's best + to verify the account with an administrator and ask whether there was a valid service + request for the account creation. If your local administrator group name is not + "Administrators", this search may generate an excessive number of false positives references: [] drilldown_searches: - name: View the detection results for - "$user$" and "$dest$" 
@@ -25,9 +34,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A $user$ on $dest$ was added recently. Identify if this was legitimate + behavior or not. + risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - DHS Report TA18-074A 
@@ -35,43 +60,26 @@ tags: - CISA AA22-257A - CISA AA24-241A asset_type: Windows - confidence: 70 - impact: 60 - message: A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not. mitre_attack_id: - T1136.001 - T1136 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Group_Name - - member_id - - dest - - user - risk_score: 42 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml index ebb62a7e2c..4e6934e5fc 100644 --- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml 
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml 
@@ -1,17 +1,51 @@ name: Detect Outlook exe writing a zip file id: a51bfe1a-94f0-4822-b1e4-16ae10145893 -version: 8 -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network. +description: The following analytic identifies the execution of `outlook.exe` writing + a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically + monitoring process and filesystem activities. This behavior is significant as it + may indicate the use of Outlook to deliver malicious payloads or exfiltrate data + via compressed files. If confirmed malicious, this activity could lead to unauthorized + data access, data exfiltration, or the delivery of malware, potentially compromising + the security of the affected system and network. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`' -how_to_implement: You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. -known_false_positives: It is not uncommon for outlook to write legitimate zip files to the disk. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe + by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest + Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename + process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id + type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) + as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem + where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* + OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields + malicious_id outlook_id dest file_path file_name file_hash count file_id] | table + firstTime lastTime user malicious_id outlook_id process_name parent_process_name + file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`' +how_to_implement: You must be ingesting data that records filesystem and process activity + from your hosts to populate the Endpoint data model. This is typically populated + via endpoint detection-and-response product, such as Carbon Black, or endpoint data + sources, such as Sysmon. +known_false_positives: It is not uncommon for outlook to write legitimate zip files + to the disk. references: [] +rba: + message: ZIP file written by outlook.exe on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments 
@@ -20,32 +54,11 @@ tags: - PXA Stealer - Meduza Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1566 - T1566.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.parent_process_id - - Processes.process_id - - Processes.dest - - Processes.parent_process_name - - Processes.user - risk_score: 25 security_domain: network diff --git a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml index 1271d4052c..a3a18311fa 100644 --- a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml +++ b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml 
@@ -1,16 +1,37 @@ name: Detect Password Spray Attack Behavior From Source id: b6391b15-e913-4c2c-8949-9eecc06efacc -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies one source failing to authenticate with 10 or more unique users. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises and works well against any number of data sources ingested into the CIM datamodel. Environments can be very different depending on the organization. Test and customize this detections thresholds if needed. +description: The following analytic identifies one source failing to authenticate + with 10 or more unique users. This behavior could represent an adversary performing + a Password Spraying attack to obtain initial access or elevate privileges. This + logic can be used for real time security monitoring as well as threat hunting exercises + and works well against any number of data sources ingested into the CIM datamodel. + Environments can be very different depending on the organization. Test and customize + this detections thresholds if needed. 
data_source: - Authentication Events (various) -search: '| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) as src_category values(Authentication.app) as app count from datamodel=Authentication.Authentication where * by Authentication.action,Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")` | eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), src=upper(src), success=if(action="success",count,0),success_user=if(action="success",user,null),failure=if(action="failure",count,0), failed_user=if(action="failure",user,null) | `detect_password_spray_attack_behavior_from_source_filter` | stats count min(firstTime) as firstTime max(lastTime) as lastTime values(app) as app values(src_category) as src_category values(success_user) as user values(failed_user) as failed_user dc(success_user) as success_dc dc(failed_user) as failed_dc dc(user) as user_dc ,sum(failure) as failure,sum(success) as success by src | fields - _time | where user_dc >= 10 AND .25 > (success/failure) AND failed_dc > success_dc | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: This detection requires ingesting authentication data to the appropriate accelerated datamodel. Recommend adjusting the search time window for this correlation to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs -known_false_positives: Domain controllers, authentication chokepoints, and vulnerability scanners. 
+search: '| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) + as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) + as src_category values(Authentication.app) as app count from datamodel=Authentication.Authentication + where * by Authentication.action,Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")` + | eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), + src=upper(src), success=if(action="success",count,0),success_user=if(action="success",user,null),failure=if(action="failure",count,0), + failed_user=if(action="failure",user,null) | `detect_password_spray_attack_behavior_from_source_filter` + | stats count min(firstTime) as firstTime max(lastTime) as lastTime values(app) + as app values(src_category) as src_category values(success_user) as user values(failed_user) + as failed_user dc(success_user) as success_dc dc(failed_user) as failed_dc dc(user) + as user_dc ,sum(failure) as failure,sum(success) as success by src | fields - _time + | where user_dc >= 10 AND .25 > (success/failure) AND failed_dc > success_dc | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' +how_to_implement: This detection requires ingesting authentication data to the appropriate + accelerated datamodel. Recommend adjusting the search time window for this correlation + to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs +known_false_positives: Domain controllers, authentication chokepoints, and vulnerability + scanners. references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ 
@@ -21,50 +42,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The source [$src$] attempted to access $user_dc$ distinct users a total + of $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful + logins detected. + risk_objects: + - field: src + type: system + score: 60 + - field: user + type: user + score: 60 + threat_objects: [] tags: analytic_story: - Compromised User Account asset_type: Account - confidence: 75 - impact: 80 - message: The source [$src$] attempted to access $user_dc$ distinct users a total of $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected. 
mitre_attack_id: - T1110.003 - T1110 - observable: - - name: src - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: failed_user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.user_category - - Authentication.src_category - - Authentication.app - - Authentication.action - - Authentication.src - - Authentication.user - risk_score: 60 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml index a191014ffd..bd82127859 100644 --- a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml +++ b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml 
@@ -1,16 +1,37 @@ name: Detect Password Spray Attack Behavior On User id: a7539705-7183-4a12-9b6a-b6eef645a6d7 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies any user failing to authenticate from 10 or more unique sources. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises. Environments can be very different depending on the organization. Test and customize this detections thresholds as needed +description: The following analytic identifies any user failing to authenticate from + 10 or more unique sources. This behavior could represent an adversary performing + a Password Spraying attack to obtain initial access or elevate privileges. This + logic can be used for real time security monitoring as well as threat hunting exercises. + Environments can be very different depending on the organization. 
Test and customize + this detections thresholds as needed data_source: - Authentication Events (various) -search: '| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) as src_category values(Authentication.app) as app count from datamodel=Authentication.Authentication where * by Authentication.action,Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")` | eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), success=if(action="success",count,0), src=upper(src), success_src=if(action="success",src,null), failure=if(action="failure",count,0), failed_src=if(action="failure",src,null) | `detect_password_spray_attack_behavior_on_user_filter` | stats count min(firstTime) as firstTime max(lastTime) as lastTime values(app) as app values(src_category) as src_category values(success_src) as src values(failed_src) as failed_src dc(success_src) as success_dc dc(failed_src) as failed_dc dc(src) as src_dc, sum(failure) as failure, sum(success) as success by user | fields - _time | where src_dc >= 10 AND .25 > (success/failure) AND failed_dc > success_dc | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: This detection requires ingesting authentication data to the appropriate accelerated datamodel. Recommend adjusting the search time window for this correlation to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs -known_false_positives: Domain controllers, authentication chokepoints, and vulnerability scanners. 
+search: '| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) + as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) + as src_category values(Authentication.app) as app count from datamodel=Authentication.Authentication + where * by Authentication.action,Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")` + | eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), + success=if(action="success",count,0), src=upper(src), success_src=if(action="success",src,null), + failure=if(action="failure",count,0), failed_src=if(action="failure",src,null) | + `detect_password_spray_attack_behavior_on_user_filter` | stats count min(firstTime) + as firstTime max(lastTime) as lastTime values(app) as app values(src_category) as + src_category values(success_src) as src values(failed_src) as failed_src dc(success_src) + as success_dc dc(failed_src) as failed_dc dc(src) as src_dc, sum(failure) as failure, + sum(success) as success by user | fields - _time | where src_dc >= 10 AND .25 > + (success/failure) AND failed_dc > success_dc | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' +how_to_implement: This detection requires ingesting authentication data to the appropriate + accelerated datamodel. Recommend adjusting the search time window for this correlation + to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs +known_false_positives: Domain controllers, authentication chokepoints, and vulnerability + scanners. references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ 
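Review bot: `how_to_implement` in detect_password_spray_attack_behavior_on_user.yml still tells operators to size the time window by "the number of unique users (user_dc)", but this search groups `by user` and thresholds on `src_dc`, so the guidance was carried over from the From Source detection and points at a field this search does not emit. Suggest `to match the number of unique sources (src_dc) in hours. i.e. 10 sources over 10hrs`. Two smaller points in the same hunk: the reflowed `description` ends `Test and customize this detections thresholds as needed` with no terminal period (the sibling file has one), and `this detections thresholds` should read `this detection's thresholds` in both files.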
@@ -21,46 +42,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A total of $src_dc$ distinct sources attempted to access the account [$user$], + $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins + detected. + risk_objects: + - field: src + type: system + score: 60 + - field: user + type: user + score: 60 + threat_objects: [] tags: analytic_story: - Compromised User Account + - Crypto Stealer asset_type: Account - confidence: 75 - impact: 80 - message: A total of $src_dc$ distinct sources attempted to access the account [$user$], $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected. 
mitre_attack_id: - T1110.003 - T1110 - observable: - - name: src - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Authentication.user_category - - Authentication.src_category - - Authentication.app - - Authentication.action - - Authentication.src - - Authentication.user - risk_score: 60 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml index 188dd6f56f..0151aeb432 100644 --- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml +++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml 
@@ -1,17 +1,38 @@ name: Detect Path Interception By Creation Of program exe id: cbef820c-e1ff-407f-887f-0a9240a2d477 -version: 8 -date: '2024-09-30' +version: 10 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint. +description: The following analytic identifies the creation of a program executable + in an unquoted service path, a common technique for privilege escalation. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where the parent process is 'services.exe'. This activity is significant + because unquoted service paths can be exploited by attackers to execute arbitrary + code with elevated privileges. If confirmed malicious, this could allow an attacker + to gain higher-level access, potentially leading to full system compromise and persistent + control over the affected endpoint. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process "^.*?\\\\(?[^\\\\]*\.(?:exe|bat|com|ps1))" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe + by Processes.user Processes.process_name Processes.parent_process_name Processes.process + Processes.dest | `drop_dm_object_name(Processes)` | rex field=process "^.*?\\\\(?[^\\\\]*\.(?:exe|bat|com|ps1))" + | eval process_name = lower(process_name) | eval service_process = lower(service_process) + | where process_name != service_process | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae 
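Review bot: the `rex` in the reflowed `search` of detect_path_interception_by_creation_of_program_exe.yml shows an unnamed group, `(?[^\\\\]*\.(?:exe|bat|com|ps1))`, while `service_process` is consumed two commands later (`eval service_process = lower(service_process)` and `where process_name != service_process`). If the `<service_process>` name was not simply lost in rendering, `service_process` is never populated, the `where` compares against null and the detection returns no rows; the capture should read `(?<service_process>[^\\\\]*\.(?:exe|bat|com|ps1))`. Separately, `version` goes from 8 to 10 while most detections in this change bump by one; confirm the double increment is intended.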
@@ -21,58 +42,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to perform privilege escalation by + using unquoted service paths. 
+ risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths. mitre_attack_id: - T1574.009 - T1574 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml index ac2d1bf5e2..08ebbb0515 100644 --- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml 
+++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml 
@@ -1,18 +1,40 @@ name: Detect Prohibited Applications Spawning cmd exe id: dcfd6b40-42f9-469d-a433-2e53f7486664 -version: 9 -date: '2024-10-17' +version: 10 +date: '2024-11-13' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. +description: The following analytic detects executions of cmd.exe spawned by processes + that are commonly abused by attackers and do not typically launch cmd.exe. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, + process name, parent process, and command-line executions. This activity is significant + because it may indicate an attempt to execute unauthorized commands or scripts, + often a precursor to further malicious actions. If confirmed malicious, this behavior + could lead to unauthorized code execution, privilege escalation, or persistence + within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] + | `detect_prohibited_applications_spawning_cmd_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: There are circumstances where an application may legitimately + execute and interact with the Windows command-line interface. Investigate and modify + the lookup file, as appropriate. references: [] tags: analytic_story: 
@@ -21,51 +43,18 @@ tags: - Suspicious Zoom Child Processes - NOBELIUM Group asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications. mitre_attack_id: - T1059 - T1059.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml index 4d74498cd7..24de8df12b 100644 --- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml +++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml 
@@ -1,18 +1,41 @@ name: Detect PsExec With accepteula Flag id: 27c3a83d-cada-47c6-9042-67baf19d2574 -version: 7 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies the execution of `PsExec.exe` with the `accepteula` flag in the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because PsExec is commonly used by threat actors to execute code on remote systems, and the `accepteula` flag indicates first-time usage, which could signify initial compromise. If confirmed malicious, this activity could allow attackers to gain remote code execution capabilities, potentially leading to further system compromise and lateral movement within the network. +description: The following analytic identifies the execution of `PsExec.exe` with + the `accepteula` flag in the command line. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant because PsExec is commonly used by threat actors to + execute code on remote systems, and the `accepteula` flag indicates first-time usage, + which could signify initial compromise. If confirmed malicious, this activity could + allow attackers to gain remote code execution capabilities, potentially leading + to further system compromise and lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. 
However, it is not likely that you'd see multiple occurrences of this event on a machine +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators can leverage PsExec for accessing remote systems + and might pass `accepteula` as an argument if they are running this tool for the + first time. However, it is not likely that you'd see multiple occurrences of this + event on a machine references: - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: 
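Review bot: `version` in detect_psexec_with_accepteula_flag.yml jumps from 7 to 9 while the sibling detections in this change go up by one; if the skipped number is intentional, a sentence in the PR description would save the next reader the question. Minor: `known_false_positives` now ends `...occurrences of this event on a machine` without a terminal period.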
@@ -21,9 +44,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ running the utility for possibly the first time. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - SamSam Ransomware 
@@ -39,51 +82,18 @@ tags: - DarkGate Malware - Rhysida Ransomware asset_type: Endpoint - confidence: 70 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time. mitre_attack_id: - T1021 - T1021.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml index 8c752373bf..b97ff44ccd 100644 --- a/detections/endpoint/detect_rare_executables.yml +++ b/detections/endpoint/detect_rare_executables.yml 
@@ -1,18 +1,38 @@ name: Detect Rare Executables id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact. +description: The following analytic detects the execution of rare processes that appear + only once across the network within a specified timeframe. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process execution logs. + This activity is significant for a SOC as it helps identify potentially malicious + activities or unauthorized software, which could indicate a security breach or ongoing + attack. If confirmed malicious, such rare processes could lead to data theft, privilege + escalation, or complete system compromise, making early detection crucial for minimizing + impact. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legitimate processes may be only rarely executed in your environment. +search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) + as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` + | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_rare_executables_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legitimate processes may be only rarely executed in your + environment. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
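Review bot: the description reflowed in this hunk still says the analytic finds processes that "appear only once across the network", but the search filters on `search dc_dest < 10` and the summary later in the file reports "less than 10 hosts"; the description should state the same threshold (fewer than 10 distinct hosts) so an analyst reading the detection card is not surprised by results from nine machines. The how_to_implement boilerplate also lists process GUID, parent process and full command line as prerequisites, while this tstats only touches `Processes.process_name`, `Processes.dest`, `Processes.user` and `_time`; trimming that text to the fields the search actually needs would avoid over-stating the ingestion requirement.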
@@ -20,38 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A rare process - [$process_name$] has been detected on less than 10 hosts + in your environment. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Unusual Processes - Rhysida Ransomware + - Crypto Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A rare process - [$process_name$] has been detected on less than 10 hosts in your environment. 
mitre_attack_id: - T1204 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index d8fdc96b61..a36e49cace 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml 
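Review bot: the new `rba` block in this hunk leaves `threat_objects: []` even though the search groups by `Processes.process_name` and the rba message interpolates `$process_name$`; the other conversions in this diff (rclone, regasm, regsvcs) map that field to a `process_name` threat object, so for consistency and so the rare binary shows up on the risk notable, add `- field: process_name` / `type: process_name` under threat_objects. Also note that `- Crypto Stealer` is added to analytic_story in the same change; if that mapping was intended as a separate content change it deserves its own mention, since the version only moves from 6 to 7.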
@@ -1,18 +1,41 @@ name: Detect RClone Command-Line Usage id: 32e0baea-b3f1-11eb-a2ce-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended. +description: The following analytic detects the usage of `rclone.exe` with specific + command-line arguments indicative of file transfer activities. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + and process details. This activity is significant as `rclone.exe` is often used + by adversaries for data exfiltration, especially during ransomware attacks. If confirmed + malicious, this behavior could lead to unauthorized data transfer, resulting in + data breaches and potential loss of sensitive information. Immediate isolation of + the affected endpoint and further investigation are recommended. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process + IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", + "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by + Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_rclone_command_line_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as this is restricted to + the Rclone process name. Filter or tune the analytic as needed. references: - https://redcanary.com/blog/rclone-mega-extortion/ - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations 
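Review bot: the search in this hunk is gated only by the `process_rclone` macro (process name), so a renamed binary with RClone's original file name is invisible to it, yet the by clause does not include `Processes.original_file_name`; adding that field to the by clause (it is already part of the Endpoint.Processes model and was previously listed under required_fields) would let the filter macro and analysts key on the PE original name rather than the on-disk name. The known_false_positives text ("restricted to the Rclone process name") should also say that the IN() list contains generic tokens such as `*copy*` and `*ftp*`, so any local rclone copy, not only cloud transfers, will match. The how_to_implement boilerplate asks for the process GUID although the search uses `Processes.process_id` and `Processes.parent_process_id`, not the GUID.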
@@ -24,55 +47,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service + to move files or folders. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - DarkSide Ransomware - Ransomware asset_type: Endpoint - confidence: 70 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders. 
mitre_attack_id: - T1020 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.original_file_name - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml index ba8fd36d47..008e3a9fdf 100644 --- a/detections/endpoint/detect_regasm_spawning_a_process.yml +++ b/detections/endpoint/detect_regasm_spawning_a_process.yml @@ -1,7 +1,7 @@ name: Detect Regasm Spawning a Process id: 72170ec5-f7d2-42f5-aefb-2b8be6aad15f -version: '7' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
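Review bot: for the `detect_regasm_spawning_a_process.yml` header hunk at the end of this line, the version moves from the quoted string `'7'` to the integer `9` while the only content change to the file in this diff is the rba block; the same two-step bump appears in rclone (5 to 7), regasm no-command-line (6 to 8) and regsvcs (6 to 8), whereas rare_executables and regasm network connection bump by one. Unquoting the version is a good normalisation, but please confirm the skipped numbers are intentional (an intermediate revision already released) rather than a copy-paste artefact, since contentctl uses the version field for change tracking.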
@@ -55,6 +55,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ spawning a child process, typically not normal + behavior for $parent_process_name$. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvcs Regasm Activity 
@@ -64,49 +80,18 @@ tags: - DarkGate Malware - Snake Keylogger asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ spawning a child process, typically not normal - behavior for $parent_process_name$. mitre_attack_id: - T1218 - T1218.009 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml index b498470a10..9b010fad35 100644 --- a/detections/endpoint/detect_regasm_with_network_connection.yml +++ b/detections/endpoint/detect_regasm_with_network_connection.yml 
@@ -1,16 +1,30 @@ name: Detect Regasm with Network Connection id: 07921114-6db4-4e2e-ae58-3ea8a52ae93f -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment. +description: The following analytic detects the execution of regasm.exe establishing + a network connection to a public IP address, excluding private IP ranges. This detection + leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant + as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass + application control mechanisms. If confirmed malicious, this behavior could indicate + an adversary's attempt to establish a remote Command and Control (C2) channel, potentially + leading to privilege escalation and further malicious actions within the environment. 
data_source: - Sysmon EventID 3 -search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. +search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 + process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime + by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: Although unlikely, limited instances of regasm.exe with a network + connection may cause a false positive. Filter based endpoint usage, command line + arguments, or process lineage. references: - https://attack.mitre.org/techniques/T1218/009/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md 
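Review bot: the how_to_implement text reflowed in this hunk asks for "process name, parent process, and command-line executions", but the data_source is Sysmon EventID 3 and the search keys on `dest_ip`, `src_ip`, `process_name` and `EventID=3`, so it should ask for Sysmon network-connection telemetry with the process name populated. Separately, the private-range exclusion `dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16` omits loopback (127.0.0.0/8), link-local (169.254.0.0/16) and the IPv6 equivalents (::1, fe80::/10), so a purely local connection by regasm.exe raises the full score of 80; consider extending the exclusion list or documenting that gap in known_false_positives. Typo in the same paragraph: "Filter based endpoint usage" should read "Filter based on endpoint usage".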
@@ -21,53 +35,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ contacting a remote destination was identified + on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land - Handala Wiper asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. 
mitre_attack_id: - T1218 - T1218.009 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - dest_ip - - process_name - - dest - - user - - src_ip - - dest_host - - dest_ip - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index 359cc546b5..39e4bbbd17 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml 
@@ -1,18 +1,40 @@ name: Detect Regasm with no Command Line Arguments id: c3bc1430-04e7-4178-835f-047d8e6e97df -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects instances of regasm.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regasm.exe. The detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line executions. This activity is significant as it may signal an attempt to evade detection or execute malicious code. If confirmed malicious, attackers could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. Investigate network connections, parallel processes, and suspicious module loads for further context. +description: The following analytic detects instances of regasm.exe running without + command line arguments. This behavior typically indicates process injection, where + another process manipulates regasm.exe. The detection leverages Endpoint Detection + and Response (EDR) data, focusing on process names and command-line executions. + This activity is significant as it may signal an attempt to evade detection or execute + malicious code. If confirmed malicious, attackers could achieve code execution, + potentially leading to privilege escalation, persistence, or access to sensitive + information. Investigate network connections, parallel processes, and suspicious + module loads for further context. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_regasm` by _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, limited instances of regasm.exe or may cause + a false positive. Filter based endpoint usage, command line arguments, or process + lineage. references: - https://attack.mitre.org/techniques/T1218/009/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md 
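Review bot: the reflowed search in this hunk pipes into `` `security_content_ctime(firstTime)` `` and `` `security_content_ctime(lastTime)` ``, but the tstats only computes `count` and never defines `firstTime` or `lastTime`, so those macros are no-ops and the result carries no timestamps beyond the hourly `_time` bucket; change the aggregation to `count min(_time) as firstTime max(_time) as lastTime` (as the psexec and rclone searches in this diff do) or drop the two macro calls. Two wording issues in the same hunk: "limited instances of regasm.exe or may cause a false positive" has a stray "or", and "Filter based endpoint usage" should read "Filter based on endpoint usage".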
@@ -23,60 +45,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process $process_name$ was spawned by $parent_process_name$ without + any command-line arguments on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land - Handala Wiper asset_type: Endpoint - confidence: 70 - impact: 70 - message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$. 
mitre_attack_id: - T1218 - T1218.009 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml index cb64e0a18f..621501a8a9 100644 --- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml +++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml @@ -1,7 +1,7 @@ name: Detect Regsvcs Spawning a Process id: bc477b57-5c21-4ab6-9c33-668772e7f114 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
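Review bot: `version: '6'` to `version: 8` in the Regsvcs Spawning header hunk skips 7 and changes the scalar from a quoted string to an integer; if the integer form is what the updated schema requires, say so in the commit message, otherwise bump to 7 so the version history stays contiguous (the same jump appears in the other files touched here). The `- data:` URL moved onto an indented continuation line still parses to the same string, since a YAML plain scalar folds the line break, but a URL kept on one line is easier to grep and cannot be mistaken for a second list item.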
@@ -54,55 +54,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ typically not normal for this process. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ typically not normal for this process. mitre_attack_id: - T1218 - T1218.009 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
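Review bot: the new `rba.message` runs two clauses together: "was identified on endpoint $dest$ by user $user$ typically not normal for this process." Insert a break, e.g. "... by user $user$; this is typically not normal for this process." The score of 64 on both risk objects matches the removed `confidence: 80` and `impact: 80`, so the risk math carries over unchanged.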
diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml index 793df12d63..43d8cd8f6f 100644 --- a/detections/endpoint/detect_regsvcs_with_network_connection.yml +++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml 
@@ -1,16 +1,31 @@ name: Detect Regsvcs with Network Connection id: e3e7a1c0-f2b9-445c-8493-f30a63522d1a -version: 7 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended. +description: The following analytic identifies instances of Regsvcs.exe establishing + a network connection to a public IP address, excluding private IP ranges. This detection + leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. + This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, + can be exploited to bypass application control mechanisms and establish remote Command + and Control (C2) channels. If confirmed malicious, this behavior could allow an + attacker to escalate privileges, persist in the environment, and exfiltrate sensitive + data. Immediate investigation and remediation are recommended. 
data_source: - Sysmon EventID 3 -search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. +search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 + process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime + by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: Although unlikely, limited instances of regsvcs.exe may cause + a false positive. Filter based endpoint usage, command line arguments, or process + lineage. references: - https://attack.mitre.org/techniques/T1218/009/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md 
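Review bot: `how_to_implement` does not match the search: it asks for process name, parent process and command-line logging, but the query runs on `sysmon` EventID=3 network-connection events and needs `dest_ip`, `src_ip`, `process_name`, `dest` and `user`; reword it to require Sysmon network connection logging (EventID 3) with those fields mapped. Second, the description promises connections "to a public IP address, excluding private IP ranges", yet only the three RFC 1918 blocks are excluded; loopback `127.0.0.0/8`, link-local `169.254.0.0/16` and IPv6 local ranges still alert, so consider adding them to the exclusion list. Third, "Filter based endpoint usage" should read "Filter based on endpoint usage".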
@@ -21,51 +36,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ contacting a remote destination was identified + on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. 
mitre_attack_id: - T1218 - T1218.009 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - dest_ip - - process_name - - dest - - user - - src_ip - - dest_host - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index 5fdb62fa14..05dfb21ac7 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml 
@@ -1,18 +1,39 @@ name: Detect Regsvcs with No Command Line Arguments id: 6b74d578-a02e-4e94-a0d1-39440d0bf254 -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects instances of regsvcs.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regsvcs.exe. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, IDs, and command-line executions. This activity is significant as it may signal an attempt to evade detection and execute malicious code. If confirmed malicious, the attacker could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. +description: The following analytic detects instances of regsvcs.exe running without + command line arguments. This behavior typically indicates process injection, where + another process manipulates regsvcs.exe. The detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, IDs, and command-line + executions. This activity is significant as it may signal an attempt to evade detection + and execute malicious code. If confirmed malicious, the attacker could achieve code + execution, potentially leading to privilege escalation, persistence, or access to + sensitive information. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regsvcs\.exe.{0,4}$)"| `detect_regsvcs_with_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | regex process="(?i)(regsvcs\.exe.{0,4}$)"| `detect_regsvcs_with_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, limited instances of regsvcs.exe may cause + a false positive. Filter based endpoint usage, command line arguments, or process + lineage. references: - https://attack.mitre.org/techniques/T1218/009/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md 
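Review bot: same issue as the regasm variant: the tstats computes only `count`, so `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` operate on fields that are never produced; add `min(_time) as firstTime max(_time) as lastTime` to the tstats or remove the macros. Minor: `regex process="(?i)(regsvcs\.exe.{0,4}$)"| ` is missing the space before the pipe, and "Filter based endpoint usage" should be "Filter based on endpoint usage".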
@@ -23,59 +44,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process $process_name$ was spawned by $parent_process_name$ without + any command-line arguments on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 70 - message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$. 
mitre_attack_id: - T1218 - T1218.009 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml index 246b9b08e4..ba41b5d992 100644 --- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml +++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml @@ -1,7 +1,7 @@ name: Detect Regsvr32 Application Control Bypass id: 070e9b80-6252-11eb-ae93-0242ac130002 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -53,6 +53,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ in an attempt + to bypass detection and preventative controls was identified on endpoint $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land 
@@ -62,53 +78,18 @@ tags: - Compromised Windows Host - BlackByte Ransomware asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ in an attempt - to bypass detection and preventative controls was identified on endpoint $dest$ - by user $user$. mitre_attack_id: - T1218 - T1218.010 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index cc60690ec0..25292e24c2 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml 
@@ -1,16 +1,41 @@ name: Detect Remote Access Software Usage File id: 3bf5541a-6a45-4fdc-b01d-59b899fff961 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems. +description: The following analytic detects the writing of files from known remote + access software to disk within the environment. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on file path, file name, and user + information. This activity is significant as adversaries often use remote access + tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. + If confirmed malicious, this could allow attackers to persist in the environment, + potentially leading to data exfiltration, further compromise, or complete control + over affected systems. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device-based exceptions for this set of detections. -known_false_positives: Known or approved applications used by the organization or usage of built-in functions. 
Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +search: '| tstats `security_content_summariesonly` count, min(_time) as firstTime, + max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem + by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup + remote_access_software remote_utility AS file_name OUTPUT isutility, description + as signature, comment_reference as desc, category | search isutility = TRUE | `remote_access_software_usage_exceptions` + | `detect_remote_access_software_usage_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the file path, file name, and the user that created + the file. These logs must be processed using the appropriate Splunk Technology Add-ons + that are specific to the EDR product. The logs must also be mapped to the `Filesystem` + node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) + to normalize the field names and speed up the data modeling process. The "exceptions" + macro leverages both an Assets and Identities lookup, as well as a KVStore collection + called "remote_software_exceptions" that lets you track and maintain device-based + exceptions for this set of detections. +known_false_positives: Known or approved applications used by the organization or + usage of built-in functions. 
Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
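Review bot: the two exception mechanisms named in this file disagree: `how_to_implement` says the `remote_access_software_usage_exceptions` macro reads a KVStore collection called "remote_software_exceptions", while `known_false_positives` tells analysts to add entries to the `remote_access_software_usage_exception.csv` lookup. Pick the one the macro actually uses and name it identically in both fields, otherwise exceptions get filed in the wrong place. The `known_false_positives` value also ends without a period after "remote access content".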
@@ -21,9 +46,33 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +- name: Investigate files on $dest$ + search: '| from datamodel:Endpoint.Filesystem | search dest=$dest$ file_name=$file_name$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A file for known a remote access software [$file_name$] was created on + $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: file_name + type: file_name + - field: signature + type: signature tags: analytic_story: - Insider Threat 
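Review bot: the new drilldown `| from datamodel:Endpoint.Filesystem | search dest=$dest$ file_name=$file_name$` substitutes both tokens unquoted; a file name containing spaces or SPL-significant characters breaks the search or matches the wrong events, so quote them as `dest="$dest$" file_name="$file_name$"`, consistent with the risk drilldown's `IN ("$dest$", "$user$")`. Also the `rba.message` reads "A file for known a remote access software"; reorder to "A file for a known remote access software".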
@@ -31,40 +80,20 @@ tags: - Ransomware - Gozi Malware - CISA AA24-241A + - Remote Monitoring and Management Software asset_type: Endpoint - confidence: 50 - impact: 50 - message: A file for known a remote access software [$file_name$] was created on $dest$ by $user$. mitre_attack_id: - T1219 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.user - - Filesystem.file_name - risk_score: 25 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index 6287e78971..b1a9ef4f84 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml 
@@ -1,18 +1,34 @@ name: Detect Remote Access Software Usage FileInfo id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network. +description: The following analytic detects the execution of processes with file or + code signing attributes from known remote access software within the environment. + It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote + access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity + is significant as adversaries often use these tools to maintain unauthorized remote + access. If confirmed malicious, this could allow attackers to persist in the environment, + potentially leading to data exfiltration or further compromise of the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_fileinfo_filter`' -how_to_implement: This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection named "remote_software_exceptions" that lets you track and maintain device-based exceptions for this set of detections. -known_false_positives: Known or approved applications used by the organization or usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as + lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, + process_name, process | lookup remote_access_software remote_utility_fileinfo AS + Product OUTPUT isutility, description as signature, comment_reference as desc, category + | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_fileinfo_filter`' +how_to_implement: This analytic relies on Sysmon to be properly installed and utilized + in the environment. Ensure that proper logging is setup for Sysmon and data is being + ingested into Splunk. 
The "exceptions" macro leverages both an Assets and Identities + lookup, as well as a KVStore collection named "remote_software_exceptions" that + lets you track and maintain device-based exceptions for this set of detections. +known_false_positives: Known or approved applications used by the organization or + usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
@@ -23,50 +39,53 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +- name: Investigate processes on $dest$ + search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A file attributes for known a remote access software [$process_name$] was + detected on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: process_name + type: process_name + - field: signature + type: signature tags: analytic_story: - Insider Threat - Command And Control - Ransomware - Gozi Malware + - Remote Monitoring and Management Software asset_type: Endpoint - confidence: 50 - impact: 50 - message: A file attributes for known a remote access 
software [$process_name$] was detected on $dest$ mitre_attack_id: - T1219 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - EventCode - - Company - - Product - - user - - parent_process_name - - process_name - - process - risk_score: 25 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index 1f729d3002..e0417a4071 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml 
@@ -1,18 +1,46 @@ name: Detect Remote Access Software Usage Process id: ffd5e001-2e34-48f4-97a2-26dc4bb08178 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security. +description: The following analytic detects the execution of known remote access software + within the environment. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and parent processes mapped to the Endpoint data + model. This activity is significant as adversaries often use remote access tools + like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. + If confirmed malicious, this could allow attackers to control systems remotely, + exfiltrate data, or deploy additional malware, posing a severe threat to the organization's + security. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device- based exceptions for this set of detections. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes + where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user + Processes.process_name Processes.process | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software + remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference + as desc, category | search isutility = True | `remote_access_software_usage_exceptions` + | `detect_remote_access_software_usage_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. The "exceptions" macro leverages both + an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" + that lets you track and maintain device- based exceptions for this set of detections. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. 
Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. Known false + positives can be added to the remote_access_software_usage_exception.csv lookup + to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
@@ -23,9 +51,33 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +- name: Investigate processes on $dest$ + search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A process for a known remote access software $process_name$ was identified + on $dest$. + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: process_name + type: process_name + - field: signature + type: signature tags: analytic_story: - Insider Threat 
@@ -33,43 +85,20 @@ tags: - Ransomware - Gozi Malware - CISA AA24-241A + - Remote Monitoring and Management Software asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process for a known remote access software $process_name$ was identified on $dest$. mitre_attack_id: - T1219 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml index a89b8e1e71..a757b157c9 100644 --- a/detections/endpoint/detect_remote_access_software_usage_registry.yml +++ b/detections/endpoint/detect_remote_access_software_usage_registry.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage Registry id: 33804986-25dd-43cf-bb6b-dc14956c7cbc -version: 1 -date: '2024-11-21' +version: 3 +date: '2025-01-10' author: Steven Dick status: production type: Anomaly 
@@ -39,6 +39,20 @@ drilldown_searches: search: '| from datamodel:Endpoint.Registry| search dest=$dest$ registry_path=$registry_path$' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process for a known remote access software [$signature$] was detected on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: registry_path + type: registry_path + - field: signature + type: signature tags: analytic_story: - Insider Threat @@ -46,42 +60,14 @@ tags: - Ransomware - Gozi Malware - CISA AA24-241A + - Remote Monitoring and Management Software asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process for a known remote access software [$signature$] was detected on $dest$ mitre_attack_id: - T1219 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: registry_path - type: Other - role: - - Attacker - - name: signature - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_value_name - - Registry.registry_value_data - - Registry.registry_key_name - risk_score: 25 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests: diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml index 8373d98313..e2a994e020 100644 --- a/detections/endpoint/detect_renamed_7_zip.yml +++ b/detections/endpoint/detect_renamed_7_zip.yml 
@@ -1,69 +1,58 @@ name: Detect Renamed 7-Zip id: 4057291a-b8cf-11eb-95fe-acde48001122 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities. +description: The following analytic detects the usage of a renamed 7-Zip executable + using Sysmon data. It leverages the OriginalFileName field to identify instances + where the 7-Zip process has been renamed. This activity is significant as attackers + often rename legitimate tools to evade detection while staging or exfiltrating data. + If confirmed malicious, this behavior could indicate data exfiltration attempts + or other unauthorized data manipulation, potentially leading to significant data + breaches or loss of sensitive information. Analysts should validate the legitimacy + of the 7-Zip executable and investigate parallel processes for further suspicious + activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe + AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives, however this analytic will need to + be modified for each environment if Sysmon is not used. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md tags: analytic_story: - Collection and Staging asset_type: Endpoint - confidence: 90 - impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. 
mitre_attack_id: - T1560.001 - T1560 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml index b57326a6f1..3b2380accc 100644 --- a/detections/endpoint/detect_renamed_psexec.yml +++ b/detections/endpoint/detect_renamed_psexec.yml 
@@ -1,75 +1,64 @@ name: Detect Renamed PSExec id: 683e6196-b8e8-11eb-9a79-acde48001122 -version: 8 -date: '2024-10-17' +version: 10 +date: '2025-01-27' author: Michael Haag, Splunk, Alex Oberkircher, Github Community status: production type: Hunting -description: The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network. +description: The following analytic identifies instances where `PsExec.exe` has been + renamed and executed on an endpoint. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and original file names. This activity + is significant because renaming `PsExec.exe` is a common tactic to evade detection. + If confirmed malicious, this could allow an attacker to execute commands remotely, + potentially leading to unauthorized access, lateral movement, or further compromise + of the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe + AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_renamed_psexec_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives should be present. It is possible some + third party applications may use older versions of PsExec, filter as needed. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/ tags: analytic_story: - - SamSam Ransomware + - BlackByte Ransomware - DHS Report TA18-074A - - HAFNIUM Group - DarkSide Ransomware - - Active Directory Lateral Movement + - SamSam Ransomware - CISA AA22-320A + - HAFNIUM Group - Sandworm Tools - - BlackByte Ransomware + - Active Directory Lateral Movement + - Nexus APT Threat Activity - DarkGate Malware + - Earth Estries - Rhysida Ransomware asset_type: Endpoint - confidence: 90 - impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1569 - T1569.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index 7e35894d6e..04c0a7e651 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml 
@@ -1,18 +1,39 @@ name: Detect Renamed RClone id: 6dca1124-b3ec-11eb-9328-acde48001122 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems. +description: The following analytic detects the execution of a renamed `rclone.exe` + process, which is commonly used for data exfiltration to remote destinations. This + detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on + process names and original file names that do not match. This activity is significant + because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed + malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially + leading to significant data loss and further compromise of the affected systems. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe + AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as this analytic identifies + renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business + use case. references: - https://redcanary.com/blog/rclone-mega-extortion/ - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations 
@@ -22,50 +43,17 @@ tags: - DarkSide Ransomware - Ransomware asset_type: Endpoint - confidence: 90 - impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1020 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml index 2fa0b592b9..43af74579c 100644 --- a/detections/endpoint/detect_renamed_winrar.yml +++ b/detections/endpoint/detect_renamed_winrar.yml 
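Review bot: this hunk strips `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` without adding the `rba:` block that the TTP detections later in this patch receive. That is correct only if this analytic is `type: Hunting` (as Detect Renamed WinRAR is); if it is a TTP, the removal silently stops risk generation for it. Confirm the type before merging.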
@@ -1,66 +1,55 @@ name: Detect Renamed WinRAR id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122 -version: 6 -date: '2024-10-17' +version: 8 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise. +description: The following analytic identifies instances where `WinRAR.exe` has been + renamed and executed. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and original file names within the Endpoint data + model. This activity is significant because renaming executables is a common tactic + used by attackers to evade detection. If confirmed malicious, this could indicate + an attempt to bypass security controls, potentially leading to unauthorized data + extraction or further system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Unknown. It is possible third party applications use renamed instances of WinRAR. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe + (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.original_file_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_renamed_winrar_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Unknown. It is possible third party applications use renamed + instances of WinRAR. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md tags: analytic_story: - Collection and Staging + - Earth Estries + - Nexus APT Threat Activity - CISA AA22-277A asset_type: Endpoint - confidence: 90 - impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. 
mitre_attack_id: - T1560.001 - T1560 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml index b933a54548..0754140915 100644 --- a/detections/endpoint/detect_rtlo_in_file_name.yml +++ b/detections/endpoint/detect_rtlo_in_file_name.yml 
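Review bot: `(Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe)` is a tautology: no value equals both names, so one of the two inequalities is always true and the clause filters nothing. The search therefore returns every execution with `original_file_name=WinRAR.exe`, renamed or not, and `known_false_positives` badly understates the noise. Use `AND` (or `NOT Processes.process_name IN (rar.exe, winrar.exe)`), and add an unrenamed `winrar.exe` execution to the test data so the regression is caught. The 4688/`original_file_name` caveat raised on Detect Renamed Rclone applies here as well.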
@@ -1,16 +1,34 @@ name: Detect RTLO In File Name id: 468b7e11-d362-43b8-b6ec-7a2d3b246678 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise. +description: The following analytic identifies the use of the right-to-left override + (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, + specifically focusing on file creation events and file names containing the RTLO + character (U+202E). This activity is significant because adversaries use RTLO to + disguise malicious files as benign by reversing the text that follows the character. + If confirmed malicious, this technique can deceive users and security tools, leading + to the execution of harmful files and potential system compromise. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = "\\x{202E}" | rex field=file_name "(?.+)(?\\x{202E})(?.+)" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Implementation in regions that use right to left in native language. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem + where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id + Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex + file_name = "\\x{202E}" | rex field=file_name "(?.+)(?\\x{202E})(?.+)" + | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | + fields - RTLO* | `detect_rtlo_in_file_name_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that includes the full command line of the process being launched on + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Implementation in regions that use right to left in native + language. references: - https://attack.mitre.org/techniques/T1036/002/ - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ 
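Review bot: `how_to_implement` describes the wrong data path for this analytic: it tells the reader to ingest process command lines into the `Processes` node of the `Endpoint` datamodel, while the search reads `Endpoint.Filesystem` (`Filesystem.file_name`, `Filesystem.file_path`, `file_create_time`) fed by Sysmon EventID 11. Rewrite it to require file-creation events mapped to the `Filesystem` node; the CIM 4.20 requirement can stay. Also confirm the `rex` named groups survived the reflow: as rendered, `(?.+)(?\\x{202E})(?.+)` shows no group names, yet the following `eval` depends on `RTLO_file_1` and `RTLO_file_2`.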
@@ -21,48 +39,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Spearphishing Attachments asset_type: Endpoint - confidence: 80 - impact: 50 - message: Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1036.002 - T1036 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.user - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml index e2a59626eb..f9af08e747 100644 --- a/detections/endpoint/detect_rtlo_in_process.yml +++ b/detections/endpoint/detect_rtlo_in_process.yml 
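Review bot: `threat_objects` binds `file_name`, but by the time the search emits it, `file_name` has been rewritten to `RTLO_file_1.RTLO_file_2`, i.e. with the U+202E character removed; the true on-disk name lives in `file_name_with_RTLO`. A threat object keyed on the sanitized string will not match the artifact an analyst finds on the host or in other data sources. Either bind the threat object to `file_name_with_RTLO` or document that `$file_name$` in the message is the display-normalized form.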
@@ -1,18 +1,41 @@ name: Detect RTLO In Process id: 22ac27b4-7189-4a4f-9375-b9017c9620d7 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise. +description: The following analytic identifies the abuse of the right-to-left override + (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line data. + This activity is significant because adversaries use the RTLO character to disguise + malicious files or commands, making them appear benign. If confirmed malicious, + this technique can allow attackers to execute harmful code undetected, potentially + leading to unauthorized access, data exfiltration, or further system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process="\\x{202E}" | rex field=process "(?.+)(?\\x{202E})(?.+)" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Implementation in regions that use right to left in native language. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND + Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex + process="\\x{202E}" | rex field=process "(?.+)(?\\x{202E})(?.+)" + | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | + fields - RTLO* | `detect_rtlo_in_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Implementation in regions that use right to left in native + language. references: - https://attack.mitre.org/techniques/T1036/002/ - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ 
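Review bot: the `Processes.action=allowed` clause makes the search depend on `action` being populated for every listed data source; if the add-on for one of them leaves it null, that source contributes nothing and `how_to_implement` never mentions the requirement. Either drop the clause or call it out. Note also that the `eval` here sanitizes `process` (the command line) and keeps the original in `process_with_RTLO`, so anything downstream that needs the exact indicator must read `process_with_RTLO`, not `process`.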
@@ -23,53 +46,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments asset_type: Endpoint - confidence: 80 - impact: 50 - message: Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1036.002 - T1036 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.process_guid - - Processes.parent_process_id - - Processes.parent_process_name - - Processes.parent_process - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml index 0acc430f26..8e285e9c2f 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml @@ -1,7 +1,7 @@ name: Detect Rundll32 Application Control Bypass - advpack id: 4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,59 +54,40 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll + and ieadvpack.dll by calling the LaunchINFSection function on the command line + was identified on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Rundll32 Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll - and ieadvpack.dll by calling the LaunchINFSection function on the command line - was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1218 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml index b1cb36557e..c61eded5b1 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml @@ -1,7 +1,7 @@ name: Detect Rundll32 Application Control Bypass - setupapi id: 61e7b44a-6088-4f26-b788-9a96ba13b37a -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,59 +54,40 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll + and iesetupapi.dll by calling the LaunchINFSection function on the command line + was identified on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Rundll32 Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll - and iesetupapi.dll by calling the LaunchINFSection function on the command line - was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1218 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml index 9cefe6f03a..58bfea6011 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml @@ -1,7 +1,7 @@ name: Detect Rundll32 Application Control Bypass - syssetup id: 71b9bf37-cde1-45fb-b899-1b0aa6fa1183 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,59 +54,40 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll + by calling the LaunchINFSection function on the command line was identified on + endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Rundll32 Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll - by calling the LaunchINFSection function on the command line was identified on - endpoint $dest$ by user $user$. 
mitre_attack_id: - T1218 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index d1fc946319..310dee62f4 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml 
@@ -1,18 +1,39 @@ name: Detect Rundll32 Inline HTA Execution id: 91c79f14-5b41-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of "rundll32.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment. +description: The following analytic detects the execution of "rundll32.exe" with inline + protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is + identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line + arguments. This activity is significant as it is often associated with fileless + malware or application whitelisting bypass techniques. If confirmed malicious, this + could allow an attacker to execute arbitrary code, bypass security controls, and + maintain persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` + (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) + by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name + Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may exhibit + this behavior, triggering a false positive. references: - https://github.com/redcanaryco/AtomicTestHarnesses - https://redcanary.com/blog/introducing-atomictestharnesses/ 
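Review bot: the rewrapped search still keys on bare substrings (`Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*`), so any rundll32 command line that merely contains "about" or "javascript" somewhere in a path or DLL name will match, which is broader than the inline protocol-handler behavior the description names. Since this hunk already rewrites the search line, consider anchoring on the handler syntax instead (`*javascript:*`, `*vbscript:*`, `*about:*`) and reflecting that in `known_false_positives`, which currently only says "Although unlikely".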
@@ -23,48 +44,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious rundll32.exe inline HTA execution on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Suspicious MSHTA Activity - NOBELIUM Group - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: Suspicious rundll32.exe inline HTA execution on $dest$ mitre_attack_id: - T1218 - T1218.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml index ac7865950b..25d0f48916 100644 --- a/detections/endpoint/detect_sharphound_command_line_arguments.yml +++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml 
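Review bot: in the new rba block of detect_rundll32_inline_hta_execution.yml, `threat_objects: []` leaves the risk event without the process that fired it, even though the search already returns `process` and groups by `Processes.process_name` and `Processes.parent_process_name`; if the contentctl schema this PR targets supports process-type threat objects, populating one (for example `- field: process_name` with the matching type) would make the risk notable far more useful to an analyst than the `dest` system object alone. The score of 56 correctly matches the removed `confidence: 80` / `impact: 70`.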
@@ -1,18 +1,38 @@ name: Detect SharpHound Command-Line Arguments id: a0bdd2f6-c2ff-11eb-b918-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems. +description: The following analytic detects the execution of SharpHound command-line + arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as SharpHound is commonly + used for Active Directory enumeration, which can be a precursor to lateral movement + or privilege escalation. If confirmed malicious, this activity could allow an attacker + to map out the network, identify high-value targets, and plan further attacks, potentially + compromising sensitive information and critical systems. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as the arguments used are + specific to SharpHound. Filter as needed or add more command-line arguments as needed. references: - https://attack.mitre.org/software/S0521/ - https://thedfirreport.com/?s=bloodhound 
@@ -25,18 +45,27 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible SharpHound command-Line arguments identified on $dest$ + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Windows Discovery Techniques - Ransomware - BlackSuit Ransomware asset_type: Endpoint - confidence: 80 - impact: 30 - message: Possible SharpHound command-Line arguments identified on $dest$ mitre_attack_id: - T1087.002 - T1069.001 
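Review bot: `message: Possible SharpHound command-Line arguments identified on $dest$` carries the odd capitalization over from the removed `tags.message`; since the string is being moved into the new rba block anyway, change it to `command-line`. Also, the search groups by `Processes.user` but rba lists only `dest` as a risk object, whereas detect_sharphound_file_modifications.yml in this same PR adds both `dest` and `user`; adding a `user` risk object here (and in the drilldown) would keep the three SharpHound detections consistent.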
@@ -45,29 +74,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml index e900ca34d2..6d6d2d57ee 100644 --- a/detections/endpoint/detect_sharphound_file_modifications.yml +++ b/detections/endpoint/detect_sharphound_file_modifications.yml 
@@ -1,16 +1,32 @@ name: Detect SharpHound File Modifications id: 42b4b438-beed-11eb-ba1d-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation. +description: The following analytic detects the creation of files typically associated + with SharpHound, a reconnaissance tool used for gathering domain and trust data. + It leverages file modification events from the Endpoint.Filesystem data model, focusing + on default file naming patterns like `*_BloodHound.zip` and various JSON files. + This activity is significant as it indicates potential domain enumeration, which + is a precursor to more targeted attacks. If confirmed malicious, an attacker could + gain detailed insights into the domain structure, facilitating lateral movement + and privilege escalation. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", + "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", + "*_ous.json", "*_containers.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name + Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on file modifications that include the name of the process, and file, responsible + for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` + node. 
+known_false_positives: False positives should be limited as the analytic is specific + to a filename with extension .zip. Filter as needed. references: - https://attack.mitre.org/software/S0521/ - https://thedfirreport.com/?s=bloodhound @@ -23,18 +39,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential SharpHound file modifications identified on $dest$ + risk_objects: + - field: dest + type: system + score: 24 + - field: user + type: user + score: 24 + threat_objects: [] tags: analytic_story: - Windows Discovery Techniques - Ransomware - BlackSuit Ransomware asset_type: Endpoint - confidence: 80 - impact: 30 - message: Potential SharpHound file modifications identified on $dest$ mitre_attack_id: - T1087.002 - T1069.001 
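Review bot: `known_false_positives` in detect_sharphound_file_modifications.yml says the analytic "is specific to a filename with extension .zip", but the rewrapped search also matches seven JSON names (`*_computers.json`, `*_users.json`, `*_groups.json`, ...), which are far more likely than `*bloodhound.zip` to collide with legitimate exports; update the wording to cover the JSON patterns. Minor: in the new search line, `Filesystem.user|` is missing the space before the pipe that every other search in this PR uses.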
@@ -43,31 +71,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - file_path - - dest - - file_name - - process_id - - file_create_time - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml index bb91384d98..8f75b08dfe 100644 --- a/detections/endpoint/detect_sharphound_usage.yml +++ b/detections/endpoint/detect_sharphound_usage.yml 
@@ -1,18 +1,39 @@ name: Detect SharpHound Usage id: dd04b29a-beed-11eb-87bc-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment. +description: The following analytic detects the usage of the SharpHound binary by + identifying its original filename, `SharpHound.exe`, and the process name. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process metadata and command-line executions. SharpHound is a tool used for Active + Directory enumeration, often by attackers during the reconnaissance phase. If confirmed + malicious, this activity could allow an attacker to map out the network, identify + high-value targets, and plan further attacks, potentially leading to privilege escalation + and lateral movement within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe + OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user + Processes.parent_process_name Processes.original_file_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as this is specific to a + file attribute not used by anything else. Filter as needed. references: - https://attack.mitre.org/software/S0521/ - https://thedfirreport.com/?s=bloodhound 
@@ -25,17 +46,26 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential SharpHound binary identified on $dest$ + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Windows Discovery Techniques - Ransomware asset_type: Endpoint - confidence: 80 - impact: 30 - message: Potential SharpHound binary identified on $dest$ mitre_attack_id: - T1087.002 - T1069.001 
@@ -44,33 +74,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index c8b65b0af1..93af7b9881 100644 --- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml +++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml 
@@ -1,51 +1,61 @@ name: Detect suspicious processnames using pretrained model in DSDL id: a15f8977-ad7d-4669-92ef-b59b97219bf5 -version: 3 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly status: experimental data_source: - Sysmon EventID 1 -description: The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if a suspicious processname is similar to a benign processname. +description: The following analytic identifies suspicious process names using a pre-trained + Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry + to analyze process names and predict their likelihood of being malicious. The model, + a character-level Recurrent Neural Network (RNN), classifies process names as benign + or suspicious based on a threshold score of 0.5. This detection is significant as + it helps identify malware, such as TrickBot, which often uses randomly generated + filenames to evade detection. If confirmed malicious, this activity could indicate + the presence of malware capable of propagating across the network and executing + harmful actions. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name + Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` + | rename process_name as text | fields text, parent_process_name, process, user, + dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename + predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score + > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if a suspicious processname + is similar to a benign processname. references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-302a - https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html +rba: + message: The process $process$ is running from an unusual place by $user$ on $dest$ + with a processname that appears to be randomly generated. + risk_objects: + - field: dest + type: system + score: 45 + - field: user + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Suspicious Command-Line Executions asset_type: Endpoint - confidence: 90 - context: - - Source:Endpoint - - Stage:Execution - impact: 50 - message: The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated. mitre_attack_id: - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.process_name - - Processes.parent_process - - Processes.user - - Processes.dest - risk_score: 45 security_domain: endpoint 
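Review bot: `-version: 3` / `+version: 5` in detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml skips a version, while every other detection in this PR bumps by exactly one; unless a version 4 was published elsewhere, this should be `version: 4`. While the search is being rewrapped: it computes `min(_time) as firstTime max(_time) as lastTime` and then discards them with `fields text, parent_process_name, process, user, dest`, so either add `firstTime, lastTime` to that `fields` list (and pass them through `security_content_ctime`) or drop the aggregations. The removed `context` tags (`Source:Endpoint`, `Stage:Execution`) have no counterpart in the new rba block; confirm that dropping them is intended.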
diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml index 438f5f32d2..eb1159dade 100644 --- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml +++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml 
@@ -1,18 +1,39 @@ name: Detect Use of cmd exe to Launch Script Interpreters id: b89919ed-fe5f-492c-b139-95dbb162039e -version: 7 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of cscript.exe or wscript.exe processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes within the Endpoint data model. This activity is significant as it may indicate script-based attacks or administrative actions that could be leveraged for malicious purposes. If confirmed malicious, this behavior could allow attackers to execute scripts, potentially leading to code execution, privilege escalation, or persistence within the environment. +description: The following analytic detects the execution of cscript.exe or wscript.exe + processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and parent processes within the Endpoint + data model. This activity is significant as it may indicate script-based attacks + or administrative actions that could be leveraged for malicious purposes. If confirmed + malicious, this behavior could allow attackers to execute scripts, potentially leading + to code execution, privilege escalation, or persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" + (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process + Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This detection may also be triggered by legitimate applications + and numerous service accounts, which often end with a $ sign. To manage this, it's + advised to check the service account's activities and, if they are valid, modify + the filter macro to exclude them. references: - https://attack.mitre.org/techniques/T1059/ - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 
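Review bot: since the `search` line was reflowed anyway, normalize the stray space in `Processes.process_name =wscript.exe` to `Processes.process_name=wscript.exe` to match `Processes.process_name=cscript.exe` in the same clause; the SPL works either way, but the inconsistent spacing invites a copy-paste slip when the filter is extended.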
@@ -22,43 +43,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: cmd.exe launching script interpreters $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Emotet Malware DHS Report TA18-201A - Suspicious Command-Line Executions - Azorult asset_type: Endpoint - confidence: 50 - impact: 70 - message: cmd.exe launching script interpreters $process_name$ on $dest$ mitre_attack_id: - T1059 - T1059.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.process_name - - Processes.parent_process - - Processes.user - - Processes.dest - risk_score: 35 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml index 6dcd57635d..4ed7920815 100644 --- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml +++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml 
@@ -1,16 +1,30 @@ name: Detect WMI Event Subscription Persistence id: 01d9a0c2-cece-11eb-ab46-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment. +description: The following analytic identifies the creation of WMI Event Subscriptions, + which can be used to establish persistence or perform privilege escalation. It detects + EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID + 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant + because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, + making it a powerful persistence mechanism. If confirmed malicious, an attacker + could maintain long-term access, escalate privileges, and execute arbitrary code, + posing a severe threat to the environment. data_source: - Sysmon EventID 20 -search: '`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume. -known_false_positives: It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage. +search: '`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime + by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with that provide WMI Event Subscription from your endpoints. If you are using + Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID + 19, 20 and 21. Tune and filter known good to limit the volume. +known_false_positives: It is possible some applications will create a consumer and + may be required to be filtered. For tuning, add any additional LOLBin's for further + depth of coverage. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 
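Review bot: the description and `how_to_implement` still say the analytic detects EventID 19 (EventFilter), 20 (EventConsumer) and 21 (FilterToConsumerBinding), but the `search` is `\`sysmon\` EventID=20` only and `data_source` lists only Sysmon EventID 20; either widen the search to the three IDs or narrow the description so the documented coverage matches what the search does. While the text is being rewrapped, also fix "ingesting logs with that provide WMI Event Subscription" (drop "with") and "LOLBin's" (plural, no apostrophe).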
@@ -22,38 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible malicious WMI Subscription created on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 90 - impact: 70 - message: Possible malicious WMI Subscription created on $dest$ mitre_attack_id: - T1546.003 - T1546 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Destination - - dest - - User - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml index 82c62dec44..c832f0c8c9 100644 --- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml +++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml 
@@ -1,42 +1,57 @@ name: Detection of tools built by NirSoft id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system. +description: The following analytic identifies the execution of tools built by NirSoft + by detecting specific command-line arguments such as "/stext" and "/scomma". It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names, parent processes, and command-line executions. This activity is significant + because NirSoft tools, while legitimate, can be exploited by attackers for malicious + purposes such as credential theft or system reconnaissance. If confirmed malicious, + this activity could lead to unauthorized access, data exfiltration, or further compromise + of the affected system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose. 
+search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process) + as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* + /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name + Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You + should verfiy that the tool was used for a legitimate purpose. 
references: [] +rba: + message: NirSoft tools detected on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Emotet Malware DHS Report TA18-201A asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1072 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process - - Processes.process_name - - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index b3787fc67f..2a5c9bdad9 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml 
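Review bot: in the `search` for `detection_of_tools_built_by_nirsoft.yml`, `min(_time)` has no `as firstTime` alias, so the field `firstTime` is never produced and `\`security_content_ctime(firstTime)\`` operates on a missing field; since the line was reflowed, add the alias: `count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime`. Adding `Processes.dest` to the `by` clause is the right change for the new `dest` risk object. Minor: `verfiy` in `known_false_positives`, and `references: []` is still empty.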
@@ -5,12 +5,20 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value to "0x00000000". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration. +description: The following analytic detects modifications to the Windows registry + that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value + to "0x00000000". This detection leverages data from the Endpoint.Registry data model, + specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows + Script\\Settings\\AmsiEnable". Disabling AMSI is significant as it is a common technique + used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats + (APTs) to evade detection and impair defenses. If confirmed malicious, this activity + could allow attackers to execute payloads with minimal alerts, leading to potential + system compromise and data exfiltration. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" - Registry.registry_value_data = "0x00000000") BY Registry.registry_path +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows + Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
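Review bot: `| where isnotnull(registry_value_data)` is redundant here because the `WHERE` clause already requires `Registry.registry_value_data = "0x00000000"`, so every row reaching that filter has the field set; it is harmless, but dropping it keeps the pipeline honest about what actually filters events.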
@@ -30,43 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disable AMSI Through Registry on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: Disable AMSI Through Registry on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index 447b4ac098..30927bf7f4 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml 
@@ -5,16 +5,24 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network. +description: The following analytic detects the modification of Windows Defender registry + settings to disable antivirus and antispyware protections. It leverages data from + the Endpoint.Registry data model, specifically monitoring changes to registry paths + associated with Windows Defender policies. This activity is significant because + disabling antivirus protections is a common tactic used by adversaries to evade + detection and maintain persistence on compromised systems. If confirmed malicious, + this action could allow attackers to execute further malicious activities undetected, + leading to potential data breaches, system compromise, and further propagation of + malware within the network. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name - IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) - BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | - `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows + Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") + Registry.registry_value_data = 0x00000001) BY Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
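Review bot: `Registry.registry_value_data = 0x00000001` is unquoted while the sibling `disable_amsi_through_registry.yml` quotes its value as `"0x00000000"`; quote it here too for consistency so the comparison is unambiguously a string match against the normalized registry value. As in the AMSI detection, `| where isnotnull(registry_value_data)` is redundant after a `WHERE` that already constrains that field.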
@@ -28,47 +36,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - IcedID - Windows Registry Abuse - CISA AA24-241A asset_type: Endpoint - confidence: 70 - impact: 70 - message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - 
Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 965c1c081f..ab4480dab1 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml 
@@ -15,13 +15,13 @@ description: The following analytic detects the modification of the Windows regi files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name - = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `disable_defender_blockatfirstseen_feature_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows + Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data + = 0x00000001) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | + `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -35,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Azorult 
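Review bot: the new `rba.message` starts lowercase, `modified/added/deleted registry entry $registry_path$ on $dest$`, whereas `disable_defender_antivirus_registry.yml` in this same change uses `Modified/added/deleted ...`; capitalize it so the two Defender registry detections produce consistently formatted risk messages.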
@@ -45,38 +60,18 @@ tags: - IcedID - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml index a5cb79c8ff..55022f84b4 100644 --- a/detections/endpoint/disable_defender_enhanced_notification.yml +++ b/detections/endpoint/disable_defender_enhanced_notification.yml 
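Review bot: Dropping `observable` from `tags` removes the explicit `role: Victim` on `dest` and `user`, and the replacement `rba.risk_objects` entries carry only `type: system` / `type: user`; if anything downstream keys on the Victim role, that should be checked before merge. The `required_fields` removal is applied to every detection in this patch, so it reads as a deliberate schema migration rather than an oversight, and the wrapped `- data:` URL is a multi-line plain scalar that folds back to the same value.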
@@ -1,16 +1,44 @@ name: Disable Defender Enhanced Notification id: dc65678c-301f-11ec-8e30-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2025-01-21' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts. +description: The following analytic detects the modification of the registry to disable + Windows Defender's Enhanced Notification feature. It leverages data from Endpoint + Detection and Response (EDR) agents, specifically monitoring changes to the registry + path associated with Windows Defender reporting. This activity is significant because + disabling Enhanced Notifications can prevent users and administrators from receiving + critical security alerts, potentially allowing malicious activities to go unnoticed. + If confirmed malicious, this action could enable an attacker to bypass detection + mechanisms, maintain persistence, and escalate their activities without triggering + alerts. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*Microsoft\\Windows Defender\\Reporting*" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path = "*Microsoft\\Windows Defender\\Reporting*" Registry.registry_value_name + = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time + span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] + | fields firstTime lastTime dest user parent_process_name parent_process process_name + process_path process registry_key_name registry_path registry_value_name registry_value_data + process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: user may choose to disable windows defender AV references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ @@ -20,9 +48,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Azorult 
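Review bot: The reflowed `how_to_implement` of disable_defender_enhanced_notification.yml (first hunk, the text ending just before `known_false_positives`) lists only the `Processes` node requirements (process GUID, name, parent, full command line), yet the `search` joins `Endpoint.Registry` on `process_guid` and filters on `registry_path`, `registry_value_name` and `registry_value_data`. Since the text is being rewritten anyway, add the registry requirement the sibling SpyNet files state ("ingesting logs with the registry value name, registry path, and registry value data") and say that the `Registry` node must be populated with `process_guid`, otherwise the `join` yields nothing.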
@@ -30,47 +73,18 @@ tags: - IcedID - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index fdf0824111..3929c04a3b 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml 
@@ -1,17 +1,24 @@ name: Disable Defender MpEngine Registry id: cc391750-3024-11ec-955a-acde48001122 -version: 8 -date: '2024-12-08' +version: 9 +date: '2024-12-16' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended. +description: The following analytic detects the modification of the Windows Defender + MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection + leverages endpoint registry logs, focusing on changes within the path "*\\Policies\\Microsoft\\Windows + Defender\\MpEngine*". This activity is significant as it indicates an attempt to + disable key Windows Defender features, potentially allowing malware to evade detection. + If confirmed malicious, this could lead to undetected malware execution, persistence, + and further system compromise. Immediate investigation and endpoint isolation are + recommended. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" - Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) - BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows + Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data + = 0x00000000) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`' 
@@ -28,46 +35,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - IcedID - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - 
Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index 9cda683204..56f02bc045 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml 
@@ -5,16 +5,23 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender. +description: The following analytic detects the modification of the registry to disable + Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path associated with + Windows Defender SpyNet settings. This activity is significant because disabling + SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially + allowing malicious activities to go undetected. If confirmed malicious, this action + could enable an attacker to evade detection, maintain persistence, and carry out + further attacks without being flagged by Windows Defender. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name - = SpynetReporting Registry.registry_value_data = 0x00000000) BY Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `disable_defender_spynet_reporting_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows + Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data + = 0x00000000) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | + `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
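Review bot: In the reflowed SpyNet `search`, `| where isnotnull(registry_value_data)` after `drop_dm_object_name(Registry)` is a no-op: the tstats `WHERE` already requires `Registry.registry_value_data = 0x00000000`, so every row reaching that stage has the field set. The same redundant clause appears in the BlockAtFirstSeen, Enhanced Notification, MpEngine, Submit Samples and ETW searches in this patch; harmless, but a pass that is already rewriting these lines is the place to drop it.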
@@ -28,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Azorult 
@@ -39,38 +61,18 @@ tags: - IcedID - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index 4274d86902..19a9ae5f37 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml 
@@ -1,20 +1,27 @@ name: Disable Defender Submit Samples Consent Feature id: 73922ff8-3022-11ec-bf5e-acde48001122 version: 8 -date: '2024-12-08' -author: Teoderick Contreras, Splunk,Steven Dick +date: '2024-12-16' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise. +description: The following analytic detects the modification of the Windows registry + to disable the Windows Defender Submit Samples Consent feature. It leverages data + from the Endpoint.Registry data model, specifically monitoring changes to the registry + path associated with Windows Defender SpyNet and the SubmitSamplesConsent value + set to 0x00000000. This activity is significant as it indicates an attempt to bypass + or evade detection by preventing Windows Defender from submitting samples for further + analysis. If confirmed malicious, this could allow an attacker to execute malicious + code without being detected by Windows Defender, leading to potential system compromise. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name - = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY - Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `disable_defender_submit_samples_consent_feature_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows + Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data + = 0x00000000) BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
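Review bot: disable_defender_submit_samples_consent_feature.yml changes `date` ('2024-12-08' to '2024-12-16') and gains an `rba` block in the following hunk, but `version: 8` is left unchanged, whereas the MpEngine file in this patch receives the same date change together with a bump to `version: 9`; bump the version here too (or leave the date alone) so the version tracks the content change. The author fix (`Splunk,Steven` to `Splunk, Steven`) is good.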
@@ -28,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Azorult 
@@ -38,38 +60,18 @@ tags: - IcedID - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index a8e8c58d12..ec08c5b5b1 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml 
@@ -5,11 +5,18 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" with a value set to "0x00000000". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system. +description: The following analytic detects modifications to the registry that disable + the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" + with a value set to "0x00000000". This activity is significant because disabling + ETW can allow attackers to evade detection mechanisms, making it harder for security + tools to monitor malicious activities. If confirmed malicious, this could enable + attackers to execute payloads with minimal alerts, impairing defenses and potentially + leading to further compromise of the system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Registry.registry_value_data = "0x00000000") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) 
@@ -28,43 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disable ETW Through Registry on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: Disable ETW Through Registry on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 0da2407d03..33e17afd7d 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml 
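Review bot: The ETW `rba` block carries only a `dest` risk object, which matches the search's `BY` clause (`Registry.dest ... Registry.process_guid`, no `Registry.user`) and the drilldown that searches `IN ("$dest$")` alone; if user attribution is wanted for these T1562.001 events, add `Registry.user` to the `BY` list as the Defender searches above do and add a matching `user` risk object. `score: 25` reproduces the removed `risk_score: 25.0` (confidence 50 times impact 50), and quoting the value as `"0x00000000"` here while the other searches leave it unquoted is inconsistent but functionally equivalent in SPL.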
@@ -1,18 +1,39 @@ name: Disable Logs Using WevtUtil id: 236e7c8e-c9d9-11eb-a824-acde48001122 -version: 5 -date: '2024-11-26' +version: 6 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of "wevtutil.exe" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident. +description: The following analytic detects the execution of "wevtutil.exe" with parameters + to disable event logs. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. This activity is significant + because disabling event logs is a common tactic used by ransomware to evade detection + and hinder forensic investigations. If confirmed malicious, this action could allow + attackers to operate undetected, making it difficult to trace their activities and + respond effectively to the incident. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "wevtutil.exe" AND (Processes.process = "*sl*" OR Processes.process = "*set-log*" ) Processes.process = "*/e:false*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network operator may disable audit event logs for debugging purposes. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "wevtutil.exe" + AND (Processes.process = "*sl*" OR Processes.process = "*set-log*" ) Processes.process + = "*/e:false*" by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `disable_logs_using_wevtutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network operator may disable audit event logs for debugging + purposes. references: - https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/ drilldown_searches: 
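Review bot: in the rewrapped `search:` of disable_logs_using_wevtutil.yml, the branch `Processes.process = "*sl*"` matches any command line in which the letters `s` and `l` happen to be adjacent, so it adds nothing over `*/e:false*`, which is the term actually selecting the disable action. If the intent is to match the `sl` verb, tighten it to something like `Processes.process = "* sl *"` next to `*set-log*`; otherwise drop the branch rather than carry a wildcard that reads as if it constrains the search. Separately, `known_false_positives` still opens with a lowercase `network operator`, which this reflow could have corrected.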
@@ -21,45 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: WevtUtil.exe used to disable Event Logging on $dest$ + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Ransomware - CISA AA23-347A - Rhysida Ransomware asset_type: Endpoint - confidence: 80 - impact: 30 - message: WevtUtil.exe used to disable Event Logging on $dest$ mitre_attack_id: - T1070 - T1070.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process_guid - risk_score: 24 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 436c268b52..8ec26fee70 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml 
@@ -5,13 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" with a value of "0x00000001". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system. +description: The following analytic detects modifications to the Windows registry + aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" + with a value of "0x00000001". This activity is significant because malware, such + as RATs or trojans, often disable registry tools to prevent the removal of their + entries, aiding in persistence and defense evasion. If confirmed malicious, this + could hinder incident response efforts and allow the attacker to maintain control + over the compromised system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" - Registry.registry_value_data = "0x00000001") BY Registry.user Registry.dest - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" + Registry.registry_value_data = "0x00000001") BY Registry.user Registry.dest Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
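Review bot: the rewrapped `search:` in disable_registry_tool.yml keeps `| where isnotnull(registry_value_data)` after a `WHERE` that already pins `Registry.registry_value_data = "0x00000001"`, so that filter can never remove a row; drop it here (and in the disable_uac_remote_restriction.yml search later in this patch, which pins the same value) so the pipeline does not suggest a check that does no work. The `isnotnull` step only earns its place in the MiniNt search, where the value data is left unconstrained.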
@@ -27,44 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disabled Registry Tools on $dest$ + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - NjRAT asset_type: Endpoint - confidence: 100 - impact: 40 - message: Disabled Registry Tools on $dest$ mitre_attack_id: - T1562.001 - T1562 - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 40 security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index 0fe4c203ca..4474a3fc1d 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml 
@@ -1,17 +1,37 @@ name: Disable Schedule Task id: db596056-3019-11ec-a9ff-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host. +description: The following analytic detects the execution of a command to disable + an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' + parameters. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. Disabling scheduled + tasks is significant as it is a common tactic used by adversaries, including malware + like IcedID, to disable security applications and evade detection. If confirmed + malicious, this activity could allow attackers to persist undetected, disable critical + security defenses, and further compromise the targeted host. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe + Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name + Processes.process Processes.parent_process_name Processes.parent_process Processes.dest + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `disable_schedule_task_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: admin may disable problematic schedule task references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ 
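Review bot: `how_to_implement` in disable_schedule_task.yml says the search needs logs that contain the process GUID, but the `by` clause of the rewrapped search groups only on `Processes.user ... Processes.dest` and never emits `Processes.process_guid` (the wevtutil search in this same patch does), so either add `Processes.process_id Processes.process_guid` to the `by` clause or soften the requirement text. Also, this bump sets `date: '2024-11-13'` while the otherwise identical bump in disable_logs_using_wevtutil.yml uses `'2024-12-10'`; if `date` is meant to record this change, the two should agree.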
@@ -21,40 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: schtask process with commandline $process$ to disable schedule task in + $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - IcedID - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: schtask process with commandline $process$ to disable schedule task in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: 
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index aa6d9f83ab..5b17f161ee 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml 
@@ -5,15 +5,22 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits. +description: The following analytic detects a suspicious registry modification aimed + at disabling security audit logs by adding a specific registry entry. It leverages + data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" + registry path. This activity is significant because it can prevent Windows from + logging any events to the Security Log, effectively blinding security monitoring + efforts. If confirmed malicious, this technique could allow an attacker to operate + undetected, making it difficult to trace their actions and compromising the integrity + of security audits. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY Registry.user - Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `disable_security_logs_using_minint_registry_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") + BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
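Review bot: the rewrapped `search:` in disable_security_logs_using_minint_registry.yml matches only `Registry.registry_path="*\\Control\\MiniNt\\*"`, that is, a value set beneath the key, and `data_source` lists only Sysmon EventID 13. The description says the presence of the `Control\\MiniNt` entry is what stops Security logging, so please confirm whether creating the empty key alone is covered: a key-creation event carries a path ending in `\\MiniNt` with no value data, which the trailing `\\*` and the `isnotnull(registry_value_data)` filter would both exclude. If it is not, a second branch on the bare key path and the matching key-creation event ID would close the gap.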
@@ -27,46 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 80 - message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - 
Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index 7fe93f8122..b5bd58fc01 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml 
@@ -5,15 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat. +description: The following analytic detects modifications to the Windows registry + that disable the display of hidden files. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to registry paths associated with hidden + file settings. This activity is significant because malware, such as worms and trojan + spyware, often use hidden files to evade detection. If confirmed malicious, this + behavior could allow an attacker to conceal malicious files on the system, making + it harder for security tools and analysts to identify and remove the threat. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" - Registry.registry_value_data = "0x00000000" )) BY Registry.user Registry.dest - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000000" )) BY Registry.user Registry.dest Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
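Review bot: in disable_show_hidden_files.yml the first branch of the `WHERE`, `Registry.registry_path= "*\\...\\Explorer\\Advanced\\Hidden"`, carries no `registry_value_data` constraint, unlike the `HideFileExt` (`0x00000001`) and `ShowSuperHidden` (`0x00000000`) branches, so the analytic also fires when someone turns the display of hidden files on. Since the detection is named for disabling that display, constrain the `Hidden` branch to the value that hides files (`0x00000002`; `0x00000001` is the "show" setting) so the Anomaly is not raised by the benign direction of the same change.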
@@ -29,52 +35,50 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disabled 'Show Hidden Files' on $dest$ + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - Azorult asset_type: Endpoint - confidence: 100 - impact: 40 - message: Disabled 'Show Hidden Files' on $dest$ mitre_attack_id: - T1564.001 - T1562.001 - T1564 - T1562 - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 40 security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index ebf5f5ea45..7dc22b9e16 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml 
@@ -5,15 +5,23 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the registry to disable UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\CurrentVersion\\Policies\\System*". This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system. +description: The following analytic detects the modification of the registry to disable + UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". + It leverages data from the Endpoint.Registry data model, specifically monitoring + changes to the registry path "*\\CurrentVersion\\Policies\\System*". This activity + is significant because disabling UAC remote restriction can allow an attacker to + bypass User Account Control (UAC) protections, potentially leading to privilege + escalation. If confirmed malicious, this could enable an attacker to execute unauthorized + actions with elevated privileges, compromising the security of the affected system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" - Registry.registry_value_data="0x00000001" ) BY Registry.user Registry.dest - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" + Registry.registry_value_name="LocalAccountTokenFilterPolicy" Registry.registry_value_data="0x00000001" ) + BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -27,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Suspicious Windows Registry Activities 
@@ -37,38 +60,18 @@ tags: - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 80 - message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index eaddc13bde..240de81130 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml 
@@ -5,16 +5,23 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process. +description: The following analytic detects a suspicious registry modification aimed + at disabling Windows hotkeys for native applications. It leverages data from the + Endpoint.Registry data model, focusing on specific registry paths and values indicative + of this behavior. This activity is significant as it can impair an analyst's ability + to use essential tools like Task Manager and Command Prompt, hindering incident + response efforts. If confirmed malicious, this technique can allow an attacker to + maintain persistence and evade detection, complicating the remediation process. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution - Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name - = "Debugger") BY Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows + NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= + "HotKey Disabled" AND Registry.registry_value_name = "Debugger") BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `disable_windows_app_hotkeys_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
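Review bot: Inconsistent spacing around `=` in the reflowed WHERE clause: the hunk writes `Registry.registry_value_data= "HotKey Disabled"` (space after the operator only) next to `Registry.registry_value_name = "Debugger"` (spaces on both sides) and `Registry.registry_path="..."` (no spaces). SPL accepts all three, so behaviour is unchanged, but since every line of the search is rewritten here anyway, normalise to one form, e.g. `Registry.registry_value_data="HotKey Disabled" AND Registry.registry_value_name="Debugger"`, which also matches the UAC analytic earlier in this patch and makes the yaml-reflowed scalar easier to diff in the future.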
@@ -28,43 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disabled 'Windows App Hotkeys' on $dest$ + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: [] tags: analytic_story: - XMRig - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 40 - message: Disabled 'Windows App Hotkeys' on $dest$ mitre_attack_id: - T1562.001 - T1562 - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guidr - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index e98b317f7b..317a4b3bd1 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml 
@@ -5,23 +5,29 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software. +description: The following analytic identifies modifications in the registry to disable + Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to registry paths associated with Windows + Defender settings. This activity is significant because disabling real-time protection + is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. + If confirmed malicious, this action could allow an attacker to execute code, escalate + privileges, or persist in the environment without being detected by antivirus software. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time - Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows - Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= - "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" - OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time - Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time - Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time - Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" - AND Registry.registry_value_data = "0x00000001") BY Registry.dest - Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `disable_windows_behavior_monitoring_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows + Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= + "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" + OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time + Protection\\DisableScanOnRealtimeEnable" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows + Defender\\Real-Time 
Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= + "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= + "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time + Protection\\DisableScriptScanning" AND Registry.registry_value_data = "0x00000001") + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
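Review bot: Operator precedence in the reflowed WHERE clause: in SPL, AND binds tighter than OR, so `AND Registry.registry_value_data = "0x00000001"` only constrains the final alternative (`*\\Real-Time Protection\\DisableScriptScanning`), while the six preceding `Registry.registry_path=` terms match on any value, including the value written when a setting is switched back on. The hunk reproduces the original logic unchanged, but since it already rewrites every line of the search, group the path alternatives explicitly, e.g. `WHERE ((Registry.registry_path= "...DisableBehaviorMonitoring" OR ... OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning") AND Registry.registry_value_data = "0x00000001")`, or use `Registry.registry_path IN (...)` as the SmartScreen analytic in this patch does. With the value constrained on every term, the trailing `| where isnotnull(registry_value_data)` becomes redundant and can be dropped.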
@@ -35,9 +41,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender real time behavior monitoring disabled on $dest$ + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: [] tags: analytic_story: - Azorult 
@@ -48,34 +66,18 @@ tags: - CISA AA23-347A - Revil Ransomware asset_type: Endpoint - confidence: 100 - impact: 40 - message: Windows Defender real time behavior monitoring disabled on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 3ba30d7517..9f5299efe5 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml 
@@ -5,16 +5,24 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections. +description: The following analytic detects modifications to the Windows registry + that disable SmartScreen protection. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to registry paths associated with SmartScreen + settings. This activity is significant because SmartScreen provides an early warning + system against phishing and malware. Disabling it can indicate malicious intent, + often seen in Remote Access Trojans (RATs) to evade detection while downloading + additional payloads. If confirmed malicious, this action could allow attackers to + bypass security measures, increasing the risk of successful phishing attacks and + malware infections. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "*\\Microsoft\\Windows\\System\\EnableSmartScreen") Registry.registry_value_data IN - ("Off", "0") BY Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`' + ("Off", "0") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `disable_windows_smartscreen_protection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -28,47 +36,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows Smartscreen was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Windows Smartscreen was disabled on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml index 22db024347..1606e574da 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml 
@@ -1,16 +1,29 @@ name: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser id: 114c6bfe-9406-11ec-bcce-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network. +description: The following analytic detects the execution of the `Get-ADUser` PowerShell + cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication + disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify + this specific activity. This behavior is significant because discovering accounts + with Kerberos Pre-Authentication disabled can allow adversaries to perform offline + password cracking. If confirmed malicious, this activity could lead to unauthorized + access to user accounts, potentially compromising sensitive information and escalating + privileges within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` + | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use search for accounts with + Kerberos Pre Authentication disabled for legitimate purposes. references: - https://attack.mitre.org/techniques/T1558/004/ - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html 
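Review bot: Grammar in the reflowed `known_false_positives` line: "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled" should read "may search for accounts with Kerberos Pre-Authentication disabled", matching the hyphenation used in the `description` and `name` fields of the same file. Since this hunk already rewrites the line, fix the wording here rather than in a follow-up; the version bump to 6 and the new date in this hunk already cover the change.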
@@ -21,42 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Active Directory Kerberos Attacks - BlackSuit Ransomware asset_type: Endpoint - confidence: 90 - impact: 60 - message: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$ mitre_attack_id: - T1558 - T1558.004 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml index f6c7e6a1b0..e5ac20f37f 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml 
@@ -1,15 +1,27 @@ name: Disabled Kerberos Pre-Authentication Discovery With PowerView id: b0b34e2c-90de-11ec-baeb-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network. +description: The following analytic detects the execution of the `Get-DomainUser` + commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block + Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating + Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication + disabled is significant because adversaries can leverage this information to attempt + offline password cracking. If confirmed malicious, this activity could lead to unauthorized + access to domain accounts, potentially compromising sensitive information and escalating + privileges within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` + | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators or power users may use PowerView for troubleshooting references: - https://attack.mitre.org/techniques/T1558/004/ 
@@ -21,40 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 90 - impact: 60 - message: Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$ mitre_attack_id: - T1558 - T1558.004 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index c837fee005..e44063b3ce 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml 
@@ -5,13 +5,20 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableCMD" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence. +description: The following analytic detects modifications to the registry that disable + the CMD prompt application. It leverages data from the Endpoint.Registry data model, + specifically looking for changes to the "DisableCMD" registry value. This activity + is significant because disabling CMD can hinder an analyst's ability to investigate + and remediate threats, a tactic often used by malware such as RATs, Trojans, or + Worms. If confirmed malicious, this could prevent security teams from using CMD + for directory and file traversal, complicating incident response and allowing the + attacker to maintain persistence. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -27,48 +34,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows command prompt was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - NjRAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Windows command prompt was disabled on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 6d0ff8b564..f79553ba91 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml 
@@ -5,13 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" with a value of "0x00000001". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts. +description: The following analytic detects registry modifications that disable the + Control Panel on Windows systems. It leverages data from the Endpoint.Registry data + model, specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" + with a value of "0x00000001". This activity is significant as it is commonly used + by malware to prevent users from accessing the Control Panel, thereby hindering + the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, + this could allow attackers to maintain control over the infected machine and prevent + remediation efforts. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -27,47 +35,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows Control Panel was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Windows Control Panel was disabled on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test (XML) attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 43441ec74a..d482293596 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml 
@@ -5,17 +5,24 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise. +description: The following analytic detects the disabling of Windows Defender services + by monitoring registry modifications. It leverages registry event data to identify + changes to specific registry paths associated with Defender services, where the + 'Start' value is set to '0x00000004'. This activity is significant because disabling + Defender services can indicate an attempt by an adversary to evade detection and + maintain persistence on the endpoint. If confirmed malicious, this action could + allow attackers to execute further malicious activities undetected, leading to potential + data breaches or system compromise. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND - (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" + AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data - = 0x00000004) BY Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' + = 0x00000004) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -29,47 +36,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - IcedID - Windows Registry Abuse - RedLine Stealer asset_type: Endpoint - confidence: 70 - impact: 70 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - 
Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml index e2d98f9e94..d2cf8713d8 100644 --- a/detections/endpoint/disabling_firewall_with_netsh.yml +++ b/detections/endpoint/disabling_firewall_with_netsh.yml 
@@ -1,18 +1,39 @@ name: Disabling Firewall with Netsh id: 6860a62c-9203-11eb-9e05-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like "firewall," "off," or "disable." This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise. +description: The following analytic identifies the disabling of the firewall using + the netsh application. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions that include keywords like "firewall," + "off," or "disable." This activity is significant because disabling the firewall + can expose the system to external threats, allowing malware to communicate with + its command and control (C2) server. If confirmed malicious, this action could lead + to unauthorized data exfiltration, further malware downloads, and broader network + compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" (Processes.process= "*off*" OR Processes.process= "*disable*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: admin may disable firewall during testing or fixing network problem. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= + "*firewall*" (Processes.process= "*off*" OR Processes.process= "*disable*") by + Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: admin may disable firewall during testing or fixing network + problem. references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: 
@@ -21,51 +42,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows Firewall was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - BlackByte Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Windows Firewall was disabled on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 2cbf245b4f..e95416caed 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml 
@@ -5,13 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" with a value of "0x00000001". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult. +description: The following analytic detects the modification of the Windows registry + to disable the Folder Options feature, which prevents users from showing hidden + files and file extensions. It leverages data from the Endpoint.Registry data model, + specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" + with a value of "0x00000001". This activity is significant as it is commonly used + by malware to conceal malicious files and deceive users with fake file extensions. + If confirmed malicious, this could allow an attacker to hide their presence and + malicious files, making detection and remediation more difficult. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -27,47 +35,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows Folder Options, to hide files, was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Windows Folder Options, to hide files, was disabled on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index 1ffc33851b..9c50c5cdad 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml 
@@ -5,13 +5,19 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" with a value of "0x00000001". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence. +description: The following analytic detects the modification of the Windows registry + to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" + with a value of "0x00000001". This activity is significant because the Run application + is a useful shortcut for executing known applications and scripts. If confirmed + malicious, this action could hinder system cleaning efforts and make it more difficult + to run essential tools, thereby aiding malware persistence. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
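Review bot: this hunk rewrites the detection file (rewrapped `description` and `search`), but its header `@@ -5,13 +5,19 @@ date: '2024-12-08'` shows lines 1 to 4 as unchanged context, so `version` and `date` are not bumped here, while the UAC, LSA and DLLHost files in this same change do get a version bump; the same applies to the Task Manager and System Restore hunks further down. Either bump `version` for these files too or note why they are exempt. The folded `search` scalar is single-quoted, so the `\\` escapes in the registry path stay literal and the rewrap does not alter the SPL.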
@@ -28,47 +34,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows registry was modified to disable run application in window + start menu on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Windows registry was modified to disable run application in window start menu on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml index 11bb89dd3a..3083113ca0 100644 --- a/detections/endpoint/disabling_remote_user_account_control.yml +++ b/detections/endpoint/disabling_remote_user_account_control.yml 
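Review bot: the `rba.message` copied into the new block keeps the wording `disable run application in window start menu`; since the message is being moved anyway, suggest `The Windows registry was modified to disable the Run application in the Windows Start menu on $dest$ by $user$.` to match the `description` above. The scores of 25 match the removed `confidence: 50` / `impact: 50` / `risk_score: 25`.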
@@ -1,16 +1,33 @@ name: Disabling Remote User Account Control id: bbc644bc-37df-4e1a-9c88-ec9a53e2038c -version: 7 -date: '2024-12-03' +version: 8 +date: '2024-12-16' author: David Dorsey, Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment. +description: The following analytic identifies modifications to the registry key that + controls the enforcement of Windows User Account Control (UAC). It detects changes + to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` + where the value is set to `0x00000000`. This activity is significant because disabling + UAC can allow unauthorized changes to the system without user consent, potentially + leading to privilege escalation. If confirmed malicious, an attacker could gain + elevated privileges, making it easier to execute further attacks or maintain persistence + within the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications. -known_false_positives: This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* + Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
+ The data used for this search is typically generated via logs that report registry + modifications. +known_false_positives: This registry key may be modified via administrators to implement + a change in system policy. This type of change should be a very rare occurrence. references: [] drilldown_searches: - name: View the detection results for - "$user$" and "$dest$" @@ -18,9 +35,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows registry keys that control the enforcement of Windows User + Account Control (UAC) were modified on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics 
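Review bot: in the rewrapped `search`, the `by` clause mixes a comma and spaces (`by Registry.dest, Registry.registry_key_name Registry.user ...`); SPL accepts both separators, but every other detection in this change uses a space-separated `BY` list, so consider dropping the comma while the line is being reformatted. The `rba` scores of 42 match the `confidence: 60` / `impact: 70` / `risk_score: 42` removed in the following hunk, and the `rba.message` is the removed `message` verbatim.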
@@ -30,38 +63,18 @@ tags: - Azorult - AgentTesla asset_type: Endpoint - confidence: 60 - impact: 70 - message: The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$. mitre_attack_id: - T1548.002 - T1548 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_value_name - - Registry.dest - - Registry.registry_key_name - - Registry.user - - Registry.action - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index a3f35e1389..eb0087089d 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml 
@@ -5,18 +5,26 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss. +description: The following analytic detects the modification of registry keys to disable + System Restore on a machine. It leverages data from the Endpoint.Registry data model, + specifically monitoring changes to registry paths associated with System Restore + settings. This activity is significant because disabling System Restore can hinder + recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain + persistence on an infected system. If confirmed malicious, this action could prevent + system recovery, allowing the attacker to sustain their foothold and potentially + cause further damage or data loss. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" - OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" - OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" - OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows + NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows + NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows + NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows + NT\\SystemRestore\\DisableConfig" Registry.registry_value_data = "0x00000001") BY + Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| + where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `disabling_systemrestore_in_registry_filter`' 
how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
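Review bot: the rewrapped `search` now splits the literal registry paths mid-string, e.g. `"*\\SOFTWARE\\Microsoft\\Windows` on one line and `NT\\CurrentVersion\\SystemRestore\\DisableSR"` on the next; YAML folding rejoins them with a single space, which happens to be the correct character between `Windows` and `NT`, but that is fragile under any later re-wrap. Suggest breaking the scalar before each `OR` so every `Registry.registry_path=` comparison stays on one line.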
@@ -30,55 +38,54 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows registry was modified to disable system restore on $dest$ by + $user$. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - NjRAT asset_type: Endpoint - confidence: 70 - impact: 70 - message: The Windows registry was modified to disable system restore on $dest$ by $user$. 
mitre_attack_id: - T1490 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index d84538fea9..8abca4e5ca 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml 
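Review bot: the four test datasets moved onto continuation lines all point at `attack_techniques/T1562.001/win_app_defender_disabling/`, while this detection maps to `T1490` and matches the `SystemRestore\\DisableSR` / `DisableConfig` paths; the hunk also lists Security, System, Sysmon and XML logs while `data_source` above declares only `Sysmon EventID 13`. Worth confirming that dataset actually exercises the SystemRestore paths and either trimming the unused sources or updating `data_source` to match.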
@@ -5,13 +5,20 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" with a value of "0x00000001". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system. +description: The following analytic identifies modifications to the Windows registry + that disable Task Manager. It leverages data from the Endpoint.Registry data model, + specifically looking for changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" + with a value of "0x00000001". This activity is significant as it is commonly associated + with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent + users from terminating malicious processes. If confirmed malicious, this could allow + attackers to maintain persistence and control over the infected system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -28,46 +35,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows Task Manager was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - NjRAT asset_type: Endpoint - confidence: 60 - impact: 70 - message: The Windows Task Manager was disabled on $dest$ by $user$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml index 2743ee1d13..20ea2dd34b 100644 --- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml +++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml 
@@ -1,16 +1,41 @@ name: Disabling Windows Local Security Authority Defences via Registry id: 45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Dean Luxton status: production type: TTP data_source: - Sysmon EventID 13 AND Sysmon EventID 1 -description: The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access. -search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*", "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`' -how_to_implement: The detection is based on data that originates from 
Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Potential to be triggered by an administrator disabling protections for troubleshooting purposes. +description: The following analytic identifies the deletion of registry keys that + disable Local Security Authority (LSA) protection and Microsoft Defender Device + Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on registry actions and paths associated with LSA and Device Guard settings. This + activity is significant because disabling these defenses can leave a system vulnerable + to various attacks, including credential theft and unauthorized code execution. + If confirmed malicious, this action could allow attackers to bypass critical security + mechanisms, leading to potential system compromise and persistent access. 
+search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry + where Registry.registry_path IN ("*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags", + "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*", "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL") + Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path + Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` + | join type=outer process_guid [| tstats `security_content_summariesonly` count + FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process + Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid + | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name + parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Potential to be triggered by an administrator disabling protections + for troubleshooting purposes. 
references: - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage 
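Review bot: the reflowed `how_to_implement` still describes only the `Processes` node of the `Endpoint` data model, but the `search` reads `datamodel=Endpoint.Registry` first and only joins `Endpoint.Processes` on `process_guid`; since the text is being rewritten anyway, add that registry events carrying `action` and `process_guid` must be mapped to the `Registry` node as well (the `data_source` already lists Sysmon EventID 13 alongside EventID 1). Also `Registry.user|` before the `drop_dm_object_name(Registry)` macro is missing the space that the rest of the pipeline uses; harmless, but easy to fix in the same hunk.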
@@ -20,43 +45,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to disable Windows LSA defences was detected on $dest$. The + reg key $registry_path$ was deleted by $user$. + risk_objects: + - field: user + type: user + score: 60 + - field: dest + type: system + score: 60 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 60 - message: An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$. 
mitre_attack_id: - T1556 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.action - - Registry.registry_path - - Registry.dest - - Registry.user - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml index 6b10290013..78d801f784 100644 --- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml 
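Review bot: the new `rba.message` in this hunk still interpolates `$registry_path$`, but the same hunk removes the `required_fields` list that documented `Registry.registry_path` (plus `Registry.action`, `Registry.dest`, `Registry.user`), so nothing in the file now records that the search must emit `registry_path`; confirm the search keeps it in its `by` clause, otherwise the message renders with an empty key. `threat_objects: []` also deserves a second look given the message is built around the deleted key. The scores are consistent: the removed `confidence: 100` and `impact: 60` give the 60 retained for both `user` and `dest`.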
@@ -1,64 +1,76 @@ name: DLLHost with no Command Line Arguments with Network id: f1c07594-a141-11eb-8407-acde48001122 -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-13' author: Steven Dick, Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network activity data. It is significant because DLLHost.exe typically runs with specific arguments, and its absence can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to execute code, move laterally, or exfiltrate data, posing a severe threat to the network's security. +description: The following analytic detects instances of DLLHost.exe running without + command line arguments while establishing a network connection. This behavior is + identified using Endpoint Detection and Response (EDR) telemetry, focusing on process + execution and network activity data. It is significant because DLLHost.exe typically + runs with specific arguments, and its absence can indicate malicious activity, such + as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers + to execute code, move laterally, or exfiltrate data, posing a severe threat to the + network's security. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe + Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" + | rename dest as src | join host process_id [| tstats `security_content_summariesonly` + count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) + as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port + != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate third party applications + may use a moved copy of dllhost, triggering a false positive. 
references: - https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ +rba: + message: The process $process_name$ was spawned by $parent_process_name$ without + any command-line arguments on $src$ by $user$. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_image + type: process + - field: process_name + type: process_name tags: analytic_story: - BlackByte Ransomware - Cobalt Strike - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 70 - impact: 70 - message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$. mitre_attack_id: - T1055 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_image - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - process_name - - process_id - - parent_process_name - - dest_port - - process_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml index e5e00cdfeb..9e42a31685 100644 
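Review bot: the `rba` block added in this hunk references fields the search does not produce. The `by` clause is `host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process` and never includes `Processes.user`, so the `user` risk object and the `$user$` token in the message will be empty; `parent_image` in `threat_objects` is likewise absent (the search only carries `parent_process_name` and `parent_process`). Note also that `rename dest as src` followed by `latest(All_Traffic.dest) as dest` in the join means `dest` ends up as the network destination rather than the endpoint, which is why the message uses `$src$`; a `dest` risk object of `type: system` therefore scores the wrong asset. Suggest adding `Processes.user` to the `by` clause, using `parent_process_name` as the threat object, and scoring `src` as the system risk object. The 49 score does match the removed `confidence: 70` / `impact: 70`.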
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml +++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml @@ -1,7 +1,7 @@ name: DNS Exfiltration Using Nslookup App id: 2452e632-9e0d-11eb-bacd-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Teoderick Contreras, Splunk, Wouter Jansen status: production type: TTP @@ -53,6 +53,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration. + risk_objects: + - field: user + type: user + score: 72 + - field: dest + type: system + score: 72 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious DNS Traffic 
@@ -61,51 +76,17 @@ tags: - Command And Control - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration. mitre_attack_id: - T1048 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml index c9055eb099..cde94f4d78 100644 --- a/detections/endpoint/domain_account_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml 
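Review bot: in the first hunk for this file `version` jumps from `'6'` to `8` while every other file in this patch bumps by one; confirm the skipped 7 is intentional. Switching the value from a quoted string to a bare integer is a good normalization and matches the sibling files. The `rba` block in the second hunk is consistent with the search: `parent_process_name` and `process_name` are used as both threat-object field and type, as in the wmic hunk, and the 72 score equals the removed `confidence: 80` / `impact: 90`.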
@@ -1,17 +1,37 @@ name: Domain Account Discovery with Dsquery id: b1a8ce04-04c2-11ec-bea7-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network. +description: The following analytic identifies the execution of `dsquery.exe` with + command-line arguments used to discover domain users. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it indicates potential reconnaissance + efforts by adversaries to map out domain users, which is a common precursor to further + attacks. If confirmed malicious, this behavior could allow attackers to gain insights + into user accounts, facilitating subsequent actions like privilege escalation or + lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe" AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe" + AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm 
@@ -20,44 +40,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml deleted file mode 100644 index aaff8ce6a9..0000000000 --- a/detections/endpoint/domain_account_discovery_with_net_app.yml +++ /dev/null 
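Review bot: this hunk removes `message`, `observable`, `required_fields` and `risk_score: 25` without adding an `rba` block, unlike the wmic and nltest hunks in the same patch. That is consistent with `type: Hunting` (a hunting search does not emit risk, so the removed `confidence: 50` / `impact: 50` never produced a usable score), but it should be stated in the PR description so reviewers do not read it as an omission; if risk scoring was expected, the other hunks show the shape to add.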
@@ -1,74 +0,0 @@ -name: Domain Account Discovery With Net App -id: 98f6a534-04c2-11ec-96b2-acde48001122 -version: 4 -date: '2024-09-30' -author: Teoderick Contreras, Mauricio Velazco, Splunk -status: production -type: TTP -description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network. -data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "* user*" AND Processes.process = "*/do*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. -references: -- https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance -- https://attack.mitre.org/techniques/T1087/002/ -drilldown_searches: -- name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -tags: - analytic_story: - - Active Directory Discovery - - Graceful Wipe Out Attack - - Rhysida Ransomware - asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ - mitre_attack_id: - - T1087.002 - - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name 
- - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml index 813ed1392b..d374d2851a 100644 --- a/detections/endpoint/domain_account_discovery_with_wmic.yml +++ b/detections/endpoint/domain_account_discovery_with_wmic.yml 
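Review bot: deleting this detection outright leaves dangling references that the visible hunks do not clean up: its search used the `domain_account_discovery_with_net_app_filter` macro, which should be removed alongside it, and the file was listed under three analytic stories (`Active Directory Discovery`, `Graceful Wipe Out Attack`, `Rhysida Ransomware`), two of which are not covered by the surviving dsquery and wmic detections in this patch. If `net.exe` / `net1.exe` domain-user enumeration coverage for T1087.002 moves to another detection, name it in the commit message; otherwise those stories lose that coverage with no replacement.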
@@ -1,17 +1,38 @@ name: Domain Account Discovery with Wmic id: 383572e0-04c5-11ec-bdcc-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information. +description: The following analytic detects the execution of `wmic.exe` with command-line + arguments used to query for domain users. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific command-line patterns indicative + of domain account discovery. This activity is significant as it often precedes lateral + movement or privilege escalation attempts by adversaries. If confirmed malicious, + this behavior could allow attackers to map out user accounts within the domain, + facilitating further attacks and potentially compromising sensitive information. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe" AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process = "*ds_user*" AND Processes.process = "*GET*" AND Processes.process = "*ds_samaccountname*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe" + AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process + = "*ds_user*" AND Processes.process = "*GET*" AND Processes.process = "*ds_samaccountname*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `domain_account_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/002/ 
@@ -21,51 +42,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: an instance of process $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security 
- Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 7caf8b3370..c2e1e0eb8e 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml 
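Review bot: style point on the new `rba.message` in the second hunk: it stays lowercase (`an instance of process ...`) while every other message in this patch starts with a capital and reads as a sentence; suggest `An instance of process $process_name$ with command line $process$ on $dest$`. The logic is sound: `parent_process_name`, `user` and `dest` are all in the search's `by` clause, the `in $dest$` to `on $dest$` wording fix is welcome, and the 25 score matches the removed `confidence: 50` / `impact: 50`.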
@@ -1,17 +1,36 @@ name: Domain Controller Discovery with Nltest id: 41243735-89a7-4c83-bcdd-570aa78f00a1 -version: 4 -date: '2024-11-26' +version: 5 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network. +description: The following analytic detects the execution of `nltest.exe` with command-line + arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages + Endpoint Detection and Response (EDR) data, focusing on process names and command-line + arguments. This activity is significant because both Red Teams and adversaries use + `nltest.exe` for situational awareness and Active Directory discovery. If confirmed + malicious, this behavior could allow attackers to map out domain controllers, facilitating + further attacks such as privilege escalation or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process="*/dclist:*" OR Processes.process="*/dsgetdc:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process="*/dclist:*" + OR Processes.process="*/dsgetdc:*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `domain_controller_discovery_with_nltest_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
@@ -22,9 +41,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain controller discovery on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 21 + threat_objects: [] tags: analytic_story: - Active Directory Discovery 
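Review bot: the new `rba` block's `message` interpolates `$user$`, but `risk_objects` lists only `dest`; if the user account should carry risk, add a second object (`- field: user` / `type: user`), otherwise keep `$user$` as context only and be aware no risk is attributed to it. The `score: 21` matches the removed `confidence: 70` x `impact: 30`, so the migration preserves the prior risk score. The same `$user$`-without-user-object pattern recurs in the Adsisearcher `rba` block later in this patch.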
@@ -32,37 +63,17 @@ tags: - Rhysida Ransomware - BlackSuit Ransomware asset_type: Endpoint - confidence: 70 - impact: 30 - message: Domain controller discovery on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml index c134e91ba6..da0ebfa675 100644 --- a/detections/endpoint/domain_controller_discovery_with_wmic.yml +++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml 
@@ -1,17 +1,37 @@ name: Domain Controller Discovery with Wmic id: 64c7adaa-48ee-483c-b0d6-7175bc65e6cc -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic identifies the execution of `wmic.exe` with command-line + arguments used to discover domain controllers in a Windows domain. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line arguments. This activity is significant because it is commonly + used by adversaries and Red Teams for situational awareness and Active Directory + discovery. If confirmed malicious, this behavior could allow attackers to map out + the network, identify key systems, and plan further attacks, potentially leading + to unauthorized access and data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") + (Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
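Review bot: the rewrapped search still carries `(Processes.process="" OR Processes.process="*DomainControllerAddress*")`; the empty-string clause matches any `wmic.exe` execution whose command line was not captured, which has nothing to do with domain controller discovery and will add noise to a Hunting search. Since the line is being touched, drop the `Processes.process=""` alternative, and consider using the `process_wmic` macro (as the Domain Group Discovery With Wmic search in this patch does) instead of the literal `Processes.process_name="wmic.exe"` for consistency.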
@@ -19,37 +39,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 70 - impact: 30 - message: Domain controller discovery on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml index a8fa23c479..e1abeaa0b5 100644 --- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml +++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml 
@@ -1,15 +1,28 @@ name: Domain Group Discovery with Adsisearcher id: 089c862f-5f83-49b5-b1c8-7e4ff66560c7 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell to query Active Directory for domain groups. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify specific script blocks containing + `[adsisearcher]` and group-related queries. This activity is significant as it may + indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational + awareness and Active Directory discovery. If confirmed malicious, this behavior + could lead to further reconnaissance, privilege escalation, or lateral movement + within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = + "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*") | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` + | `domain_group_discovery_with_adsisearcher_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators or power users may use Adsisearcher for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ 
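Review bot: the rewrapped search applies `security_content_ctime(firstTime)` but never `security_content_ctime(lastTime)`, so `lastTime` is returned as a raw epoch while every other search in this patch converts both; add `| \`security_content_ctime(lastTime)\`` before the filter macro while the line is being edited. Minor style: `|rename UserID as user` is missing the space after the pipe used elsewhere in the same search.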
@@ -20,39 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain group discovery enumeration using PowerShell on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 18 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 60 - impact: 30 - message: Domain group discovery enumeration using PowerShell on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml index 6ae8ccb612..1ab2a63c77 100644 --- a/detections/endpoint/domain_group_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml 
@@ -1,17 +1,37 @@ name: Domain Group Discovery With Dsquery id: f0c9d62f-a232-4edd-b17e-bc409fb133d4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration. +description: The following analytic identifies the execution of `dsquery.exe` with + command-line arguments used to query for domain groups. It leverages Endpoint Detection + and Response (EDR) data, focusing on process names and command-line arguments. This + activity is significant because both Red Teams and adversaries use `dsquery.exe` + to enumerate domain groups, gaining situational awareness and facilitating further + Active Directory discovery. If confirmed malicious, this behavior could allow attackers + to map out the domain structure, identify high-value targets, and plan subsequent + attacks, potentially leading to privilege escalation or data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*group*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") + (Processes.process="*group*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `domain_group_discovery_with_dsquery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ @@ -19,38 +39,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml deleted file mode 100644 index f4dba5c26b..0000000000 --- a/detections/endpoint/domain_group_discovery_with_net.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -name: Domain Group Discovery With Net -id: f2f14ac7-fa81-471a-80d5-7eb65c3c7349 -version: 5 -date: '2024-12-11' -author: Mauricio Velazco, Splunk -status: production -type: Hunting -description: The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement. -data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. -references: -- https://attack.mitre.org/techniques/T1069/002/ -tags: - analytic_story: - - Windows Post-Exploitation - - Active Directory Discovery - - Prestige Ransomware - - Graceful Wipe Out Attack - - Rhysida Ransomware - - Cleo File Transfer Software - asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration on $dest$ by $user$ - mitre_attack_id: - - T1069 - - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml index e7bb7e59ee..77e3b1886c 100644 --- a/detections/endpoint/domain_group_discovery_with_wmic.yml +++ b/detections/endpoint/domain_group_discovery_with_wmic.yml 
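Review bot: this deletes a `status: production` Hunting detection outright even though its tags attach it to six analytic stories (Windows Post-Exploitation, Active Directory Discovery, Prestige Ransomware, Graceful Wipe Out Attack, Rhysida Ransomware, Cleo File Transfer Software); the change should state whether those stories are updated, whether another detection now covers `net group /domain` enumeration, and whether deprecating the detection rather than removing the file is the intended path. Note also that the deleted file carries `date: '2024-12-11'` and `version: 5`, later than the other files touched here, so it was edited shortly before being removed.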
@@ -1,17 +1,37 @@ name: Domain Group Discovery With Wmic id: a87736a6-95cd-4728-8689-3c64d5026b3e -version: 4 -date: '2024-11-26' +version: 5 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network. +description: The following analytic identifies the execution of `wmic.exe` with command-line + arguments used to query for domain groups. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it indicates potential reconnaissance efforts by + adversaries to gain situational awareness and map out Active Directory structures. + If confirmed malicious, this behavior could allow attackers to identify and target + specific domain groups, potentially leading to privilege escalation or lateral movement + within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* + AND Processes.process=*ds_group* AND Processes.process="*GET ds_samaccountname*") + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ 
@@ -19,38 +39,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index 32643a7bbd..97a948b1af 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml 
@@ -1,16 +1,30 @@ name: Download Files Using Telegram id: 58194e28-ae5e-11eb-8912-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network. +description: The following analytic detects suspicious file downloads by the Telegram + application on a Windows system. It leverages Sysmon EventCode 15 to identify instances + where Telegram.exe creates files with a Zone.Identifier, indicating a download. + This activity is significant as it may indicate an adversary using Telegram to download + malicious tools, such as network scanners, for further exploitation. If confirmed + malicious, this behavior could lead to network mapping, lateral movement, and potential + compromise of additional systems within the network. data_source: - Sysmon EventID 15 -search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. 
(EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: normal download of file in telegram app. (if it was a common app in network) +search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" + |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name + process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `download_files_using_telegram_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and TargetFilename from your endpoints or Events that + monitor filestream events which is happened when process download something. (EventCode + 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon + TA. +known_false_positives: normal download of file in telegram app. (if it was a common + app in network) references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: 
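Review bot: `how_to_implement` and `known_false_positives` are only rewrapped here and still read awkwardly ("Events that monitor filestream events which is happened when process download something", "normal download of file in telegram app. (if it was a common app in network)"). Since the version is bumped to 4 anyway, consider tightening them, for example: "You must ingest Sysmon EventCode 15 (FileCreateStreamHash) events, which record the Zone.Identifier alternate data stream written when a process downloads a file." and "Legitimate file downloads through Telegram will match; filter by host or user where Telegram is an approved application." Also note the search filters on `process_name` while the old `required_fields` list (removed in the next hunk) named `Image`; verify the Sysmon TA maps `Image` to `process_name` for EventCode 15 events.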
@@ -19,42 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious files were downloaded with the Telegram application on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - - XMRig - Phemedrone Stealer + - Crypto Stealer - Snake Keylogger + - XMRig asset_type: Endpoint - confidence: 70 - impact: 70 - message: Suspicious files were downloaded with the Telegram application on $dest$ mitre_attack_id: - T1105 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - EventCode - - Image - - process_id - - TargetFilename - - Hash - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: 
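Review bot: `threat_objects: []` in the new `rba` block, although the search already groups by `process_name`, `TargetFilename` and `Hash`; if analysts are expected to pivot on the downloaded file, consider a threat object on the file name or hash rather than leaving the list empty. The score of 49 matches the removed confidence 70 x impact 70 / 100. `analytic_story` gains `Crypto Stealer` and is reordered without any mention in the description; fine if intentional, just confirm that story exists in `stories/`.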
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml index d6d6952154..12460ee148 100644 --- a/detections/endpoint/drop_icedid_license_dat.yml +++ b/detections/endpoint/drop_icedid_license_dat.yml 
@@ -1,15 +1,28 @@ name: Drop IcedID License dat id: b7a045fc-f14a-11eb-8e79-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches. +description: The following analytic detects the dropping of a suspicious file named + "license.dat" in %appdata% or %programdata%. This behavior is associated with the + IcedID malware, which uses this file to inject its core bot into other processes + for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor + file creation events in these directories. This activity is significant as it indicates + a potential malware infection aiming to steal sensitive banking information. If + confirmed malicious, the attacker could gain unauthorized access to financial data, + leading to significant financial loss and data breaches. 
data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" + OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) + as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid 
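Review bot: `how_to_implement` is rewrapped but still says to ingest "process name, parent process, and command-line executions", which does not match this search: it runs on Sysmon EventCode 11 (FileCreate) and keys on `TargetFilename`. Since the version is bumped to 4, update the text to require file-creation events with the target file name and creating process. `known_false_positives: unknown` could also name the obvious case: any legitimate software that writes a `license.dat` under `%appdata%` or `%programdata%` will match this search.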
@@ -17,32 +30,18 @@ tags: analytic_story: - IcedID asset_type: Endpoint - confidence: 90 - impact: 70 - message: A process $process_name$ created a file $TargetFilename$ on host $dest$ mitre_attack_id: - T1204 - T1204.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml index bf0ea6fb0d..72e21dfb8e 100644 --- a/detections/endpoint/dsquery_domain_discovery.yml +++ b/detections/endpoint/dsquery_domain_discovery.yml @@ -1,7 +1,7 @@ name: DSQuery Domain Discovery id: cc316032-924a-11eb-91a2-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
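Review bot: the fields removed here (`confidence`, `impact`, `message`, `observable`, `risk_score`) leave this Hunting detection without an `rba` block, which is consistent with the first hunk adding only wrapped lines (13 added lines, all accounted for by `description`, `search` and `how_to_implement`), so no risk block is missing. In the dsquery header that follows, `version: '5'` becomes `version: 7`: the quoted-string to integer change is good for consistency, but the bump by two skips version 6; confirm this is intended rather than a rebase artifact (the same pattern appears for comsvcs `'6'` to 8 and procdump `'7'` to 9 later in the patch).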
@@ -53,53 +53,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + performing domain discovery on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 72 + - field: dest + type: system + score: 72 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Discovery - Domain Trust Discovery - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - performing domain discovery on endpoint $dest$ by user $user$. mitre_attack_id: - T1482 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
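Review bot: the new `rba` block is consistent with what it replaces: 72 = 90 x 80 / 100, `user` and `dest` map to the removed Victim observables, and `parent_process_name`/`process_name` map to the removed Attacker observables. The message interpolates $parent_process_name$, $process_name$, $dest$ and $user$, all of which appear in the removed `required_fields` list, so the tokens should resolve at risk-event time; this is the pattern the wmic hunk later in the patch should follow.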
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index 10e6fd6a52..f2ca5506a9 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml @@ -1,7 +1,7 @@ name: Dump LSASS via comsvcs DLL id: 8943b567-f14d-4ee8-a0bb-2121d4ce3184 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Patrick Bareiss, Splunk status: production type: TTP 
@@ -18,8 +18,21 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process IN ("*MiniDump*", "*#24*") by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* + Processes.process IN ("*MiniDump*", "*#24*") by Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.dest + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `dump_lsass_via_comsvcs_dll_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ 
@@ -39,6 +52,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land 
@@ -54,52 +82,18 @@ tags: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$. mitre_attack_id: - T1003.001 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml index 5318870c4c..e1881104a9 100644 --- a/detections/endpoint/dump_lsass_via_procdump.yml +++ b/detections/endpoint/dump_lsass_via_procdump.yml @@ -1,7 +1,7 @@ name: Dump LSASS via procdump id: 3742ebfe-64c2-11eb-ae93-0242ac130002 -version: '7' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -52,6 +52,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to dump lsass.exe on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - CISA AA22-257A 
@@ -59,53 +74,24 @@ tags: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - attempting to dump lsass.exe on endpoint $dest$ by user $user$. mitre_attack_id: - T1003.001 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml index e25c937eb4..1493676285 100644 --- a/detections/endpoint/elevated_group_discovery_with_powerview.yml 
+++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml 
@@ -1,15 +1,29 @@ name: Elevated Group Discovery with PowerView id: 10d62950-0de5-4199-a710-cff9ea79b413 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network. +description: The following analytic detects the execution of the `Get-DomainGroupMember` + cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). + This cmdlet is used to enumerate members of elevated domain groups such as Domain + Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates + potential reconnaissance efforts by adversaries to identify high-privileged users + within the domain. If confirmed malicious, this activity could lead to targeted + attacks on privileged accounts, facilitating further compromise and lateral movement + within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroupMember*") AND ScriptBlockText IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroupMember*") + AND ScriptBlockText IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", + "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `elevated_group_discovery_with_powerview_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators or power users may use this PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ 
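Review bot: two issues survive the rewrap of `search` and `how_to_implement`. First, the search computes `max(_time) as lastTime` but only applies `security_content_ctime(firstTime)`; add `| \`security_content_ctime(lastTime)\`` so both timestamps are rendered, as every other search in this patch does. Second, the `how_to_implement` link anchor is `Configure_module_logging_for_PowerShell`, while the analytic relies on Script Block Logging (EventCode 4104), a different setting; point the reader at the script block logging configuration instead.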
@@ -20,35 +34,22 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 70 - impact: 30 - message: Elevated group discovery using PowerView on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml index c66d1f3ef3..3c74c3e9ca 100644 --- a/detections/endpoint/elevated_group_discovery_with_wmic.yml +++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml 
@@ -1,17 +1,40 @@ name: Elevated Group Discovery With Wmic id: 3f6bbf22-093e-4cb4-9641-83f47b8444b6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `wmic.exe` with command-line arguments querying specific elevated domain groups. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes that access the LDAP namespace and search for groups like "Domain Admins" or "Enterprise Admins." This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privilege accounts within Active Directory. If confirmed malicious, this behavior could lead to privilege escalation, allowing attackers to gain elevated access and control over critical network resources. +description: The following analytic detects the execution of `wmic.exe` with command-line + arguments querying specific elevated domain groups. It leverages Endpoint Detection + and Response (EDR) telemetry to identify processes that access the LDAP namespace + and search for groups like "Domain Admins" or "Enterprise Admins." This activity + is significant as it indicates potential reconnaissance efforts by adversaries to + identify high-privilege accounts within Active Directory. If confirmed malicious, + this behavior could lead to privilege escalation, allowing attackers to gain elevated + access and control over critical network resources. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap*) (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") + (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap*) (Processes.process="*Domain + Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema + Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server + Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns + Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ 
@@ -23,45 +46,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Elevated domain group discovery enumeration on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 21 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 70 - impact: 30 - message: Elevated domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index e5a9c76da6..2b14b852fb 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml 
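Review bot: the new `rba` message reads "Elevated domain group discovery enumeration on $dest$ by $user$", but `risk_objects` lists only `dest`; `Processes.user` is already in the search's by-clause, so add a `user` risk object (type `user`, score 21) for consistency with the dsquery and LSASS detections in this same patch, or drop $user$ from the message. The score of 21 matches the removed confidence 70 x impact 30 / 100. `threat_objects: []` is also questionable here since `process_name` and `parent_process` are available from the search.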
@@ -1,19 +1,27 @@ name: Enable RDP In Other Port Number id: 99495452-b899-11eb-96dc-acde48001122 -version: 8 -date: '2024-12-03' +version: 9 +date: '2024-12-16' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" and the "PortNumber" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine. +description: The following analytic detects modifications to the registry that enable + RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "HKLM\SYSTEM\CurrentControlSet\Control\Terminal + Server\WinStations\RDP-Tcp" and the "PortNumber" value. This activity is significant + as attackers often modify RDP settings to facilitate lateral movement and maintain + remote access to compromised systems. If confirmed malicious, this could allow attackers + to bypass network defenses, gain persistent access, and potentially control the + compromised machine. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\CurrentControlSet\\Control\\Terminal - Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Control\\Terminal + Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `enable_rdp_in_other_port_number_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
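Review bot: the WHERE clause in the reflowed `search:` for enable_rdp_in_other_port_number.yml still matches every write to `PortNumber`, including one that sets it back to the default 3389 (`0x00000d3d`), so the detection name, the description and the new rba message ("RDP was moved to a non-standard port") overstate what it fires on. Suggest adding a value-data exclusion next to `Registry.registry_value_name = "PortNumber"`, for example `Registry.registry_value_data!=0x00000d3d`, using the same normalized hex form that the WDigest search in this patch already compares against (`Registry.registry_value_data=0x00000001`), and rerunning the True Positive Test against the casper honeypot dataset to confirm it still fires.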
@@ -27,45 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: RDP was moved to a non-standard port on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 80 - message: RDP was moved to a non-standard port on $dest$ by $user$. 
mitre_attack_id: - T1021 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 1f5b03347f..db86959936 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml 
@@ -5,11 +5,18 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the "UseLogonCredential" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network. +description: The following analytic detects a suspicious registry modification that + enables the plain text credential feature in Windows by setting the "UseLogonCredential" + value to 1 in the WDigest registry path. This detection leverages data from the + Endpoint.Registry data model, focusing on specific registry paths and values. This + activity is significant because it is commonly used by malware and tools like Mimikatz + to dump plain text credentials, indicating a potential credential dumping attempt. + If confirmed malicious, this could allow an attacker to obtain sensitive credentials, + leading to further compromise and lateral movement within the network. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
@@ -28,47 +35,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: wdigest registry $registry_path$ was modified on $dest$ + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Credential Dumping - Windows Registry Abuse - CISA AA22-320A asset_type: Endpoint - confidence: 100 - impact: 80 - message: wdigest registry $registry_path$ was modified in $dest$ mitre_attack_id: - T1112 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - 
Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml index 37f05ec177..a597067625 100644 --- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml +++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml @@ -1,7 +1,7 @@ name: Enumerate Users Local Group Using Telegram id: fcd74532-ae54-11eb-a5ab-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -40,47 +40,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Telegram application has been identified enumerating local groups on + $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - XMRig - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: The Telegram application has been identified enumerating local groups on - $dest$ by $user$. mitre_attack_id: - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - dest - - EventCode - - Process_Name - - Process_ID - - Account_Name - - Account_Domain - - Logon_ID - - Security_ID - - Message - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml index 3d2de049a2..cf7ea2b703 100644 --- a/detections/endpoint/esentutl_sam_copy.yml +++ b/detections/endpoint/esentutl_sam_copy.yml 
@@ -1,17 +1,37 @@ name: Esentutl SAM Copy id: d372f928-ce4f-11eb-a762-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the use of `esentutl.exe` to access credentials stored in the ntds.dit or SAM file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it may indicate an attempt to extract sensitive credential information, which is a common tactic in lateral movement and privilege escalation. If confirmed malicious, this could allow an attacker to gain unauthorized access to user credentials, potentially compromising the entire network. +description: The following analytic detects the use of `esentutl.exe` to access credentials + stored in the ntds.dit or SAM file. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs that include + command-line details. This activity is significant because it may indicate an attempt + to extract sensitive credential information, which is a common tactic in lateral + movement and privilege escalation. If confirmed malicious, this could allow an attacker + to gain unauthorized access to user credentials, potentially compromising the entire + network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process + IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives should be limited. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md 
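Review bot: `Processes.process IN ("*ntds*", "*SAM*")` in the reflowed `search:` for esentutl_sam_copy.yml is an unanchored substring match, so any esentutl command line whose path happens to contain "sam" or "ntds" as a substring qualifies, which sits uneasily with `known_false_positives: False positives should be limited`. Consider anchoring the hive name as a path component, e.g. `"*\\SAM*"` and `"*\\ntds.dit*"`, or at least documenting the broad match in `known_false_positives`. Separately, the boilerplate `how_to_implement` says the process GUID must be ingested, but this search only groups by `Processes.process_id`/`Processes.parent_process_id`; fine to leave as shared text, just noting the mismatch.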
@@ -21,51 +41,18 @@ tags: - Credential Dumping - Living Off The Land asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability. mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index a00720eabd..6a16286298 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml 
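Review bot: no `rba:` block replaces the removed `message`/`observable`/`risk_score` in this hunk of esentutl_sam_copy.yml, which is the right call for `type: Hunting` (hunting searches do not produce risk events), but the other detections in this patch all gain an `rba:` block, so a one-line PR note that Hunting content intentionally drops risk metadata would save the next reviewer a check. Also worth noting that the removed message carried a broken token (`by user user$`, missing the leading `$`), so nothing correct is lost here.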
@@ -1,20 +1,27 @@ name: ETW Registry Disabled id: 8ed523ac-276b-11ec-ac39-acde48001122 -version: 8 -date: '2024-12-08' +version: 10 +date: '2024-12-16' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. +description: The following analytic detects a registry modification that disables + the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data + model, specifically monitoring changes to the ETWEnabled registry value under the + .NETFramework path. This activity is significant because disabling ETW can allow + attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution + from audit logs. If confirmed malicious, this action could enable attackers to operate + undetected, potentially leading to further compromise and persistent access within + the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name - = ETWEnabled Registry.registry_value_data=0x00000000) BY Registry.dest - Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `etw_registry_disabled_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" + Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
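Review bot: `version` jumps from 8 to 10 in this hunk of etw_registry_disabled.yml while every other detection in the patch bumps by exactly one (enable_rdp 8->9, wdigest unchanged here, telegram 6->7, esentutl 4->5, eventvwr 6->7, excessive 4->5). If 9 was consumed by an intermediate change that is not in this diff, say so in the commit message; otherwise set it to 9 so the version history stays contiguous.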
@@ -29,9 +36,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Hermetic Wiper 
@@ -41,39 +63,19 @@ tags: - CISA AA23-347A - Data Destruction asset_type: Endpoint - confidence: 100 - impact: 90 - message: Modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.006 - T1127 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml index 0585adffec..d86cc12b72 100644 --- a/detections/endpoint/eventvwr_uac_bypass.yml +++ b/detections/endpoint/eventvwr_uac_bypass.yml 
@@ -1,17 +1,42 @@ name: Eventvwr UAC Bypass id: 9cf8fe08-7ad8-11eb-9819-acde48001122 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Steven Dick, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects an Eventvwr UAC bypass by identifying suspicious registry modifications in the path that Eventvwr.msc references upon execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes and process execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing an attacker to execute arbitrary commands with elevated privileges. If confirmed malicious, this could lead to unauthorized code execution, persistence, and further compromise of the affected system. +description: The following analytic detects an Eventvwr UAC bypass by identifying + suspicious registry modifications in the path that Eventvwr.msc references upon + execution. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on registry changes and process execution details. This activity + is significant because it indicates a potential privilege escalation attempt, allowing + an attacker to execute arbitrary commands with elevated privileges. If confirmed + malicious, this could lead to unauthorized code execution, persistence, and further + compromise of the affected system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*mscfile\\shell\\open\\command\\*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path="*mscfile\\shell\\open\\command\\*") BY _time span=1h + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime + dest user parent_process_name parent_process process_name process_path process registry_key_name + registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some false positives may be present and will need to be filtered. 
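Review bot: the reflowed `search:` in eventvwr_uac_bypass.yml keeps the `| join process_guid [ ... ]` against Endpoint.Registry, and `join` subsearches are subject to the limits.conf `[join]` caps (by default 50,000 results and a 60 second timeout), after which the subsearch is silently truncated and registry matches are dropped, so the analytic can miss events on busy environments with no error. Since the reflow touched this line anyway, consider either noting the limit in `how_to_implement`, or restructuring so the Registry tstats (which is the rare side, filtered on `*mscfile\\shell\\open\\command\\*`) is the outer search and the Processes lookup is the subsearch, or combining both data models with an `append`/`stats by process_guid` pattern that has no join cap.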
references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ @@ -24,9 +49,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry values were modified to bypass UAC using Event Viewer on $dest$ + by $user$. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics 
@@ -35,47 +76,18 @@ tags: - Windows Registry Abuse - ValleyRAT asset_type: Endpoint - confidence: 100 - impact: 80 - message: Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$. mitre_attack_id: - T1548.002 - T1548 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml index 313f24c289..613e48bf8e 100644 --- a/detections/endpoint/excessive_attempt_to_disable_services.yml +++ b/detections/endpoint/excessive_attempt_to_disable_services.yml 
@@ -1,17 +1,38 @@ name: Excessive Attempt To Disable Services id: 8fa2a0f0-acd9-11eb-8994-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used with parameters like "config" or "Disabled" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation. +description: The following analytic identifies a suspicious series of command-line + executions attempting to disable multiple services. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used + with parameters like "config" or "Disabled" within a short time frame. This activity + is significant as it may indicate an adversary's attempt to disable security or + other critical services to further compromise the system. If confirmed malicious, + this could lead to the attacker achieving persistence, evading detection, or disabling + security mechanisms, thereby increasing the risk of further exploitation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "sc.exe" AND Processes.process="*config*" OR Processes.process="*Disabled*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = + "sc.exe" AND Processes.process="*config*" OR Processes.process="*Disabled*" by Processes.process_name + Processes.parent_process_name Processes.dest Processes.user _time span=1m | where + count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 
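Review bot: the reflowed `search` in `excessive_attempt_to_disable_services.yml` keeps the unparenthesised predicate `Processes.process_name = "sc.exe" AND Processes.process="*config*" OR Processes.process="*Disabled*"`; AND binds tighter than OR, so the second branch matches any process whose command line contains `Disabled`, not only `sc.exe`, and because the search groups `by Processes.process_name`, an unrelated binary can satisfy `count >=4` on its own. Since the version is bumped to 5 in this hunk anyway, fix the grouping: `Processes.process_name = "sc.exe" AND (Processes.process="*config*" OR Processes.process="*Disabled*")`, then re-run the True Positive Test to confirm the xmrig dataset still matches through the intended branch. Minor: `how_to_implement` says process GUID must be ingested, but the search never references `process_guid`.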
@@ -21,45 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to disable services. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - XMRig - Azorult asset_type: Endpoint - confidence: 100 - impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. 
mitre_attack_id: - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.process_id - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml index 9b49578493..49dfca5f3e 100644 --- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml +++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml 
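Review bot: in the new `rba` block of `excessive_attempt_to_disable_services.yml`, `threat_objects` points at `process_name`, but the search pins `Processes.process_name = "sc.exe"`, so the threat object is the constant `sc.exe` and gives an analyst nothing to pivot on. The discriminating values are already computed: `values(Processes.process) as process` (the command lines) and `parent_process_name` both survive `drop_dm_object_name`, so `- field: process / type: process` is the better threat object, with `parent_process_name` as a second entry if a process-name-typed one is wanted. The `score: 80` correctly reproduces the removed `confidence: 100` x `impact: 80`, and the message text matches the removed `message` verbatim.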
@@ -1,18 +1,39 @@ name: Excessive distinct processes from Windows Temp id: 23587b6a-c479-11eb-b671-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Hart, Mauricio Velazco, Splunk status: production type: Anomaly -description: The following analytic identifies an excessive number of distinct processes executing from the Windows\Temp directory. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths and counts within a 20-minute window. This behavior is significant as it often indicates the presence of post-exploit frameworks like Koadic and Meterpreter, which use this technique to execute malicious actions. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and maintain persistence within the environment, posing a severe threat to system integrity and security. +description: The following analytic identifies an excessive number of distinct processes + executing from the Windows\Temp directory. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process paths and counts within a 20-minute + window. This behavior is significant as it often indicates the presence of post-exploit + frameworks like Koadic and Meterpreter, which use this technique to execute malicious + actions. If confirmed malicious, this activity could allow attackers to execute + arbitrary code, escalate privileges, and maintain persistence within the environment, + posing a severe threat to system integrity and security. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\Windows\\Temp\\*" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path + = "*\\Windows\\Temp\\*" by Processes.dest Processes.user _time span=20m | where + distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Many benign applications will create processes from executables + in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed. references: - https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/ drilldown_searches: 
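Review bot: `how_to_implement` in `excessive_distinct_processes_from_windows_temp.yml` is the generic EDR paragraph (process GUID, parent process, full command line) while the search's only filter is `Processes.process_path = "*\\Windows\\Temp\\*"`; with `required_fields` removed in this change, nothing in the file now states that `process_path` must be populated, and an EDR TA that maps only `process` and `process_name` leaves it empty and the search silently returns nothing. Add a sentence naming `Processes.process_path` as the required field (it was, notably, absent from the old `required_fields` list as well). Also worth stating in the description: the filter matches the system `Windows\Temp` directory only, not per-user temp directories under `AppData\Local\Temp`, so readers do not assume user temp is covered.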
@@ -21,37 +42,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple processes were executed out of windows\temp within a short amount + of time on $dest$. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Meterpreter asset_type: Endpoint - confidence: 100 - impact: 80 - message: Multiple processes were executed out of windows\temp within a short amount of time on $dest$. 
mitre_attack_id: - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.dest - - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml index b4c84b73a2..cc43bf87e4 100644 --- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml +++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml 
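Review bot: `threat_objects: []` in `excessive_distinct_processes_from_windows_temp.yml` drops a pivot the search already computes: `values(Processes.process) as process` survives `drop_dm_object_name`, so `- field: process / type: process` would attach the executed command lines to the risk event at no extra cost, and the 38+ distinct processes are exactly what an analyst triaging this anomaly wants to see first. If it is left empty on purpose (the old `observable` list had only `dest`), a short comment saying so avoids the same question on the next migration. Minor: the message writes `windows\temp` while the search and description write `Windows\Temp`.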
@@ -1,17 +1,30 @@ name: Excessive File Deletion In WinDefender Folder id: b5baa09a-7a05-11ec-8da4-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection. +description: The following analytic detects excessive file deletion events in the + Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes + deleting multiple files within this directory. This behavior is significant as it + may indicate an attempt to corrupt or disable Windows Defender, a key security component. + If confirmed malicious, this activity could allow an attacker to disable endpoint + protection, facilitating further malicious actions without detection. data_source: - Sysmon EventID 23 - Sysmon EventID 26 -search: '`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`' -how_to_implement: To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. 
If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -known_false_positives: Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives. +search: '`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows + Defender\\*" | stats count, values(TargetFilename) as deleted_files, min(_time) + as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, + process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`' +how_to_implement: To successfully implement this search, you must ingest logs that + include the process name, TargetFilename, and ProcessID executions from your endpoints. + If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon + TA installed. +known_false_positives: Windows Defender AV updates may trigger this alert. Please + adjust the filter macros to mitigate false positives. references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: 
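Review bot: the `stats ... by user, dest, signature, signature_id, Image, process_name, process_guid` in `excessive_file_deletion_in_windefender_folder.yml` groups separately per Sysmon event type, so on a host whose Sysmon config emits a mix of EventCode 23 (FileDelete) and 26 (FileDeleteDetected) for the same process, the deletions are tallied in two rows and neither may reach `count >=50`, even though the search accepts both codes. If the threshold is meant per deleting process, take `signature` and `signature_id` out of the `by` clause and carry them as `values(signature_id) as signature_id` instead. Also, `Image` and `process_name` both appear in the `by` list and `Image` is then renamed to `process`; grouping on both is harmless but redundant, and `process_path` in the old `required_fields` was never used by the search, so its removal is correct.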
@@ -20,53 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive file deletion events were detected in the Windows Defender folder + on $dest$ by $user$. Investigate further to determine if this activity is malicious. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: deleted_files + type: file_name tags: analytic_story: - Data Destruction - WhisperGate - BlackByte Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious. 
mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: deleted_files - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - TargetFilename - - user - - dest - - signature - - signature_id - - Image - - process_name - - process_path - - process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml index 1c819752ad..87384b30be 100644 --- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml +++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml 
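Review bot: `threat_objects` in `excessive_file_deletion_in_windefender_folder.yml` uses `deleted_files`, which is `values(TargetFilename)` and holds at least 50 paths whenever the search fires (`where count >=50`); depending on how the risk framework expands multivalue threat fields, that is 50+ threat rows per risk event, inflating the risk index for little gain. `process` (renamed from `Image`) or `process_name` identifies the deleting binary and is the pivot an analyst actually needs; keep `deleted_files` reachable through the drilldown or the notable payload rather than as a threat object. The `score: 25` on both `user` and `dest` correctly reproduces the removed `confidence: 50` x `impact: 50`.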
@@ -1,18 +1,42 @@ name: Excessive number of service control start as disabled id: 77592bec-d5cc-11eb-9e60-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Hart, Splunk status: production type: Anomaly -description: The following analytic detects an excessive number of `sc.exe` processes launched with the command line argument `start= disabled` within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system. +description: The following analytic detects an excessive number of `sc.exe` processes + launched with the command line argument `start= disabled` within a short period. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names, command-line executions, and process GUIDs. This activity is significant + as it may indicate an attempt to disable critical services, potentially impairing + system defenses. If confirmed malicious, this behavior could allow an attacker to + disrupt security mechanisms, hinder incident response, and maintain control over + the compromised system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "sc.exe" AND Processes.process="*start= disabled*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time. 
+search: '| tstats `security_content_summariesonly` distinct_count(Processes.process) + as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name + = "sc.exe" AND Processes.process="*start= disabled*" by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.parent_process_id, _time + span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate programs and administrators will execute sc.exe + with the start disabled flag. It is possible, but unlikely from the telemetry of + normal Windows operation we observed, that sc.exe will be called more than seven + times in a short period of time. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create - https://attack.mitre.org/techniques/T1562/001/ 
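Review bot: `_time span=30m` with `distinct_cmdlines >= 8` in `excessive_number_of_service_control_start_as_disabled.yml` counts per fixed 30-minute bucket, so eight `sc ... start= disabled` calls that straddle a bucket boundary split into two groups and neither fires; the `known_false_positives` text ("more than seven times in a short period of time") describes a sliding window the search does not implement. If bucketing is acceptable, say so in `how_to_implement`; otherwise `streamstats time_window=30m dc(process)` over the raw events gives a sliding count. The same bucket-edge behaviour applies to the `span=1m`, `span=20m` and `span=1h` searches elsewhere in this patch. Separately, `Processes.process="*start= disabled*"` matches only that casing while `sc.exe` also accepts `start= DISABLED`; confirm whether the accelerated `process` field is compared case-sensitively in your data model and, if it is, add the upper-case variant. Minor: the description mentions process GUIDs, which the search does not use.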
@@ -22,47 +46,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to disable services. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 100 - impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml index 6b5b38552a..d31f36a50d 100644 --- a/detections/endpoint/excessive_number_of_taskhost_processes.yml +++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml 
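Review bot: `update_timestamp: true` is removed from the True Positive Test in `excessive_number_of_service_control_start_as_disabled.yml` with no replacement, which changes how contentctl replays `sc_service_start_disabled/windows-sysmon.log`: without it the dataset keeps its recorded timestamps, and a search that depends on `_time span=30m` bucketing passes only if the test's time range still covers those events. State why it is dropped (for example if the pinned contentctl version now shifts timestamps by default) or keep the flag. Also, the new `rba.message` is the same text as the one added to `excessive_attempt_to_disable_services.yml` ("An excessive amount of $process_name$ was executed on $dest$ attempting to disable services."), so the two detections are indistinguishable in the risk index except via `search_name`; mentioning `start= disabled` here would separate them.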
@@ -1,18 +1,43 @@ name: Excessive number of taskhost processes id: f443dac2-c7cf-11eb-ab51-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Hart status: production type: Anomaly -description: The following analytic identifies an excessive number of taskhost.exe and taskhostex.exe processes running within a short time frame. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and their counts. This behavior is significant as it is commonly associated with post-exploitation tools like Meterpreter and Koadic, which use multiple instances of these processes for actions such as discovery and lateral movement. If confirmed malicious, this activity could indicate an ongoing attack, allowing attackers to execute code, escalate privileges, or move laterally within the network. +description: The following analytic identifies an excessive number of taskhost.exe + and taskhostex.exe processes running within a short time frame. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + their counts. This behavior is significant as it is commonly associated with post-exploitation + tools like Meterpreter and Koadic, which use multiple instances of these processes + for actions such as discovery and lateral movement. If confirmed malicious, this + activity could indicate an ongoing attack, allowing attackers to execute code, escalate + privileges, or move laterally within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "taskhost.exe" OR Processes.process_name = "taskhostex.exe" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == "taskhost.exe", pid_count, 0) | eval taskhostex_count_=if(process_name == "taskhostex.exe", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed. 
+search: '| tstats `security_content_summariesonly` values(Processes.process_id) as + process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes + WHERE Processes.process_name = "taskhost.exe" OR Processes.process_name = "taskhostex.exe" + BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` + | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == + "taskhost.exe", pid_count, 0) | eval taskhostex_count_=if(process_name == "taskhostex.exe", + pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) + as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > + 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `excessive_number_of_taskhost_processes_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators, administrative actions or certain applications + may run many instances of taskhost and taskhostex concurrently. Filter as needed. references: - https://attack.mitre.org/software/S0250/ drilldown_searches: 
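Review bot: the closing `stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime` in `excessive_number_of_taskhost_processes.yml` almost never merges the taskhost.exe and taskhostex.exe rows for the same host and hour, because each tstats row carries its own `firstTime`/`lastTime` from the per-`process_name` grouping; the two counts therefore land in separate rows and one of the sums is zero in each. The detection still fires because the `where` is an OR, but the eval/sum construction is dead weight. `stats sum(taskhost_count_) as taskhost_count sum(taskhostex_count_) as taskhostex_count min(firstTime) as firstTime max(lastTime) as lastTime by _time dest` produces the single row per host and hour the description implies. Also, `mvcount(values(Processes.process_id))` is a distinct-PID count, so PID reuse within the hour undercounts; if the intent is "number of launches", use `count` from the tstats row instead.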
@@ -21,38 +46,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive amount of taskhost.exe and taskhostex.exe was executed on + $dest$ indicative of suspicious behavior. + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Meterpreter asset_type: Endpoint - confidence: 70 - impact: 80 - message: An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior. 
mitre_attack_id: - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_id - - Processes.process_name - - Processes.dest - - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index 63c454e9da..f6a5a7eec9 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml 
@@ -1,18 +1,39 @@ name: Excessive Usage Of Cacls App id: 0bdf6092-af17-11eb-939a-acde48001122 -version: 5 -date: '2024-12-06' +version: 6 +date: '2024-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities. +description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, + or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it may indicate an adversary attempting + to restrict access to malware components or artifacts on a compromised system. If + confirmed malicious, this behavior could prevent users from deleting or accessing + critical files, aiding in the persistence and concealment of malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id values(Processes.process_name) as process_name + count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" + OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process + Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. + Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: 
@@ -21,48 +42,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to modify permissions. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - - XMRig - Azorult - Windows Post-Exploitation - Prestige Ransomware + - XMRig + - Crypto Stealer - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 100 - impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions. 
mitre_attack_id: - T1222 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.process_id - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index 6f1b98e42a..4c46de9669 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml 
@@ -1,17 +1,32 @@ name: Excessive Usage of NSLOOKUP App id: 0a69fdaa-a2b8-11eb-b16d-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Stanislav Miskovic, Splunk status: production type: Anomaly -description: The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses. +description: The following analytic detects excessive usage of the nslookup application, + which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode + 1 to monitor process executions, specifically focusing on nslookup.exe. The detection + identifies outliers by comparing the frequency of nslookup executions against a + calculated threshold. This activity is significant as it can reveal attempts by + malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, + this behavior could allow attackers to stealthily transfer sensitive information + out of the network, bypassing traditional data exfiltration defenses. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used. +search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m + | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, + stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, + 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `excessive_usage_of_nslookup_app_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances of nslookup.exe may be used. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings 
@@ -23,9 +38,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive usage of nslookup.exe has been detected on $dest$. This detection + is triggered as as it violates the dynamic threshold + risk_objects: + - field: dest + type: system + score: 28 + threat_objects: [] tags: analytic_story: - Suspicious DNS Traffic 
@@ -33,30 +61,17 @@ tags: - Data Exfiltration - Command And Control asset_type: Endpoint - confidence: 70 - impact: 40 - message: Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold mitre_attack_id: - T1048 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - process_name - - EventCode - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index 331e4ae543..bf447f6818 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml 
@@ -1,18 +1,34 @@ name: Excessive Usage Of SC Service Utility id: cb6b339e-d4c6-11eb-a026-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses. +description: The following analytic detects excessive usage of the `sc.exe` service + utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances + where `sc.exe` is executed more frequently than normal within a 15-minute window. + This behavior is significant as it is commonly associated with ransomware, cryptocurrency + miners, and other malware attempting to create, modify, delete, or disable services, + potentially related to security applications or for privilege escalation. If confirmed + malicious, this activity could allow attackers to manipulate critical services, + leading to system compromise or disruption of security defenses. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. -known_false_positives: excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission. +search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | + stats values(process) as process count as numScExe by dest, _time | eventstats + avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest + | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > + 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. 
+known_false_positives: excessive execution of sc.exe is quite suspicious since it + can modify or execute app in high privilege permission. references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: 
@@ -21,39 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive Usage Of SC Service Utility + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - - Ransomware - Azorult + - Ransomware + - Crypto Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: Excessive Usage Of SC Service Utility mitre_attack_id: - T1569 - T1569.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - process_name - - process - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index d84d915514..14669e1cab 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml 
@@ -1,17 +1,37 @@ name: Excessive Usage Of Taskkill id: fe5bca48-accb-11eb-a67c-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system. +description: The following analytic identifies excessive usage of `taskkill.exe`, + a command-line utility used to terminate processes. The detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` + is executed ten or more times within a one-minute span. This behavior is significant + as adversaries often use `taskkill.exe` to disable security tools or other critical + processes to evade detection. If confirmed malicious, this activity could allow + attackers to bypass security defenses, maintain persistence, and further compromise + the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by + Processes.parent_process_name Processes.process_name Processes.dest Processes.user + _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 
@@ -22,50 +42,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive usage of taskkill.exe with process id $process_id$ (more than + 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$. + risk_objects: + - field: dest + type: system + score: 28 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - - XMRig - Azorult - - CISA AA22-264A - AgentTesla - CISA AA22-277A - NjRAT + - CISA AA22-264A + - XMRig + - Crypto Stealer asset_type: Endpoint - confidence: 70 - impact: 40 - message: Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.process - - Processes.process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml index 6b6c056881..aefa14a98f 100644 --- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml +++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml 
@@ -1,45 +1,50 @@ name: Exchange PowerShell Abuse via SSRF id: 29228ab4-0762-11ec-94aa-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment. +description: The following analytic detects suspicious behavior indicative of ProxyShell + exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST + requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side + request forgery (SSRF) to access backend PowerShell. This detection uses Exchange + server logs ingested into Splunk. Monitoring this activity is crucial as it may + indicate an attacker attempting to execute commands or scripts on the Exchange server. + If confirmed malicious, this could lead to unauthorized access, privilege escalation, + or persistent control over the Exchange environment. 
data_source: [] -search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`' -how_to_implement: The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment. +search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" + | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, + cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `exchange_powershell_abuse_via_ssrf_filter`' +how_to_implement: The following analytic requires on-premise Exchange to be logging + to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are + parsed correctly, or tune the analytic for your environment. known_false_positives: Limited false positives, however, tune as needed. references: - https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 +rba: + message: Activity related to ProxyShell has been identified on $dest$. Review events + and take action accordingly. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - ProxyShell - BlackByte Ransomware - ProxyNotShell asset_type: Endpoint - confidence: 100 - impact: 80 - message: Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - cs_uri_query - - cs_method - - c_uri - risk_score: 80 security_domain: endpoint diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml index 716e5761d5..0f67e57eea 100644 --- a/detections/endpoint/exchange_powershell_module_usage.yml +++ b/detections/endpoint/exchange_powershell_module_usage.yml 
@@ -1,16 +1,31 @@ name: Exchange PowerShell Module Usage id: 2d10095e-05ae-11ec-8fdf-acde48001122 -version: 7 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these commands. This activity is significant because these modules can be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information. +description: The following analytic detects the usage of specific Exchange PowerShell + modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, + and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) + to identify these commands. This activity is significant because these modules can + be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell + vulnerabilities. If confirmed malicious, attackers could export mailbox contents, + assign management roles, conduct mailbox searches, or view recipient objects, potentially + leading to data exfiltration, privilege escalation, or unauthorized access to sensitive + information. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", + "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps - https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps 
@@ -27,9 +42,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious Exchange PowerShell module usaged was identified on $dest$. + risk_objects: + - field: dest + type: system + score: 32 + threat_objects: [] tags: analytic_story: - ProxyNotShell 
@@ -38,33 +65,18 @@ tags: - BlackByte Ransomware - CISA AA22-264A asset_type: Endpoint - confidence: 80 - impact: 40 - message: Suspicious Exchange PowerShell module usaged was identified on $dest$. mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml index 9a81402aef..b86556c3ad 100644 --- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml +++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml @@ -1,7 +1,7 @@ name: Executable File Written in Administrative SMB Share id: f63c34fe-a435-11eb-935a-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP 
@@ -46,6 +46,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ dropped or created an executable file in known sensitive SMB + share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ + risk_objects: + - field: src_user + type: user + score: 70 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement @@ -59,37 +67,18 @@ tags: - Hermetic Wiper - Trickbot asset_type: Endpoint - confidence: 100 - impact: 70 - message: $src_user$ dropped or created an executable file in known sensitive SMB - share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ mitre_attack_id: - T1021 - T1021.002 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Share_Name - - Relative_Target_Name - - Object_Type - - Access_Mask - - user - - src_port - - Source_Address - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 75d4463450..ead8a42979 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml 
@@ -1,23 +1,35 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 5 -date: '2024-11-28' +version: 10 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat. +description: The following analytic identifies the creation of executables or scripts + in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem + data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created + in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is + significant as adversaries often use these paths to evade detection and maintain + persistence. If confirmed malicious, this behavior could allow attackers to execute + unauthorized code, escalate privileges, or persist within the environment, posing + a significant security threat. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where - Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND - Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*") - by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as + file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", + "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*", + "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", + "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*") + by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes 
from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in the paths specified. Filter as needed. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in the paths + specified. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ 
@@ -29,73 +41,73 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious executable or scripts with file name $file_name$, $file_path$ + and process_id $process_id$ executed in suspicious file path in Windows by $user$ + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - - Double Zero Destructor - - Graceful Wipe Out Attack - - AsyncRAT - - WhisperGate - - DarkGate Malware - - AgentTesla - - Brute Ratel C4 - - NjRAT - - RedLine Stealer - - Rhysida Ransomware - - Swift Slicer - - IcedID - - DarkCrystal RAT - Chaos Ransomware - - PlugX + - Trickbot + - Snake Keylogger + - CISA AA23-347A - Industroyer2 - - Azorult - - Remcos - - XMRig + - WinDealer RAT - Qakbot - - Volt Typhoon - - Hermetic Wiper - Warzone RAT - - 
Trickbot - - Amadey - - BlackByte Ransomware + - IcedID + - ValleyRAT + - Azorult + - Handala Wiper - LockBit Ransomware - - CISA AA23-347A - - Data Destruction - - Snake Keylogger + - Meduza Stealer + - Brute Ratel C4 + - AsyncRAT - AcidPour - - Handala Wiper + - Derusbi + - DarkGate Malware + - Graceful Wipe Out Attack + - NjRAT + - WhisperGate + - Data Destruction + - BlackByte Ransomware + - AgentTesla + - Swift Slicer + - Crypto Stealer + - Hermetic Wiper - MoonPeak - - ValleyRAT - - Meduza Stealer + - Double Zero Destructor + - XMRig + - PlugX + - Amadey + - DarkCrystal RAT + - Remcos + - Nexus APT Threat Activity + - Earth Estries + - Rhysida Ransomware + - RedLine Stealer + - Volt Typhoon asset_type: Endpoint - confidence: 50 - impact: 40 - message: Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$ mitre_attack_id: - T1036 - observable: - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.user - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml index 776d31e917..3c5861b898 100644 --- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml +++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml 
@@ -1,17 +1,37 @@ name: Execute Javascript With Jscript COM CLSID id: dc64d064-d346-11eb-8588-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of JavaScript using the JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as it is a known technique used by ransomware, such as Reddot, to execute malicious scripts and potentially disable AMSI (Antimalware Scan Interface). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment. +description: The following analytic detects the execution of JavaScript using the + JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, command-line executions, + and parent processes. This activity is significant as it is a known technique used + by ransomware, such as Reddot, to execute malicious scripts and potentially disable + AMSI (Antimalware Scan Interface). If confirmed malicious, this behavior could allow + attackers to execute arbitrary code, evade detection, and maintain persistence within + the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cscript.exe" Processes.process="*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cscript.exe" + Processes.process="*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*" by Processes.parent_process_name + Processes.process_name Processes.process Processes.parent_process Processes.process_id + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ 
@@ -21,50 +41,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious process of cscript.exe with a parent process $parent_process_name$ + where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected + on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 70 - impact: 80 - message: Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$ mitre_attack_id: - T1059 - T1059.005 - observable: - - name: user - 
type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.parent_process - - Processes.process_id - - Processes.dest - - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml index fa5d5a9608..906eec9db6 100644 --- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml +++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml 
@@ -1,17 +1,38 @@ name: Execution of File with Multiple Extensions id: b06a555e-dce0-417d-a2eb-28a5d8d66ef7 -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Rico Valdez, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of files with multiple extensions, such as ".doc.exe" or ".pdf.exe". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the file name contains double extensions. This activity is significant because attackers often use double extensions to disguise malicious executables as benign documents, increasing the likelihood of user execution. If confirmed malicious, this technique can lead to unauthorized code execution, potentially compromising the endpoint and allowing further malicious activities. +description: The following analytic detects the execution of files with multiple extensions, + such as ".doc.exe" or ".pdf.exe". This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on process creation events where the file + name contains double extensions. This activity is significant because attackers + often use double extensions to disguise malicious executables as benign documents, + increasing the likelihood of user execution. If confirmed malicious, this technique + can lead to unauthorized code execution, potentially compromising the endpoint and + allowing further malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", + "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", + "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest + Processes.user Processes.process Processes.process_name Processes.parent_process + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` + | `execution_of_file_with_multiple_extensions_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat 
@@ -21,9 +42,27 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process$ have double extensions in the file name is executed on + $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows File Extension and Association Abuse 
@@ -31,40 +70,18 @@ tags: - AsyncRAT - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 80 - message: process $process$ have double extensions in the file name is executed on $dest$ by $user$ mitre_attack_id: - T1036 - T1036.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml index 65c47fde68..f09d658da1 100644 --- a/detections/endpoint/file_with_samsam_extension.yml +++ b/detections/endpoint/file_with_samsam_extension.yml 
@@ -1,18 +1,35 @@ name: File with Samsam Extension id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents. +description: The following analytic detects file writes with extensions indicative + of a SamSam ransomware attack. It leverages file-system activity data to identify + file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity + is significant because SamSam ransomware is highly destructive, leading to file + encryption and ransom demands. If confirmed malicious, the impact includes significant + financial losses, operational disruptions, and reputational damage. Immediate actions + should include isolating affected systems, restoring files from backups, and investigating + the attack source to prevent further incidents. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`' -how_to_implement: You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -known_false_positives: Because these extensions are not typically used in normal operations, you should investigate all results. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) + as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex + field=file_name "(?\.[^\.]+)$" | search file_extension=.stubbin + OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos + OR file_extension=.keyxml | `file_with_samsam_extension_filter`' +how_to_implement: You must be ingesting data that records file-system activity from + your hosts to populate the Endpoint file-system data-model node. If you are using + Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you + want to collect data. 
+known_false_positives: Because these extensions are not typically used in normal operations, + you should investigate all results. references: [] drilldown_searches: - name: View the detection results for - "$user$" and "$dest$" 
@@ -20,44 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: File writes $file_name$ with extensions consistent with a SamSam ransomware + attack seen on $dest$ + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - SamSam Ransomware asset_type: Endpoint - confidence: 90 - impact: 100 - message: File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$ - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - Filesystem.user - - Filesystem.dest - - Filesystem.file_path - - Filesystem.file_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index 44ca8b97b2..39966aac74 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml 
@@ -1,18 +1,41 @@ name: Firewall Allowed Program Enable id: 9a8f63a8-43ac-11ec-904c-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the modification of a firewall rule to allow the execution of a specific application. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events with command-line arguments related to firewall rule changes. This activity is significant as it may indicate an attempt to bypass firewall restrictions, potentially allowing unauthorized applications to communicate over the network. If confirmed malicious, this could enable an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the target environment. +description: The following analytic detects the modification of a firewall rule to + allow the execution of a specific application. This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process creation events + with command-line arguments related to firewall rule changes. This activity is significant + as it may indicate an attempt to bypass firewall restrictions, potentially allowing + unauthorized applications to communicate over the network. If confirmed malicious, + this could enable an attacker to execute arbitrary code, escalate privileges, or + maintain persistence within the target environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*" Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*" + Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `firewall_allowed_program_enable_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an + automated or manual execution of this firewall rule that may generate false positives. + Filter as needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ drilldown_searches: 
@@ -21,9 +44,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: firewall allowed program commandline $process$ of $process_name$ on $dest$ + by $user$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics 
@@ -32,36 +68,18 @@ tags: - NjRAT - PlugX asset_type: Endpoint - confidence: 50 - impact: 50 - message: firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$ mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml index eb7ecf75e3..dd00bbb7e0 100644 --- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml +++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml 
@@ -1,53 +1,65 @@ name: First Time Seen Child Process of Zoom id: e91bd102-d630-4e76-ab73-7e3ba22c5961 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint. +description: The following analytic identifies the first-time execution of child processes + spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response + (EDR) data, specifically monitoring process creation events and comparing them against + previously seen child processes. This activity is significant because the execution + of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse + of the application. If confirmed malicious, this could lead to unauthorized code + execution, data exfiltration, or further compromise of the endpoint. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) + as parent_process_name values(Processes.parent_process_id) as parent_process_id + values(Processes.process_name) as process_name values(Processes.process) as process + from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe + OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest + | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as + dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) + OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") + | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, + parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A new child process of zoom isn't malicious by that fact alone. + Further investigation of the actions of the child process is needed to verify any + malicious behavior is taken. 
references: [] +rba: + message: Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us + which has not been previously on host $dest$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Zoom Child Processes asset_type: Endpoint - confidence: 80 - impact: 80 - message: Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$ mitre_attack_id: - T1068 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process_id - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.process_id - - Processes.dest - risk_score: 64 security_domain: endpoint diff --git a/detections/endpoint/first_time_seen_running_windows_service.yml b/detections/endpoint/first_time_seen_running_windows_service.yml index 0fd17fe892..8576de1a20 100644 --- a/detections/endpoint/first_time_seen_running_windows_service.yml +++ b/detections/endpoint/first_time_seen_running_windows_service.yml 
@@ -1,42 +1,55 @@ name: First Time Seen Running Windows Service id: 823136f2-d755-4b6d-ae04-372b486a5808 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats. +description: The following analytic detects the first occurrence of a Windows service + running in your environment. It leverages Windows system event logs, specifically + EventCode 7036, to identify services entering the "running" state. This activity + is significant because the appearance of a new or previously unseen service could + indicate the installation of unauthorized or malicious software. If confirmed malicious, + this activity could allow an attacker to execute arbitrary code, maintain persistence, + or escalate privileges within the environment. Monitoring for new services helps + in early detection of potential threats. 
data_source: - Windows Event Log System 7036 -search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) service entered the (?\w+) state" | where state="running" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`' -how_to_implement: While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. -known_false_positives: A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process. 
+search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) + service entered the (?\w+) state" | where state="running" | lookup previously_seen_running_windows_services + service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen + > relative_time(now(), `previously_seen_windows_services_window`) | table _time + dest service | `first_time_seen_running_windows_service_filter`' +how_to_implement: While this search does not require you to adhere to Splunk CIM, + you must be ingesting your Windows system event logs in order for this search to + execute successfully. You should run the baseline search `Previously Seen Running + Windows Services - Initial` to build the initial table of child processes and hostnames + for this search to work. You should also schedule at the same interval as this search + the second baseline search `Previously Seen Running Windows Services - Update` to + keep this table up to date and to age out old Windows Services. Please update the + `previously_seen_windows_services_window` macro to adjust the time window. Please + ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. +known_false_positives: A previously unseen service is not necessarily malicious. Verify + that the service is legitimate and that was installed by a legitimate process. references: [] +rba: + message: Windows Service observed running for first time on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Service Abuse - Orangeworm Attack Group - NOBELIUM Group asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1569 - T1569.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - dest - risk_score: 25 security_domain: endpoint 
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 389ba97798..b1be122909 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -1,7 +1,7 @@ name: FodHelper UAC Bypass id: 909f8fd8-7ac8-11eb-a1f3-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -52,6 +52,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious registry keys added by process fodhelper.exe with a parent_process + of $parent_process_name$ that has been executed on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - IcedID 
@@ -59,46 +72,19 @@ tags: - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 90 - impact: 90 - message: Suspicious registy keys added by process fodhelper.exe with a parent_process - of $parent_process_name$ that has been executed on $dest$ by $user$. mitre_attack_id: - T1112 - T1548.002 - T1548 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml index d22e607e99..91e21bf58e 100644 --- a/detections/endpoint/fsutil_zeroing_file.yml +++ b/detections/endpoint/fsutil_zeroing_file.yml 
@@ -1,17 +1,37 @@ name: Fsutil Zeroing File id: 4e5e024e-fabb-11eb-8b8f-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the 'fsutil' command with the 'setzerodata' parameter, which zeros out a target file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is a technique used by ransomware, such as LockBit, to evade detection by erasing its malware path after encrypting the host. If confirmed malicious, this action could hinder forensic investigations and allow attackers to cover their tracks, complicating incident response efforts. +description: The following analytic detects the execution of the 'fsutil' command + with the 'setzerodata' parameter, which zeros out a target file. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line arguments. This activity is significant because it is a technique + used by ransomware, such as LockBit, to evade detection by erasing its malware path + after encrypting the host. If confirmed malicious, this action could hinder forensic + investigations and allow attackers to cover their tracks, complicating incident + response efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process="*setzerodata*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe + Processes.process="*setzerodata*" by Processes.user Processes.process_name Processes.parent_process_name + Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/ 
@@ -22,41 +42,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible file data deletion on $dest$ using $process$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Ransomware - LockBit Ransomware asset_type: Endpoint - confidence: 90 - impact: 60 - message: Possible file data deletion on $dest$ using $process$ mitre_attack_id: - T1070 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.process - - Processes.parent_process - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml index ef2d36939f..70746a5993 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml 
@@ -1,17 +1,38 @@ name: Get ADDefaultDomainPasswordPolicy with Powershell id: 36e46ebe-065a-11ec-b4c7-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can indicate attempts by adversaries to gather information about domain policies for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain security settings. +description: The following analytic detects the execution of `powershell.exe` running + the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password + policy in a Windows domain. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + Monitoring this activity is crucial as it can indicate attempts by adversaries to + gather information about domain policies for situational awareness and Active Directory + discovery. If confirmed malicious, this activity could lead to further reconnaissance + and potential exploitation of domain security settings. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" + OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `get_addefaultdomainpasswordpolicy_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 
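Review bot: the reflowed description of get_addefaultdomainpasswordpolicy_with_powershell.yml still says the analytic detects `powershell.exe` running the cmdlet, but the search matches `(Processes.process_name="cmd.exe" OR Processes.process_name="powershell*")`, so a `cmd.exe` command line containing `Get-ADDefaultDomainPasswordPolicy` fires as well. Since the description is rewritten in this hunk, either mention the `cmd.exe` branch or drop it from the search if it is not wanted. The same wording mismatch appears in get_aduser_with_powershell.yml and get_aduserresultantpasswordpolicy_with_powershell.yml further down.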
@@ -21,43 +42,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 30 - impact: 30 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1201 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml index 27663ba886..a77b953e01 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml 
@@ -1,15 +1,27 @@ name: Get ADDefaultDomainPasswordPolicy with Powershell Script Block id: 1ff7ccc8-065a-11ec-91e4-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration. +description: The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` + PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. + This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify + the specific command execution. Monitoring this activity is significant as it can + indicate an attempt to gather domain policy information, which is often a precursor + to further malicious actions. If confirmed malicious, this activity could allow + an attacker to understand password policies, aiding in password attacks or further + domain enumeration. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 
@@ -19,35 +31,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 30 - impact: 30 - message: Powershell process having commandline "Get-ADDefaultDomainPasswordPolicy" to query domain password policy on $dest$ mitre_attack_id: - T1201 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - ComputerName - - User - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml index 7e1e41a272..1c21e48521 100644 --- a/detections/endpoint/get_aduser_with_powershell.yml +++ b/detections/endpoint/get_aduser_with_powershell.yml 
@@ -1,17 +1,38 @@ name: Get ADUser with PowerShell id: 0b6ee3f4-04e3-11ec-a87d-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to identify high-value targets and plan subsequent attacks. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line executions. This activity is significant as it may + indicate an attempt by adversaries to gather information about domain users for + situational awareness and Active Directory discovery. If confirmed malicious, this + behavior could lead to further reconnaissance, enabling attackers to identify high-value + targets and plan subsequent attacks. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*" AND Processes.process = "*-filter*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" + OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*" + AND Processes.process = "*-filter*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.blackhillsinfosec.com/red-blue-purple/ 
@@ -22,44 +43,18 @@ tags: - Active Directory Discovery - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml index 71278afb8e..ecdc645ace 100644 --- a/detections/endpoint/get_aduser_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml 
@@ -1,15 +1,27 @@ name: Get ADUser with PowerShell Script Block id: 21432e40-04f4-11ec-b7e6-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain. +description: The following analytic detects the execution of the `Get-AdUser` PowerShell + cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script + Block Logging (EventCode=4104) to identify instances where this command is executed + with a filter. This activity is significant as it may indicate an attempt by adversaries + or Red Teams to gather information about domain users for situational awareness + and Active Directory discovery. If confirmed malicious, this behavior could lead + to further reconnaissance and potential exploitation of user accounts within the + domain. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. 
Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText + = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.blackhillsinfosec.com/red-blue-purple/ @@ -20,36 +32,18 @@ tags: - Active Directory Discovery - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 50 - message: Powershell process having commandline "get-aduser" for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - ComputerName - - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog 
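Review bot: the second hunk of get_aduser_with_powershell_script_block.yml drops `confidence`, `impact`, `message`, `observable` and `risk_score: 25` without adding an `rba:` block, whereas the `type: TTP` analytics in this patch get one; since this file and the other three `type: Hunting` files (get_addefaultdomainpasswordpolicy_with_powershell.yml, its script block variant and get_aduser_with_powershell.yml) are all handled the same way, state in the PR description that Hunting analytics intentionally carry no risk metadata so the removed `risk_score` values are not taken for a regression. Minor, in the reflowed `search` of the first hunk: `UserID as user| \`security_content_ctime(firstTime)\`` is missing the space before the pipe that every other search in this patch has.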
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml index b2395ae5cb..e5a8d6839d 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml 
@@ -1,17 +1,38 @@ name: Get ADUserResultantPasswordPolicy with Powershell id: 8b5ef342-065a-11ec-b0fc-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential enumeration of domain policies, a common tactic for situational awareness and Active Directory discovery by adversaries. If confirmed malicious, this could allow attackers to understand password policies, aiding in further attacks such as password spraying or brute force attempts. +description: The following analytic detects the execution of `powershell.exe` running + the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password + policy in a Windows domain. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as it indicates potential enumeration of domain policies, a common + tactic for situational awareness and Active Directory discovery by adversaries. + If confirmed malicious, this could allow attackers to understand password policies, + aiding in further attacks such as password spraying or brute force attempts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUserResultantPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" + OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUserResultantPasswordPolicy*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `get_aduserresultantpasswordpolicy_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 
@@ -23,51 +44,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: an instance of process $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Discovery - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1201 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise 
Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml index 21099ac055..5370f63e74 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml 
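Review bot: in the new `rba:` block of get_aduserresultantpasswordpolicy_with_powershell.yml, `threat_objects` uses `type: parent_process_name`, which simply repeats the field name, while the removed `observable` entry it replaces was `type: Process`; confirm that `parent_process_name` is an accepted threat object type in the new schema rather than a copy of the field. The scores check out: `score: 25` for both `user` and `dest` matches the removed `risk_score: 25`, and the message now reads `on $dest$` instead of `in $dest$`, which is the better preposition.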
@@ -1,15 +1,27 @@ name: Get ADUserResultantPasswordPolicy with Powershell Script Block id: 737e1eb0-065a-11ec-921a-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation. +description: The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` + PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. + It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. + Monitoring this behavior is significant as it may indicate an attempt to enumerate + domain policies, a common tactic used by adversaries for situational awareness and + Active Directory discovery. If confirmed malicious, this activity could allow attackers + to understand password policies, aiding in further attacks such as password guessing + or policy exploitation. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*" + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 
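Review bot: the reflowed `how_to_implement` of get_aduserresultantpasswordpolicy_with_powershell_script_block.yml still opens with `The following Hunting analytic requires PowerShell operational logs`, but the file is `type: TTP`; since the text is being rewritten in this hunk, change `Hunting analytic` to `analytic` (or `TTP analytic`). Style nit in the same hunk: `| rename Computer as dest | rename UserID as user` can be a single `| rename Computer as dest, UserID as user`, the form the other script block searches in this patch use.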
@@ -21,44 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: powershell process having commandline to query domain user password policy + detected on host - $dest$. + risk_objects: + - field: dest + type: system + score: 9 + - field: user + type: user + score: 9 + threat_objects: [] tags: analytic_story: - Active Directory Discovery - CISA AA23-347A asset_type: Endpoint - confidence: 30 - impact: 30 - message: powershell process having commandline to query domain user password policy detected on host - $dest$. 
mitre_attack_id: - T1201 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml index 51bc51afba..01f20fddfa 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell.yml 
@@ -1,17 +1,38 @@ name: Get DomainPolicy with Powershell id: b8f9947e-065a-11ec-aafb-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this could lead to unauthorized access to sensitive domain configurations, aiding in privilege escalation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` running + the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a + Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. This activity is significant + as it indicates potential reconnaissance efforts by adversaries to gather domain + policy information, which is crucial for planning further attacks. If confirmed + malicious, this could lead to unauthorized access to sensitive domain configurations, + aiding in privilege escalation and lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" + OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainPolicy*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `get_domainpolicy_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 
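Review bot: the description in this hunk says the analytic detects `powershell.exe` running Get-DomainPolicy, but the search it sits next to matches `Processes.process_name="cmd.exe" OR Processes.process_name="powershell*"`, so cmd.exe launches are in scope as well; either mention cmd.exe in the description or drop it from the filter. Note also that `powershell*` does not match `pwsh.exe`, so the same cmdlet run from PowerShell 7 would not be caught by this process-based search; if that is intended, state it in known_false_positives or the description.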
@@ -23,50 +44,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: an instance of process $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 60 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1201 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk 
Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml index 040b3b3a8f..b48ac3b943 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml 
@@ -1,63 +1,71 @@ name: Get DomainPolicy with Powershell Script Block id: a360d2b2-065a-11ec-b0bf-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network. +description: The following analytic detects the execution of the `Get-DomainPolicy` + cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs + capturing script block text to identify attempts to obtain the password policy in + a Windows domain. This activity is significant as it indicates potential reconnaissance + efforts by adversaries or Red Teams to gather domain policy information, which is + crucial for planning further attacks. If confirmed malicious, this behavior could + lead to detailed knowledge of domain security settings, aiding in privilege escalation + or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. 
Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*" | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | rename UserID as user | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/ - https://attack.mitre.org/techniques/T1201/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$UserID$" - search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' +- name: View the detection results for - "$Computer$" and "$user$" + search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell process with command line indicative of querying domain policy. + risk_objects: + - field: Computer + type: system + score: 30 + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 60 - impact: 50 - message: powershell process having commandline $ScriptBlockText$ to query domain policy. mitre_attack_id: - T1201 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domainpolicy.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domainpolicy.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog 
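Review bot: the new search adds `rename UserID as user` but, unlike the other script-block detections touched in this PR (get_aduserresultantpasswordpolicy_with_powershell_script_block.yml and get_domaintrust_with_powershell_script_block.yml both `rename Computer as dest`), leaves Computer unrenamed, so the system risk object here is `field: Computer` and the drilldowns use `$Computer$`; add `| rename Computer as dest` and use `field: dest` so the system risk object is named the same across the set. Separately, the new `message: Powershell process with command line indicative of querying domain policy.` drops the `$ScriptBlockText$` the old message carried and names neither host nor user, so the risk event loses the detail an analyst needs; something like "PowerShell script block querying domain policy ($ScriptBlockText$) on $Computer$ by user $user$." keeps it.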
diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml index 104e0fc7d8..b694145437 100644 --- a/detections/endpoint/get_domaintrust_with_powershell.yml +++ b/detections/endpoint/get_domaintrust_with_powershell.yml 
@@ -1,18 +1,39 @@ name: Get-DomainTrust with PowerShell id: 4fa7f846-054a-11ec-a836-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the execution of the Get-DomainTrust command from PowerView using PowerShell, which is used to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential reconnaissance efforts by an adversary to understand domain trust relationships, which can inform lateral movement strategies. If confirmed malicious, this could allow attackers to map out the network, identify potential targets, and plan further attacks, potentially compromising additional systems within the domain. +description: The following analytic identifies the execution of the Get-DomainTrust + command from PowerView using PowerShell, which is used to gather domain trust information. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and command-line telemetry. This activity is significant as + it indicates potential reconnaissance efforts by an adversary to understand domain + trust relationships, which can inform lateral movement strategies. If confirmed + malicious, this could allow attackers to map out the network, identify potential + targets, and plan further attacks, potentially compromising additional systems within + the domain. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives as this requires an active Administrator + or adversary to bring in, import, and execute. references: - https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/ drilldown_searches: 
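Review bot: the search in this hunk filters only on `Processes.process=*get-domaintrust*` with no process_name constraint, while the description says the command is run "using PowerShell"; either constrain process_name as the get_domainpolicy_with_powershell.yml search does (`Processes.process_name="cmd.exe" OR Processes.process_name="powershell*"`) or reword the description to say that any process whose command line contains get-domaintrust matches. The unquoted wildcard works, but quoting it as `"*get-domaintrust*"` would match the style of every other search in this PR.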
@@ -21,49 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 12 + - field: dest + type: system + score: 12 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 40 - impact: 30 - message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1482 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml index 8bdd67f052..49b74c7d07 100644 --- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml 
@@ -1,16 +1,29 @@ name: Get-DomainTrust with PowerShell Script Block id: 89275e7e-0548-11ec-bf75-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems. +description: The following analytic detects the execution of the Get-DomainTrust command + from PowerView using PowerShell Script Block Logging (EventCode=4104). This method + captures the full command sent to PowerShell, allowing for detailed inspection. + Identifying this activity is significant because it may indicate an attempt to gather + domain trust information, which is often a precursor to lateral movement or privilege + escalation. If confirmed malicious, this activity could enable an attacker to map + trust relationships within the domain, potentially leading to further exploitation + and compromise of additional systems. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: It is possible certain system management frameworks utilize this command to gather trust information. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: It is possible certain system management frameworks utilize + this command to gather trust information. references: - https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/ - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
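Review bot: the reference kept as context at the end of this hunk ends with a trailing period inside the URL (`...AddPowerShell#Configure_module_logging_for_PowerShell.`), which renders as part of the link and breaks the anchor; the rewritten how_to_implement repeats the same URL with the same trailing period. Drop the period in both places, and note that the anchor points at module logging configuration whereas this analytic depends on Script Block Logging (EventCode 4104), so the how_to_implement text should point readers at enabling script block logging specifically.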
@@ -23,43 +36,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 12 + - field: dest + type: system + score: 12 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 40 - impact: 30 - message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1482 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml index 7e134634f4..f6f9362eb3 100644 --- a/detections/endpoint/get_domainuser_with_powershell.yml +++ b/detections/endpoint/get_domainuser_with_powershell.yml 
@@ -1,17 +1,39 @@ name: Get DomainUser with PowerShell id: 9a5a41d6-04e7-11ec-923c-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-DomainUser` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams using PowerView for Active Directory discovery. If confirmed malicious, this could allow attackers to gain situational awareness and identify valuable targets within the domain, potentially leading to further exploitation. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments used to enumerate domain users via the `Get-DomainUser` command. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions mapped to the `Processes` + node of the `Endpoint` data model. This activity is significant as it indicates + potential reconnaissance efforts by adversaries or Red Teams using PowerView for + Active Directory discovery. If confirmed malicious, this could allow attackers to + gain situational awareness and identify valuable targets within the domain, potentially + leading to further exploitation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainUser*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" + OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainUser*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `get_domainuser_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/ 
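Review bot: the `where` clause matches `Processes.process_name="powershell*"`, which covers powershell.exe and powershell_ise.exe but not `pwsh.exe` (PowerShell 7), so `pwsh -c Get-DomainUser ...` slips past this process-based variant even though the script-block twin would still see it; consider `Processes.process_name IN ("cmd.exe", "powershell*", "pwsh.exe")`. Also, `how_to_implement` says implementers "must ingest logs that contain the process GUID", yet the `by` clause never selects `Processes.process_guid`, so either add it to the `by` list (it makes the drilldown pivot unambiguous) or drop that sentence.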
@@ -21,52 +43,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: an instance of process $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Discovery - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk 
Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml index 15f8ca9271..8b3e401a5a 100644 --- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml 
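Review bot: test coverage is narrower than `data_source` claims: the file lists Sysmon EventID 1, Windows Security 4688 and CrowdStrike ProcessRollup2, but the only test feeds `windows-sysmon.log`, so the 4688 and CrowdStrike mappings of the command line into `Processes.process` are never exercised; add a 4688 dataset or note the gap. The migration itself looks faithful: user and dest at 25 each reproduce the removed `risk_score: 25`, and `parent_process_name` as the threat object reproduces the removed `Attacker` observable.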
@@ -1,15 +1,27 @@ name: Get DomainUser with PowerShell Script Block id: 61994268-04f4-11ec-865c-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources. +description: The following analytic detects the execution of the `Get-DomainUser` + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part + of PowerView, a tool often used for domain enumeration. The detection leverages + PowerShell operational logs to identify instances where this command is executed. + Monitoring this activity is crucial as it may indicate an adversary's attempt to + gather information about domain users, which is a common step in Active Directory + Discovery. If confirmed malicious, this activity could lead to further reconnaissance + and potential exploitation of domain resources. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/ 
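Review bot: `how_to_implement` still opens with "The following Hunting analytic requires PowerShell operational logs", but the context line reads `type: TTP` and the next hunk gives this file an `rba` block with scores, so the text contradicts the type; change it to "This analytic requires ...". Also worth a sentence in the description or `known_false_positives`: the wildcard `ScriptBlockText = "*Get-DomainUser*"` fires on the script block that defines the function when PowerView itself is loaded, not only on invocations, so one import can produce several hits before any enumeration happens. Minor: `UserID as user| ` is missing the space before the pipe.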
@@ -19,44 +31,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell process having commandline "*Get-DomainUser*" for user enumeration + on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 50 - message: Powershell process having commandline "*Get-DomainUser*" for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - 
ComputerName - - User - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml index 4054f61b0a..06ed2a33db 100644 --- a/detections/endpoint/get_foresttrust_with_powershell.yml +++ b/detections/endpoint/get_foresttrust_with_powershell.yml 
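Review bot: the rba message hard-codes the literal pattern (`"*Get-DomainUser*"`) and names only `$dest$`; the other TTP messages in this patch also name `$user$`, and `user` is a risk object here, so include it so the risk event reads as "... by user $user$ on $dest$" without the analyst opening the drilldown. Leaving `$ScriptBlockText$` out of the message is the right call given how large that field can be. The removed `required_fields` list (`Message`, `ComputerName`, `User`) never matched the fields this search actually reads (`ScriptBlockText`, `Computer`, `UserID`), so nothing there needs restoring.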
@@ -1,18 +1,39 @@ name: Get-ForestTrust with PowerShell id: 584f4884-0bf1-11ec-a5ec-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of the Get-ForestTrust command via PowerShell, commonly used by adversaries to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying this activity is crucial as it indicates potential reconnaissance efforts to map out domain trusts, which can inform further attacks. If confirmed malicious, this activity could allow attackers to understand domain relationships, aiding in lateral movement and privilege escalation within the network. +description: The following analytic detects the execution of the Get-ForestTrust command + via PowerShell, commonly used by adversaries to gather domain trust information. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. Identifying this activity + is crucial as it indicates potential reconnaissance efforts to map out domain trusts, + which can inform further attacks. If confirmed malicious, this activity could allow + attackers to understand domain relationships, aiding in lateral movement and privilege + escalation within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe + OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives as this requires an active Administrator + or adversary to bring in, import, and execute. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/ drilldown_searches: 
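Review bot: the `where` clause `Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust*` has no parentheses, so its meaning depends on Splunk's own OR/AND precedence rules (which differ from most languages) and a reader cannot tell at a glance whether it means (powershell OR cmd) AND foresttrust or powershell OR (cmd AND foresttrust); the sibling `get_domainuser_with_powershell.yml` in this same patch parenthesizes its OR, so do the same here: `(Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) AND Processes.process=*get-foresttrust*`. As with the Get-DomainUser variant, `powershell.exe` does not cover `pwsh.exe`.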
@@ -21,49 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 12 + - field: dest + type: system + score: 12 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 40 - impact: 30 - message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1482 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml index bd3b8b0589..8f5863abd2 100644 --- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml 
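Review bot: the `by` clause carries `Processes.parent_process_name` but not `Processes.parent_process`, unlike the Get-DomainUser sibling, so the risk event and drilldown cannot show the launcher's full command line, which is usually the first thing an analyst wants for a PowerView hit; add `Processes.parent_process` to the `by` list. The removed `required_fields` entries (`original_file_name`, `process_path`, `parent_process_path`) were never selected by this search, so dropping them loses nothing.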
@@ -1,15 +1,27 @@ name: Get-ForestTrust with PowerShell Script Block id: 70fac80e-0bf1-11ec-9ba0-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources. +description: The following analytic detects the execution of the Get-ForestTrust command + from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method + captures the full command sent to PowerShell, providing detailed visibility into + potentially suspicious activities. Monitoring this behavior is crucial as it can + indicate an attempt to gather domain trust information, which is often a precursor + to lateral movement or privilege escalation. If confirmed malicious, this activity + could allow an attacker to map trust relationships within the domain, facilitating + further exploitation and access to sensitive resources. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives may be present. Tune as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/ 
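Review bot: the `how_to_implement` link ends in `#Configure_module_logging_for_PowerShell`, but the same sentence says the analytic needs Script Block Logging (EventCode 4104); module logging is a separate policy and enabling only it does not produce 4104 events, so an implementer who follows the anchor will turn on the wrong setting. Point the link at the script-block-logging section or drop the anchor. Style: `| rename Computer as dest | rename UserID as user` can be one command, `| rename Computer as dest, UserID as user`, as the Get-DomainUser script-block file does.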
@@ -20,45 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 12 + - field: dest + type: system + score: 12 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 40 - impact: 30 - message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1482 - T1059.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Path - - Opcode - - Computer - - UserID - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml index 74644e095f..ca6601298b 100644 --- a/detections/endpoint/get_wmiobject_group_discovery.yml +++ b/detections/endpoint/get_wmiobject_group_discovery.yml 
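Review bot: `mitre_attack_id` lists `T1482` and `T1059.001` here, while the process-based `get_foresttrust_with_powershell.yml` in the same patch lists only `T1482`; both detect the same PowerShell cmdlet, so either add `T1059.001` there or drop it here so the two files annotate consistently. The rba block (user 12, dest 12) matches the removed `risk_score: 12`.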
@@ -1,17 +1,37 @@ name: Get WMIObject Group Discovery id: 5434f670-155d-11ec-8cca-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the use of the `Get-WMIObject Win32_Group` command executed via PowerShell to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying local groups can be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out group memberships, aiding in further exploitation or unauthorized access to sensitive resources. +description: The following analytic detects the use of the `Get-WMIObject Win32_Group` + command executed via PowerShell to enumerate local groups on an endpoint. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line executions. Identifying local groups can be a precursor to + privilege escalation or lateral movement. If confirmed malicious, this activity + could allow an attacker to map out group memberships, aiding in further exploitation + or unauthorized access to sensitive resources. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe + OR processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | + `get_wmiobject_group_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ 
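Review bot: `processes.process_name=cmd.exe` (lower-case `processes`) is carried over unchanged on the reflowed search line; Splunk field names are case-sensitive, so this term never matches the data model field `Processes.process_name` and the cmd.exe branch of the OR is dead, leaving only powershell.exe launches. Fix the case while the search is being touched: `(Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe)`. Separately, `*Get-WMIObject*` does not cover the built-in `gwmi` alias or `Get-CimInstance Win32_Group`, both of which enumerate the same local groups the description is about; at minimum note the gap in `known_false_positives` or widen the pattern. Minor: a space is missing after `security_content_ctime(firstTime)`.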
@@ -20,43 +40,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System group discovery on $dest$ by $user$. mitre_attack_id: - T1069 - T1069.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml index 39f402b636..04fa251a96 100644 --- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml +++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml 
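Review bot: no `rba` block is added for this file although `message`, `confidence`, `impact`, `risk_score` and `observable` are all removed; that is consistent with `type: Hunting` (hunting analytics do not emit risk events) and with `get_wmiobject_group_discovery_with_script_block_logging.yml` later in this patch, but it means the summary text "System group discovery on $dest$ by $user$." disappears entirely rather than moving anywhere. If that is intended, fine; if hunting searches should still carry a one-line summary, fold it into `description`.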
@@ -1,15 +1,26 @@ name: Get WMIObject Group Discovery with Script Block Logging id: 69df7f7c-155d-11ec-a055-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network. +description: The following analytic detects the execution of the `Get-WMIObject Win32_Group` + command using PowerShell Script Block Logging (EventCode=4104). This method captures + the full command sent to PowerShell, allowing for detailed analysis. Identifying + group information on an endpoint is not inherently malicious but can be suspicious + based on context such as time, endpoint, and user. This activity is significant + as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, + it could lead to further enumeration and potential lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText + = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by + EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives may be present. Tune as needed. references: - https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html 
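Review bot: same issue as in `get_foresttrust_with_powershell_script_block.yml`: the `how_to_implement` link anchor points at module logging while the analytic requires Script Block Logging (EventCode 4104), so fix the anchor here too. Also, the description says the analytic "detects the execution" while the file is `type: Hunting`; "identifies" or "surfaces" would set the right expectation for a hunting search that raises no risk.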
@@ -22,36 +33,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System group discovery enumeration on $dest$ by $user$. mitre_attack_id: - T1069 - T1069.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - ComputerName - - User - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml index 06df5ece36..57df18394d 100644 --- a/detections/endpoint/getadcomputer_with_powershell.yml +++ b/detections/endpoint/getadcomputer_with_powershell.yml 
@@ -1,17 +1,37 @@ name: GetAdComputer with PowerShell id: c5a31f80-5888-4d81-9f78-1cc65026316e -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with the `Get-AdComputer` commandlet, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it indicates potential reconnaissance efforts by adversaries to map out domain computers, which is a common step in the attack lifecycle. If confirmed malicious, this behavior could allow attackers to gain situational awareness and plan further attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-AdComputer` commandlet, which is used to discover remote systems within + a domain. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. This activity is significant + because it indicates potential reconnaissance efforts by adversaries to map out + domain computers, which is a common step in the attack lifecycle. If confirmed malicious, + this behavior could allow attackers to gain situational awareness and plan further + attacks, potentially leading to unauthorized access and data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getadcomputer_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -19,37 +39,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml index 0e8f0f9739..c0723130b0 100644 --- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml 
@@ -1,16 +1,28 @@ name: GetAdComputer with PowerShell Script Block id: a9a1da02-8e27-4bf7-a348-f4389c9da487 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic detects the execution of the `Get-AdComputer` + PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This + detection leverages script block text to identify when this commandlet is run. The + `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate + all domain computers, aiding in situational awareness and Active Directory discovery. + If confirmed malicious, this activity could allow attackers to map the network, + identify targets, and plan further attacks, potentially leading to unauthorized + access and data exfiltration. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps 
@@ -20,32 +32,17 @@ tags: - CISA AA22-320A - Gozi Malware asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration on $Computer$ by $UserID$ mitre_attack_id: - T1018 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml index 8ce2215d7b..d381b71e36 100644 --- a/detections/endpoint/getadgroup_with_powershell.yml +++ b/detections/endpoint/getadgroup_with_powershell.yml 
@@ -1,17 +1,37 @@ name: GetAdGroup with PowerShell id: 872e3063-0fc4-4e68-b2f3-f2b99184a708 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows Domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an adversary or Red Team enumerating domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, privilege escalation, or lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows + Domain. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. Monitoring this activity + is crucial as it may indicate an adversary or Red Team enumerating domain groups + for situational awareness and Active Directory discovery. If confirmed malicious, + this activity could lead to further reconnaissance, privilege escalation, or lateral + movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getadgroup_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ @@ -20,38 +40,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml index 64c37d39b9..0e2b7f09ef 100644 --- a/detections/endpoint/getadgroup_with_powershell_script_block.yml +++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml 
@@ -1,16 +1,28 @@ name: GetAdGroup with PowerShell Script Block id: e4c73d68-794b-468d-b4d0-dac1772bbae7 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure. +description: The following analytic detects the execution of the `Get-AdGroup` PowerShell + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used + to enumerate all domain groups, which adversaries may exploit for situational awareness + and Active Directory discovery. Monitoring this activity is crucial as it can indicate + reconnaissance efforts within the network. If confirmed malicious, this behavior + could lead to further exploitation, such as privilege escalation or lateral movement, + by providing attackers with detailed information about the domain's group structure. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer + UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps 
@@ -18,32 +30,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration using PowerShell on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - Computer - - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml index 2544767d59..0b6c3fdefc 100644 --- a/detections/endpoint/getcurrent_user_with_powershell.yml +++ b/detections/endpoint/getcurrent_user_with_powershell.yml 
@@ -1,17 +1,37 @@ name: GetCurrent User with PowerShell id: 7eb9c3d5-c98c-4088-acc5-8240bad15379 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET class. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use this method to identify the logged-in user on a compromised endpoint, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this could allow attackers to gain insights into user context, potentially facilitating further exploitation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET + class. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line executions. This activity is + significant as adversaries may use this method to identify the logged-in user on + a compromised endpoint, aiding in situational awareness and Active Directory discovery. + If confirmed malicious, this could allow attackers to gain insights into user context, + potentially facilitating further exploitation and lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ 
@@ -19,38 +39,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System user discovery on $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml index acd2cab9a6..2203c5173f 100644 --- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml +++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml 
@@ -1,16 +1,30 @@ name: GetCurrent User with PowerShell Script Block id: 80879283-c30f-44f7-8471-d1381f6d437a -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network. +description: The following analytic detects the execution of the `GetCurrent` method + from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). + This method identifies the current Windows user. The detection leverages PowerShell + script block logs to identify when this method is called. This activity is significant + because adversaries and Red Teams may use it to gain situational awareness and perform + Active Directory discovery on compromised endpoints. If confirmed malicious, this + could allow attackers to map out user accounts and potentially escalate privileges + or move laterally within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText + = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getcurrent_user_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ - https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0 
@@ -18,33 +32,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System user discovery on $dest$ by $user$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Path - - Message - - OpCode - - ComputerName - - User - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml index a839689dc7..4cada0e98a 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell.yml 
@@ -1,17 +1,37 @@ name: GetDomainComputer with PowerShell id: ed550c19-712e-43f6-bd19-6f58f61b3a5e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize `Get-DomainComputer` to discover remote systems. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to map out the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that utilize `Get-DomainComputer` to discover remote systems. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. This activity is significant + as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for + domain enumeration and situational awareness. If confirmed malicious, this activity + could allow attackers to map out the network, identify critical systems, and plan + further attacks, potentially leading to unauthorized access and data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getdomaincomputer_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
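Review bot: The filter `Processes.process_name="powershell.exe"` only matches Windows PowerShell 5.x; PowerShell 7 runs as `pwsh.exe` and would not trigger this TTP even with `Get-DomainComputer` on the command line. Since the search line is already being rewritten, consider `Processes.process_name IN ("powershell.exe","pwsh.exe")`. The rewrap itself is safe: the search is a single-quoted YAML scalar, so the inserted line breaks fold to single spaces and the SPL is unchanged.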
@@ -21,44 +41,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery enumeration on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 80 - impact: 30 - message: Remote system discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml index 23c6796ab5..6110518366 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml 
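Review bot: The new `rba` block names `$user$` in its message but `risk_objects` only lists `dest` (`type: system`), so the executing user receives no risk score even though `Processes.user` is in the `by` clause. If that is not intentional, add a second entry `- field: user` / `type: user` with the same score. The score itself checks out: `24` equals the removed `confidence: 80` times `impact: 30` over 100.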
@@ -1,15 +1,27 @@ name: GetDomainComputer with PowerShell Script Block id: f64da023-b988-4775-8d57-38e512beb56e -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainComputer` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for enumerating domain computers within Windows environments. The detection leverages script block text analysis to identify this specific command. Monitoring this activity is crucial as it can indicate an adversary's attempt to gather information about domain computers, which is a common step in Active Directory reconnaissance. If confirmed malicious, this activity could lead to further network enumeration and potential lateral movement within the domain. +description: The following analytic detects the execution of the `Get-DomainComputer` + commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet + is part of PowerView, a tool often used for enumerating domain computers within + Windows environments. The detection leverages script block text analysis to identify + this specific command. Monitoring this activity is crucial as it can indicate an + adversary's attempt to gather information about domain computers, which is a common + step in Active Directory reconnaissance. If confirmed malicious, this activity could + lead to further network enumeration and potential lateral movement within the domain. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*") | + stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID + EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `getdomaincomputer_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators or power users may use PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
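Review bot: In the rewritten search, `lastTime` is computed by `stats` but only `firstTime` is passed through `security_content_ctime`, so `lastTime` stays an epoch value in the results; append `| \`security_content_ctime(lastTime)\`` before the filter macro, as the EDR-based sibling detection does. Separately, the `how_to_implement` text says Script Block Logging while the linked anchor is `#Configure_module_logging_for_PowerShell`; module logging does not produce EventCode 4104, so the link should point at the script block logging section.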
@@ -20,39 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery with PowerView on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 80 - impact: 30 - message: Remote system discovery with PowerView on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml index 2e7ce8733b..bfeaa95e16 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell.yml 
@@ -1,17 +1,37 @@ name: GetDomainController with PowerShell id: 868ee0e4-52ab-484a-833a-6d85b7c028d0 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with the `Get-DomainController` command, which is used to discover remote systems within a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an attempt to enumerate domain controllers, a common tactic in Active Directory discovery. If confirmed malicious, this activity could allow attackers to gain situational awareness, potentially leading to further exploitation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-DomainController` command, which is used to discover remote systems within + a Windows domain. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line arguments. Monitoring this + activity is crucial as it may indicate an attempt to enumerate domain controllers, + a common tactic in Active Directory discovery. If confirmed malicious, this activity + could allow attackers to gain situational awareness, potentially leading to further + exploitation and lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getdomaincontroller_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
@@ -20,37 +40,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 80 - impact: 30 - message: Remote system discovery using PowerView on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml index e9f9ade50f..7d2d8523fc 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml 
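Review bot: Unlike the previous files, this hunk removes `message`, `confidence`, `impact` and `risk_score: 24` without adding an `rba:` block. That is fine if it is deliberate because the detection is `type: Hunting` and is not meant to produce risk events, but it should be called out in the commit message; otherwise the score and the "Remote system discovery using PowerView on $dest$ by $user$" message are lost with no replacement.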
@@ -1,16 +1,28 @@ name: GetDomainController with PowerShell Script Block id: 676b600a-a94d-4951-b346-11329431e6c1 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainController` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for domain enumeration. The detection leverages script block text to identify this specific activity. Monitoring this behavior is crucial as it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding in lateral movement within the network. +description: The following analytic detects the execution of the `Get-DomainController` + commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet + is part of PowerView, a tool often used for domain enumeration. The detection leverages + script block text to identify this specific activity. Monitoring this behavior is + crucial as it may indicate an adversary or Red Team performing reconnaissance to + map out domain controllers. If confirmed malicious, this activity could lead to + further domain enumeration, potentially exposing sensitive information and aiding + in lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/ 
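Review bot: This search keeps the raw `Computer` and `UserID` field names, whereas the sibling `getdomaincomputer_with_powershell_script_block.yml` in the same change renames them to `dest` and `user`. Aligning on the renamed form would let both detections share the same `$dest$`/`$user$` drilldowns and risk object definitions. As in the other script block search, `lastTime` is never converted with `security_content_ctime`, only `firstTime`.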
@@ -20,39 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery with PowerView on $Computer$ by $UserID$ + risk_objects: + - field: Computer + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 80 - impact: 30 - message: Remote system discovery with PowerView on $Computer$ by $UserID$ mitre_attack_id: - T1018 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml index 21b723baaa..85f7f11b3e 100644 --- a/detections/endpoint/getdomaingroup_with_powershell.yml +++ b/detections/endpoint/getdomaingroup_with_powershell.yml 
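Review bot: The `rba` block uses `field: Computer` with `type: system`, which only works because the search above does not rename `Computer` to `dest`; the drilldown keys on `$Computer$` for the same reason. If the search is later normalized to `dest`/`user`, the `rba.risk_objects` field and both drilldown searches have to change together, so a comment or a follow-up issue noting the coupling would help the next editor.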
@@ -1,17 +1,38 @@ name: GetDomainGroup with PowerShell id: 93c94be3-bead-4a60-860f-77ca3fe59903 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` with command-line arguments that query for domain groups using `Get-DomainGroup`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to gain insights into domain group structures, aiding in further exploitation and privilege escalation. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that query for domain groups using `Get-DomainGroup`. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line executions mapped to the `Processes` node of the + `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` + is part of PowerView, a tool often used by adversaries for domain enumeration and + situational awareness. If confirmed malicious, this activity could allow attackers + to gain insights into domain group structures, aiding in further exploitation and + privilege escalation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getdomaingroup_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ 
@@ -22,45 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain group discovery with PowerView on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery with PowerView on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - 
- Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml index 5591ec7a74..913dbacb5e 100644 --- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml 
@@ -1,16 +1,28 @@ name: GetDomainGroup with PowerShell Script Block id: 09725404-a44f-4ed3-9efa-8ed5d69e4c53 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network. +description: The following analytic detects the execution of the `Get-DomainGroup` + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part + of the PowerView tool, is used to enumerate domain groups within a Windows domain. + The detection leverages script block text to identify this specific command. Monitoring + this activity is crucial as it may indicate an adversary or Red Team performing + reconnaissance to gain situational awareness and map out Active Directory structures. + If confirmed malicious, this activity could lead to further exploitation, including + privilege escalation and lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerView functions for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*") | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerView functions + for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/ 
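Review bot: `known_false_positives` is being rewrapped anyway, so fix the grammar while touching it: "may use this PowerView functions" should read "may use this PowerView function" (or "these PowerView functions"). The `lastTime` field also misses the `security_content_ctime` conversion here, same as in the other script block searches in this change.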
@@ -20,40 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain group discovery enumeration using PowerView on $Computer$ by $UserID$ + risk_objects: + - field: Computer + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration using PowerView on $Computer$ by $UserID$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaingroup.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaingroup.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml index 6665f0ab23..690b834301 100644 --- a/detections/endpoint/getlocaluser_with_powershell.yml +++ b/detections/endpoint/getlocaluser_with_powershell.yml 
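Review bot: In the new `rba` block of getdomaingroup_with_powershell_script_block.yml the message interpolates `$UserID$`, and the search groups by `UserID`, but `risk_objects` scores only `Computer`; consider adding a second entry (`- field: UserID`, `type: user`, `score: 15`) so the account performing the enumeration accrues risk as well, otherwise the user is named in the message but never appears in the risk index. The score of 15 does match the removed `confidence: 50` / `impact: 30` pair.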
@@ -1,46 +1,57 @@ name: GetLocalUser with PowerShell id: 85fae8fa-0427-11ec-8b78-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with the `Get-LocalUser` commandlet, which is used to query local user accounts. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify potential targets for further exploitation or privilege escalation within the environment. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-LocalUser` commandlet, which is used to query local user accounts. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. Monitoring this activity is significant + because adversaries and Red Teams may use it to enumerate local users for situational + awareness and Active Directory discovery. If confirmed malicious, this activity + could allow attackers to identify potential targets for further exploitation or + privilege escalation within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getlocaluser_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. 
references: - https://attack.mitre.org/techniques/T1087/001/ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local user discovery enumeration using PowerShell on $dest$ by $user$ mitre_attack_id: - T1087 - T1087.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getlocaluser_with_powershell_script_block.yml b/detections/endpoint/getlocaluser_with_powershell_script_block.yml index 6bde9c3ad2..754d2cadae 100644 --- a/detections/endpoint/getlocaluser_with_powershell_script_block.yml +++ b/detections/endpoint/getlocaluser_with_powershell_script_block.yml 
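Review bot: The `description` in getlocaluser_with_powershell.yml says the cmdlet is used for "Active Directory discovery", but `Get-LocalUser` enumerates accounts in the local SAM, not the domain; suggest wording such as "local account enumeration for situational awareness (often a precursor to Active Directory discovery)" so analysts do not expect domain objects in the results. The removal of `message`, `confidence`, `impact` and `risk_score` is consistent with `type: Hunting`, which has no `rba` block.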
@@ -1,16 +1,29 @@ name: GetLocalUser with PowerShell Script Block id: 2e891cbe-0426-11ec-9c9c-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement. +description: The following analytic detects the execution of the `Get-LocalUser` PowerShell + commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet + lists all local users on a system. The detection leverages script block text from + PowerShell logs to identify this activity. Monitoring this behavior is significant + as adversaries and Red Teams may use it to enumerate local users for situational + awareness and Active Directory discovery. If confirmed malicious, this activity + could lead to further reconnaissance, enabling attackers to identify potential targets + for privilege escalation or lateral movement. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getlocaluser_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html 
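Review bot: The `search` in getlocaluser_with_powershell_script_block.yml groups by `Computer user_id`, while every other 4104 search in this patch (Get-DomainGroup, Get-NetTcpconnection, Get-WmiObject) groups by `Opcode Computer UserID EventCode ScriptBlockText`; unless `user_id` is a field alias present in the target environment, use `UserID`, which is the field name carried by the PowerShell/Operational XML event, so the by-clause does not silently drop the user.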
@@ -19,33 +32,19 @@ tags: - Active Directory Discovery - Malicious PowerShell asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local user discovery enumeration using PowerShell on $Computer$ by $user$ mitre_attack_id: - T1087 - T1087.001 - T1059.001 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml index cb7faa1a85..bedb098129 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell.yml 
@@ -1,17 +1,37 @@ name: GetNetTcpconnection with PowerShell id: e02af35c-1de5-4afe-b4be-f45aba57272b -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `powershell.exe` with the `Get-NetTcpConnection` command, which lists current TCP connections on a system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is significant as it may indicate an adversary or Red Team performing network reconnaissance or situational awareness. If confirmed malicious, this activity could allow attackers to map network connections, aiding in lateral movement or further exploitation within the network. +description: The following analytic identifies the execution of `powershell.exe` with + the `Get-NetTcpConnection` command, which lists current TCP connections on a system. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. Monitoring this activity + is significant as it may indicate an adversary or Red Team performing network reconnaissance + or situational awareness. If confirmed malicious, this activity could allow attackers + to map network connections, aiding in lateral movement or further exploitation within + the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getnettcpconnection_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ 
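Review bot: Style point on getnettcpconnection_with_powershell.yml: the analytic `name` is "GetNetTcpconnection with PowerShell" while the description and search use the cmdlet's actual casing `Get-NetTcpConnection`; since this hunk already bumps version and date, aligning the display name (e.g. "GetNetTcpConnection with PowerShell") would cost nothing, and the derived filter macro `getnettcpconnection_with_powershell_filter` is lowercase so it is unaffected.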
@@ -20,37 +40,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Network Connection discovery on $dest$ by $user$ mitre_attack_id: - T1049 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml index 3112e995bc..aa0100c6f2 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml 
@@ -1,16 +1,28 @@ name: GetNetTcpconnection with PowerShell Script Block id: 091712ff-b02a-4d43-82ed-34765515d95d -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network. +description: The following analytic detects the execution of the `Get-NetTcpconnection` + PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet + lists network connections on a system, which adversaries may use for situational + awareness and Active Directory discovery. Monitoring this activity is crucial as + it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this + behavior could allow an attacker to map the network, identify critical systems, + and plan further attacks, potentially leading to data exfiltration or lateral movement + within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ - https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps 
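Review bot: The `search` in getnettcpconnection_with_powershell_script_block.yml matches `"*Get-NetTcpconnection*"` with a lowercase "c"; Splunk field-value wildcard matching at search time is case-insensitive, so this still fires, but using the cmdlet's casing `Get-NetTcpConnection` avoids a reader assuming a typo. Also, only `firstTime` goes through `security_content_ctime` here; add `| \`security_content_ctime(lastTime)\`` so both timestamps render.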
@@ -18,32 +30,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Network Connection discovery on $Computer$ by $user$ mitre_attack_id: - T1049 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml index a07fe4a02f..207b36cf90 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml 
@@ -1,17 +1,39 @@ name: GetWmiObject Ds Computer with PowerShell id: 7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote systems, specifically targeting the `DS_Computer` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain computers and gather situational awareness within Active Directory. If confirmed malicious, this behavior could allow attackers to map the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote + systems, specifically targeting the `DS_Computer` parameter. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to enumerate domain computers and gather situational + awareness within Active Directory. If confirmed malicious, this behavior could allow + attackers to map the network, identify critical systems, and plan further attacks, + potentially leading to unauthorized access and data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" AND Processes.process="*class ds_computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" + AND Processes.process="*class ds_computer*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getwmiobject_ds_computer_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
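Review bot: In getwmiobject_ds_computer_with_powershell.yml the `search` mixes an unquoted term (`Processes.process=*Get-WmiObject*`) with two quoted ones; quote all three for consistency. The double backslashes in `"*namespace root\\directory\\ldap*"` are correct as written: the YAML single-quoted scalar keeps `\\` literally, and SPL then unescapes it inside the double-quoted string to a single `\`, so the pattern matches `root\directory\ldap` on the command line. A short comment to that effect would save the next editor from "fixing" it to a single backslash.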
@@ -21,44 +43,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery enumeration using WMI on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 21 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 70 - impact: 30 - message: Remote system discovery enumeration using WMI on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml index ccda84eb9d..ab5ae3dd63 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml 
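Review bot: The new `rba.score: 21` in getwmiobject_ds_computer_with_powershell.yml reproduces the removed `confidence: 70` × `impact: 30` / 100, so the migration is faithful, but the script-block twin of this analytic (getwmiobject_ds_computer_with_powershell_script_block.yml, same patch) keys on identical indicators and scores 15; if the difference is intentional (EDR command line being a higher-fidelity source), a one-line rationale in the description would help, otherwise align the two. As with the other `rba` blocks, `$user$` is in the message but not among `risk_objects`.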
@@ -1,16 +1,28 @@ name: GetWmiObject Ds Computer with PowerShell Script Block id: 29b99201-723c-4118-847a-db2b3d3fb8ea -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation. +description: The following analytic detects the execution of the `Get-WmiObject` cmdlet + with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). + This detection leverages script block text to identify queries targeting domain + computers using WMI. Monitoring this activity is crucial as adversaries and Red + Teams may use it for Active Directory Discovery and situational awareness. If confirmed + malicious, this behavior could allow attackers to map out domain computers, facilitating + further attacks such as lateral movement or privilege escalation. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace + root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") | stats count + min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 
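Review bot: The reflow in getwmiobject_ds_computer_with_powershell_script_block.yml wraps the `search` scalar in the middle of a quoted SPL literal (`"*namespace` / `root\\directory\\ldap*"`). YAML folds the line break into a single space and strips the continuation indent, so the value is preserved, but a wrap inside a quoted string is easy to misread as a split argument; prefer breaking at a `|` or `AND` boundary. Like the Get-DomainGroup search, this one also leaves `lastTime` unconverted.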
@@ -20,39 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery enumeration on $Computer$ by $UserID$ + risk_objects: + - field: Computer + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration on $Computer$ by $UserID$ mitre_attack_id: - T1018 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml index 6ec59747aa..11b144c48c 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml 
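Review bot: the new `rba` block keys the risk object on `Computer` and the message on `$Computer$`/`$UserID$` because this search never normalizes its fields, whereas the ds_group and ds_user script block searches in this same PR `rename Computer as dest | rename UserID as user` and score `dest`/`user`. For consistent risk object naming across the Active Directory Discovery story, add the same two renames to the search and switch the drilldown, `message` and `risk_objects` here to `dest` and `user`.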
@@ -1,17 +1,38 @@ name: GetWmiObject Ds Group with PowerShell id: df275a44-4527-443b-b884-7600e066e3eb -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the execution of `powershell.exe` with command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet and the `-class ds_group` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this could allow attackers to gain insights into the domain structure, aiding in further attacks and privilege escalation. +description: The following analytic identifies the execution of `powershell.exe` with + command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet + and the `-class ds_group` parameter. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it indicates potential reconnaissance + efforts by adversaries to enumerate domain groups, which is a common step in Active + Directory Discovery. If confirmed malicious, this could allow attackers to gain + insights into the domain structure, aiding in further attacks and privilege escalation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" AND Processes.process="*class ds_group*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" + AND Processes.process="*class ds_group*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getwmiobject_ds_group_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ 
@@ -22,45 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain group discovery enumeration on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml index 22c9d6092f..5dcd4326a6 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml 
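Review bot: `threat_objects: []` drops the parent process even though `Processes.parent_process` is already in the `by` clause, and the ds_user process variant in this PR declares `parent_process_name` as a threat object for the same kind of enumeration. Either add `Processes.parent_process_name` to the `by` clause and declare `- field: parent_process_name` / `type: parent_process_name` here, or note that the empty list is intentional.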
@@ -1,16 +1,29 @@ name: GetWmiObject Ds Group with PowerShell Script Block id: 67740bd3-1506-469c-b91d-effc322cc6e5 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-WmiObject` commandlet with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network. +description: The following analytic detects the execution of the `Get-WmiObject` commandlet + with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). + This method leverages WMI to query all domain groups. Monitoring this activity is + crucial as adversaries and Red Teams may use it for domain group enumeration, aiding + in situational awareness and Active Directory discovery. If confirmed malicious, + this activity could allow attackers to map out the domain structure, potentially + leading to further exploitation and privilege escalation within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace + root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) + as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 
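Review bot: the reflow breaks the `search` scalar in the middle of a double-quoted SPL literal (`ScriptBlockText="*namespace` on one line, `root\\directory\\ldap*"` on the next). Because the value is a single-quoted YAML scalar the break folds to one space, so the resulting SPL is unchanged, but the continuation must remain a single non-blank line (a blank line would fold to a newline inside the pattern); breaking after the closing quote, as the ds_group process search does, avoids that fragility. Style: the tail `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter` is missing spaces around the last pipe, and "commandlet" in the description should read "cmdlet".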
@@ -20,40 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain group discovery enumeration using PowerShell on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain group discovery enumeration using PowerShell on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml index 47f97e6a25..5cd432dcaa 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml 
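Review bot: the search exposes both `dest` and `user` through its renames, yet `risk_objects` scores only `dest`, while the ds_user script block variant in this PR scores `dest` and `user` each for the same class of enumeration. Either add `- field: user` / `type: user` / `score: 15` here for consistency, or record why the user should not carry risk for group enumeration.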
@@ -1,17 +1,39 @@ name: GetWmiObject DS User with PowerShell id: 22d3b118-04df-11ec-8fa3-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` with command-line arguments used to query domain users via the `Get-WmiObject` cmdlet and `-class ds_user` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this could lead to further attacks, including privilege escalation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments used to query domain users via the `Get-WmiObject` cmdlet + and `-class ds_user` parameter. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it indicates potential reconnaissance efforts by + adversaries to enumerate domain users, which is a common step in Active Directory + Discovery. If confirmed malicious, this could lead to further attacks, including + privilege escalation and lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*get-wmiobject*" AND Processes.process = "*ds_user*" AND Processes.process = "*root\\directory\\ldap*" AND Processes.process = "*-namespace*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" + OR Processes.process_name="powershell*") AND Processes.process = "*get-wmiobject*" + AND Processes.process = "*ds_user*" AND Processes.process = "*root\\directory\\ldap*" + AND Processes.process = "*-namespace*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm 
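Review bot: the description says the analytic identifies `powershell.exe`, but the `where` clause matches `Processes.process_name="cmd.exe" OR Processes.process_name="powershell*"`, so cmd.exe launches and powershell_ise.exe also qualify. Either narrow the search to the documented process or update the description to say cmd.exe or a PowerShell host, so triage expectations match what actually fires. The `Processes.process = "*..."` spacing also differs from the other ds_* searches, which write `Processes.process="*..."`.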
@@ -21,51 +43,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: an instance of process $process_name$ with commandline $process$ on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security 
- Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml index 124ff99680..ac5f12c52e 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml 
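Review bot: the `rba.message` ("an instance of process $process_name$ with commandline $process$ on $dest$") does not say what was detected, unlike the sibling messages in this PR ("Domain group discovery enumeration on $dest$ by $user$"). Since this text becomes the risk_message analysts read, suggest "Domain user discovery enumeration via $process_name$ on $dest$ by $user$", leaving `$process$` to the drilldown. The `parent_process_name` threat object is correctly backed by `Processes.parent_process_name` in the `by` clause.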
@@ -1,15 +1,28 @@ name: GetWmiObject DS User with PowerShell Script Block id: fabd364e-04f3-11ec-b34b-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement. +description: The following analytic detects the execution of the `Get-WmiObject` cmdlet + with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). + It leverages logs to identify attempts to query all domain users using WMI. This + activity is significant as it may indicate an adversary or Red Team operation attempting + to enumerate domain users for situational awareness and Active Directory discovery. + If confirmed malicious, this behavior could lead to further reconnaissance, enabling + attackers to map out the network and identify potential targets for privilege escalation + or lateral movement. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText = "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText + = "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.blackhillsinfosec.com/red-blue-purple/ 
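Review bot: `how_to_implement` still opens with "The following Hunting analytic requires...", but the file declares `type: TTP` and the next hunk adds an `rba` block, so the sentence is misleading; reword to "This analytic requires PowerShell operational logs to be imported" and keep the note that it is specific to 4104. Style: `rename UserID as user|` is missing a space before the pipe.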
@@ -20,44 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: powershell process having commandline for user enumeration detected on + host - $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: powershell process having commandline for user enumeration detected on host - $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - 
- EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml index 35378a0a38..0c6134ae47 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml 
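Review bot: `rba.message` reads "powershell process having commandline for user enumeration detected on host - $dest$", but this detection keys on `ScriptBlockText` (EventCode 4104), not on a command line, and the grammar is off. Suggest "Domain user discovery enumeration using PowerShell on $dest$ by $user$", which matches the ds_group script block message and uses the `user` field that is already declared as a risk object.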
@@ -1,18 +1,39 @@ name: GetWmiObject User Account with PowerShell id: b44f6ac6-0429-11ec-87e9-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` parameter to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate user accounts for situational awareness or Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` + parameter to query local user accounts. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it may indicate an attempt by adversaries to enumerate + user accounts for situational awareness or Active Directory discovery. If confirmed + malicious, this behavior could lead to further reconnaissance, privilege escalation, + or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by + Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ tags: 
@@ -20,28 +41,18 @@ tags: - Winter Vivern - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local user discovery enumeration using PowerShell on $dest$ by $user$ mitre_attack_id: - T1087 - T1087.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml index b8a6c9925d..1a5ed182ed 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml 
@@ -1,16 +1,27 @@ name: GetWmiObject User Account with PowerShell Script Block id: 640b0eda-0429-11ec-accd-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network. +description: The following analytic detects the execution of the `Get-WmiObject` commandlet + with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). + This method leverages script block text to identify when a list of all local users + is being enumerated. This activity is significant as it may indicate an adversary + or Red Team operation attempting to gather user information for situational awareness + and Active Directory discovery. If confirmed malicious, this could lead to further + reconnaissance, privilege escalation, or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html 
@@ -20,33 +31,19 @@ tags: - Active Directory Discovery - Malicious PowerShell asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local user discovery enumeration using PowerShell on $Computer$ by $UserID$ mitre_attack_id: - T1087 - T1087.001 - T1059.001 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index 2dd86849c6..46ab4b2a2e 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -1,7 +1,7 @@ name: GPUpdate with no Command Line Arguments with Network id: 2c853856-a140-11eb-a5b5-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,6 +54,22 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process gpupdate.exe with parent_process $parent_process_name$ is executed + on $dest$ by user $user$, followed by an outbound network connection to $C2$ on + port $dest_port$. This behaviour is seen with cobaltstrike. + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: C2 + type: ip_address tags: analytic_story: - Graceful Wipe Out Attack @@ -61,47 +77,17 @@ tags: - Compromised Windows Host - BlackByte Ransomware asset_type: Endpoint - confidence: 90 - impact: 90 - message: Process gpupdate.exe with parent_process $parent_process_name$ is executed - on $dest$ by user $user$, followed by an outbound network connection to $C2$ on - port $dest_port$. This behaviour is seen with cobaltstrike. mitre_attack_id: - T1055 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: C2 - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventID - - process_name - - process_id - - parent_process_name - - dest_port - - process_path - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index be661ffec4..6d6557e0ab 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -1,7 +1,7 @@ name: Headless Browser Mockbin or Mocky Request id: 94fc85a1-e55b-4265-95e1-4b66730e05c0 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP 
@@ -9,10 +9,28 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects headless browser activity accessing mockbin.org or mocky.io. It identifies processes with the "--headless" and "--disable-gpu" command line arguments, along with references to mockbin.org or mocky.io. This behavior is significant as headless browsers are often used for automated tasks, including malicious activities like web scraping or automated attacks. If confirmed malicious, this activity could indicate an attempt to bypass traditional browser security measures, potentially leading to data exfiltration or further exploitation of web applications. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io. +description: The following analytic detects headless browser activity accessing mockbin.org + or mocky.io. 
It identifies processes with the "--headless" and "--disable-gpu" command + line arguments, along with references to mockbin.org or mocky.io. This behavior + is significant as headless browsers are often used for automated tasks, including + malicious activities like web scraping or automated attacks. If confirmed malicious, + this activity could indicate an attempt to bypass traditional browser security measures, + potentially leading to data exfiltration or further exploitation of web applications. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" + AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" + OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `headless_browser_mockbin_or_mocky_request_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives are not expected with this detection, unless + within the organization there is a legitimate need for headless browsing accessing + mockbin.org or mocky.io. references: - https://mockbin.org/ - https://www.mocky.io/ 
@@ -22,45 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Headless browser activity accessing mockbin.org or mocky.io detected on + $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Forest Blizzard asset_type: Endpoint atomic_guid: [] - confidence: 70 - impact: 80 - message: Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$. 
mitre_attack_id: - T1564.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index 9a6324c014..a9351e7245 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -1,7 +1,7 @@ name: Headless Browser Usage id: 869ba261-c272-47d7-affe-5c0aa85c93d6 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting 
@@ -9,10 +9,28 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the "--headless" and "--disable-gpu" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. +description: The following analytic detects the usage of headless browsers within + an organization. 
It identifies processes containing the "--headless" and "--disable-gpu" + command line arguments, which are indicative of headless browsing. This detection + leverages data from the Endpoint.Processes datamodel to identify such processes. + Monitoring headless browser usage is significant as these tools can be exploited + by adversaries for malicious activities like web scraping, automated testing, and + undetected web interactions. If confirmed malicious, this activity could lead to + unauthorized data extraction, automated attacks, or other covert operations on web + applications. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" + AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `headless_browser_usage_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: This hunting analytic is meant to assist with baselining and + understanding headless browsing in use. Filter as needed. references: - https://cert.gov.ua/article/5702579 tags: 
@@ -20,38 +38,17 @@ tags: - Forest Blizzard asset_type: Endpoint atomic_guid: [] - confidence: 50 - impact: 30 - message: Behavior related to headless browser usage detected on $dest$ by $user$. mitre_attack_id: - T1564.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - sourcetype security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 360c2972a2..4f0cf07c61 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml 
@@ -5,16 +5,23 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" with a value of "0x00000000". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk. +description: The following analytic detects a suspicious registry modification that + hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" + with a value of "0x00000000". This activity is significant as it may indicate an + adversary attempting to create a hidden admin account to avoid detection and maintain + persistence on the compromised machine. If confirmed malicious, this could allow + the attacker to maintain undetected access and control over the system, posing a + severe security risk. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" - AND Registry.registry_value_data = "0x00000000") BY Registry.dest - Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `hide_user_account_from_sign_in_screen_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows + NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" AND Registry.registry_value_data + = "0x00000000") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -28,9 +35,28 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious registry modification ($registry_value_name$) which is used + go hide a user account on the Windows Login screen detected on $dest$ executed + by $user$ + risk_objects: + - field: user + type: user + score: 72 + - field: dest + type: system + score: 72 + threat_objects: + - field: registry_value_name + type: registry_value_name tags: analytic_story: - XMRig 
@@ -38,42 +64,18 @@ tags: - Azorult - Warzone RAT asset_type: Endpoint - confidence: 80 - impact: 90 - message: Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: registry_value_name - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 328268b77a..c95af49a98 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -1,7 +1,7 @@ name: Hiding Files And Directories With Attrib exe id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1 -version: '8' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Bhavin Patel, Splunk status: production type: TTP 
@@ -48,44 +48,36 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected. + risk_objects: + - field: user + type: user + score: 72 + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - - Windows Persistence Techniques - Azorult + - Windows Persistence Techniques - Compromised Windows Host - Windows Defense Evasion Tactics + - Crypto Stealer asset_type: Endpoint - confidence: 80 - impact: 90 - message: Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected. mitre_attack_id: - T1222 - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.process_name - - Processes.parent_process - - Processes.user - - Processes.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml index 40456bc74e..e52e4222e0 100644 --- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml +++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml 
@@ -1,16 +1,34 @@ name: High Frequency Copy Of Files In Network Share id: 40925f12-4709-11ec-bb43-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information. +description: The following analytic detects a high frequency of file copying or moving + within network shares, which may indicate potential data sabotage or exfiltration + attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access + to specific file types and network shares. This activity is significant as it can + reveal insider threats attempting to transfer classified or internal files, potentially + leading to data breaches or evidence tampering. If confirmed malicious, this behavior + could result in unauthorized data access, data loss, or compromised sensitive information. 
data_source: - Windows Event Log Security 5145 -search: '`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -known_false_positives: This behavior may seen in normal transfer of file within network if network share is common place for sharing documents. 
+search: '`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") + ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= + "0x2" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, + values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) + as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress + count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) + as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, + _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) + | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) + | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also + required. Also enable the object Audit access success/failure in your group policy. +known_false_positives: This behavior may seen in normal transfer of file within network + if network share is common place for sharing documents. references: - https://attack.mitre.org/techniques/T1537/ drilldown_searches: 
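Review bot: the outlier test in the reflowed search of high_frequency_copy_of_files_in_network_share.yml still compares the average to itself: `| eval upperThreshold=(avgShareName + stdShareName *3)` followed by `| eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0)` can only be true when stdShareName is 0, because upperThreshold is avgShareName plus a non-negative term. The per-slot count `numShareName` looks like the intended left-hand side (`numShareName >= upperThreshold`), and since the version is bumped in this hunk anyway it is a good moment to fix it rather than carry the dead condition forward. While known_false_positives is being rewrapped, its grammar should also be corrected: "This behavior may be seen in normal file transfers within the network if the network share is a common place for sharing documents."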
@@ -19,48 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: High frequency copy of document into a network share from $src_ip$ by $src_user$ + risk_objects: + - field: src_user + type: user + score: 9 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Information Sabotage - Insider Threat asset_type: Endpoint - confidence: 30 - impact: 30 - message: High frequency copy of document into a network share from $src_ip$ by $src_user$ mitre_attack_id: - T1537 - observable: - - name: src_user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Share_Name - - Relative_Target_Name - - Object_Type - - 
Access_Mask - - user - - src_port - - Source_Address - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index 6835d76660..2214668507 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml 
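Review bot: the tags hunk of high_frequency_copy_of_files_in_network_share.yml drops `- update_timestamp: true` from the True Positive Test attack_data without any related change elsewhere in the file, so the replayed dataset would no longer have its timestamps rewritten to the current time; if that is deliberate, state it in the commit message, otherwise keep the line. The new rba block itself is consistent with what it replaces: src_user (Victim) becomes a user risk object, src_ip (Attacker) becomes an ip_address threat object, and score 9 matches the removed confidence 30 and impact 30.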
@@ -1,15 +1,26 @@ name: High Process Termination Frequency id: 17cd75b2-8666-11eb-9ab4-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras status: production type: Anomaly -description: The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss. +description: The following analytic identifies a high frequency of process termination + events on a computer within a short period. It leverages Sysmon EventCode 5 logs + to detect instances where 15 or more processes are terminated within a 3-second + window. This behavior is significant as it is commonly associated with ransomware + attempting to avoid exceptions during file encryption. If confirmed malicious, this + activity could indicate an active ransomware attack, potentially leading to widespread + file encryption and significant data loss. data_source: - Sysmon EventID 5 -search: '`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+search: '`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated + min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID + | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `high_process_termination_frequency_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Image (process full path of terminated process) from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: admin or user tool that can terminate multiple process. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft 
@@ -20,46 +31,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: High frequency process termination (more than 15 processes within 3s) detected + on host $dest$ + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: proc_terminated + type: process tags: analytic_story: - - Clop Ransomware - LockBit Ransomware - - BlackByte Ransomware - - Rhysida Ransomware + - Clop Ransomware - Snake Keylogger + - Rhysida Ransomware + - BlackByte Ransomware + - Crypto Stealer asset_type: Endpoint - confidence: 80 - impact: 90 - message: High frequency process termination (more than 15 processes within 3s) detected on host $dest$ mitre_attack_id: - T1486 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: proc_terminated - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - Image - - dest - - _time - - ProcessID - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml index 7e2c649411..67d921a0ac 100644 --- a/detections/endpoint/hunting_3cxdesktopapp_software.yml +++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml @@ -1,7 +1,7 @@ name: Hunting 3CXDesktopApp Software id: 553d0429-1a1c-44bf-b3f5-a8513deb9ee5 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk type: Hunting status: production 
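Review bot: in the tags hunk of high_process_termination_frequency.yml the new rba message reads "more than 15 processes within 3s" while the search thresholds on `| where count >= 15` and the description says "15 or more"; change the message to "15 or more processes within 3s" so the three agree. The analytic_story list is also reordered (Clop Ransomware, Rhysida Ransomware and BlackByte Ransomware are deleted and re-added at new positions) on top of adding Crypto Stealer, which makes the diff noisier than the intended change; appending the new story without reordering keeps the hunk minimal.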
@@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. +description: The following analytic detects the presence of any version of the 3CXDesktopApp, + also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint + data model's Processes node to identify instances of the application running, although + it does not provide file version information. This activity is significant because + 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could + be exploited by attackers. If confirmed malicious, this could lead to unauthorized + access, data exfiltration, or further compromise of the affected systems. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe + OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: There may be false positives generated due to the reliance + on version numbers for identification purposes. Despite this limitation, the primary + goal of this approach is to aid in the detection of the software within the environment. references: - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp @@ -23,44 +44,19 @@ tags: analytic_story: - 3CX Supply Chain Attack asset_type: Endpoint - confidence: 50 cve: - CVE-2023-29059 - impact: 80 - message: An instance $process_name$ was identified on endpoint $dest$. mitre_attack_id: - T1195.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index 9ee94c4cdc..20178963ee 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -1,7 +1,7 @@ name: Icacls Deny Command id: cf8d753e-a8fe-11eb-8f58-acde48001122 -version: 5 -date: '2024-12-06' +version: 6 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -50,46 +50,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ with deny argument executed by $user$ to change + security permission of a specific file or directory on host $dest$ + risk_objects: + - field: dest + type: system + score: 72 + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Azorult - Sandworm Tools - - XMRig - Compromised Windows Host + - XMRig + - Crypto Stealer - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 80 - impact: 90 - message: Process name $process_name$ with deny argument executed by $user$ to change - security permission of a specific file or directory on host $dest$ mitre_attack_id: - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index f4618f0bfb..a3850db7a3 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml 
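Review bot: in the icacls_deny_command.yml tags hunk, `- XMRig` is removed and re-added two lines lower purely to reorder the list; appending `- Crypto Stealer` in place would limit the diff to the actual change. The rest of the hunk checks out: both risk objects (dest as system, user as user) carry score 72, matching the removed confidence 80 and impact 90, and `threat_objects: []` is appropriate since neither removed observable had an Attacker role.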
@@ -1,17 +1,37 @@ name: ICACLS Grant Command id: b1b1e316-accc-11eb-a9b4-acde48001122 -version: 4 -date: '2024-12-06' +version: '5' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise. +type: Anomaly +description: The following analytic detects the use of the ICACLS command to grant + additional access permissions to files or directories. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on specific process names and command-line + arguments. This activity is significant because it is commonly used by Advanced + Persistent Threats (APTs) and coinminer scripts to evade detection and maintain + control over compromised systems. If confirmed malicious, this behavior could allow + attackers to manipulate file permissions, potentially leading to unauthorized access, + data exfiltration, or further system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", + "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 
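Review bot: in the icacls_grant_command.yml header hunk `-version: 4` becomes `+version: '5'`, a quoted string, while every other file in this patch uses a bare integer (the Impacket hunks further down even normalise `'6'` to `7` and `'4'` to `5`); use `version: 5`. The same hunk changes `type: TTP` to `type: Anomaly` with no change to the search or description, which alters how the detection is surfaced and should be called out in the commit message; the description's claim that this activity "is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts" may also want softening to fit an Anomaly classification.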
@@ -21,46 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ with grant argument executed by $user$ to change + security permission of a specific file or directory on host $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - - XMRig - Ransomware + - Crypto Stealer + - XMRig - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$ mitre_attack_id: - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - 
type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml index 1d08d86553..d0965e6ffb 100644 --- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml +++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml 
@@ -1,17 +1,30 @@ name: IcedID Exfiltrated Archived File Creation id: 0db4da70-f14b-11eb-8043-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network. +description: The following analytic detects the creation of suspicious files named + passff.tar and cookie.tar, which are indicative of archived stolen browser information + such as history and cookies on a machine compromised with IcedID. It leverages Sysmon + EventCode 11 to identify these specific filenames. This activity is significant + because it suggests that sensitive browser data has been exfiltrated, which could + lead to further exploitation or data breaches. If confirmed malicious, this could + allow attackers to access personal information, conduct further phishing attacks, + or escalate their presence within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename + = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by + TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid 
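Review bot: in the icedid_exfiltrated_archived_file_creation.yml header hunk the reflowed search still keys on `sysmon` EventCode= 11 (file creation) and groups by TargetFilename, but the unchanged data_source list names Sysmon EventID 1, Windows Event Log Security 4688 and CrowdStrike ProcessRollup2, and how_to_implement asks for "the process name, parent process, and command-line executions". None of those sources supply TargetFilename for a file-creation event; since the version is bumped here, set data_source to Sysmon EventID 11 and reword how_to_implement to require file-creation events carrying TargetFilename, process_name and dest.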
@@ -19,37 +32,18 @@ tags: analytic_story: - IcedID asset_type: Endpoint - confidence: 90 - impact: 80 - message: Process $process_name$ create a file $TargetFilename$ on host $dest$ mitre_attack_id: - T1560.001 - T1560 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - TargetFilename - - EventCode - - process_id - - process_name - - dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index 7bdab33244..67d36cf818 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -1,7 +1,7 @@ name: Impacket Lateral Movement Commandline Parameters id: 8ce07472-496f-11ec-ab3b-3e22fbd008af -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: TTP @@ -60,6 +60,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious command line parameters on $dest$ may represent a lateral movement + attack with Impackets tools + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - WhisperGate 
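Review bot: the new rba block in impacket_lateral_movement_commandline_parameters.yml carries over "attack with Impackets tools" from the removed message; correct it to "attack with Impacket tools" while the text is being moved. The version change from `'6'` to `7` also normalises the quoted string to an integer, which is the right direction and worth applying consistently across the patch.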
@@ -73,43 +81,21 @@ tags: - Compromised Windows Host - CISA AA22-277A asset_type: Endpoint - confidence: 70 - impact: 90 - message: Suspicious command line parameters on $dest$ may represent a lateral movement - attack with Impackets tools mitre_attack_id: - T1021 - T1021.002 - T1021.003 - T1047 - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml index e4aa7d34b7..b48dcbbc37 100644 --- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml @@ -1,7 +1,7 @@ name: Impacket Lateral Movement smbexec CommandLine Parameters id: bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -61,6 +61,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious command-line parameters on $dest$ may represent lateral movement + using smbexec. + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - WhisperGate @@ -74,38 +82,21 @@ tags: - CISA AA22-277A asset_type: Endpoint atomic_guid: [] - confidence: 70 - impact: 90 - message: Suspicious command-line parameters on $dest$ may represent lateral movement - using smbexec. mitre_attack_id: - T1021 - T1021.002 - T1021.003 - T1047 - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index 323dd1fa6b..7965e0f409 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml 
@@ -1,7 +1,7 @@ name: Impacket Lateral Movement WMIExec Commandline Parameters id: d6e464e4-5c6a-474e-82d2-aed616a3a492 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -60,6 +60,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious command-line parameters on $dest$ may represent lateral movement + using wmiexec. + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - WhisperGate @@ -74,38 +82,21 @@ tags: - CISA AA22-277A asset_type: Endpoint atomic_guid: [] - confidence: 70 - impact: 90 - message: Suspicious command-line parameters on $dest$ may represent lateral movement - using wmiexec. mitre_attack_id: - T1021 - T1021.002 - T1021.003 - T1047 - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml index 99735271b1..a096091412 100644 
--- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml +++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml 
@@ -1,16 +1,31 @@ name: Interactive Session on Remote Endpoint with PowerShell id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information. +description: The following analytic detects the use of the `Enter-PSSession` cmdlet + to establish an interactive session on a remote endpoint via the WinRM protocol. + It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity + by searching for specific script block text patterns. This behavior is significant + as it may indicate lateral movement or remote code execution attempts by adversaries. + If confirmed malicious, this activity could allow attackers to execute commands + remotely, potentially leading to further compromise of the network and unauthorized + access to sensitive information. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. +search: '`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup instructions + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage WinRM and `Enter-PSSession` for + administrative and troubleshooting tasks. This activity is usually limited to a + small set of hosts or users. In certain environments, tuning may not be possible. 
references: - https://attack.mitre.org/techniques/T1021/006/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2 
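Review bot: In the reflowed `how_to_implement` of interactive_session_on_remote_endpoint_with_powershell.yml, `Additional setup instructions can be found https://docs.splunk.com/...` is missing a preposition; since the line is already touched, make it `can be found at https://...`. Also, this file's `date` moves to '2024-11-13' while the other detections in this patch are stamped '2024-12-10' (and some already carried '2024-11-28'); use one date for the whole change so the version and date history stays monotonic.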
@@ -20,39 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An interactive session was opened on a remote endpoint from $dest$ + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 90 - message: An interactive session was opened on a remote endpoint from $dest$ mitre_attack_id: - T1021 - T1021.006 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - ComputerName - - User - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml index 283304bac3..7c1a51343d 100644 --- a/detections/endpoint/java_writing_jsp_file.yml +++ b/detections/endpoint/java_writing_jsp_file.yml 
@@ -1,16 +1,37 @@ name: Java Writing JSP File id: eb65619c-4f8d-4383-a975-d352765d344b -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk. +description: The following analytic detects the Java process writing a .jsp file to + disk, which may indicate a web shell being deployed. It leverages data from the + Endpoint datamodel, specifically monitoring process and filesystem activities. This + activity is significant because web shells can provide attackers with remote control + over the compromised server, leading to further exploitation. If confirmed malicious, + this could allow unauthorized access, data exfiltration, or further compromise of + the affected system, posing a severe security risk. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("java","java.exe", "javaw.exe") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.jsp*" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name IN ("java","java.exe", "javaw.exe") by _time Processes.process_id + Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` + | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name="*.jsp*" by _time Filesystem.dest Filesystem.file_create_time + Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user + | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name + file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) + as lastTime by dest process_name process_guid file_name file_path file_create_time + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `java_writing_jsp_file_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` + node. In addition, confirm the latest CIM App 4.20 or higher is installed and the + latest TA for the endpoint product. +known_false_positives: False positives are possible and filtering may be required. + Restrict by assets or filter known jsp files that are common for the environment. references: - https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/ - https://github.com/TheGejr/SpringShell 
@@ -21,60 +42,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ writing + a jsp file $file_name$ to disk, potentially indicative of exploitation. + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spring4Shell CVE-2022-22965 - Atlassian Confluence Server and Data Center CVE-2022-26134 - SysAid On-Prem Software CVE-2023-47246 Vulnerability asset_type: Endpoint - confidence: 70 cve: - CVE-2022-22965 - impact: 60 - message: An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.process_guid - - Filesystem.user - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml index 26b541ed1f..a88bd5debd 100644 --- a/detections/endpoint/jscript_execution_using_cscript_app.yml +++ b/detections/endpoint/jscript_execution_using_cscript_app.yml 
@@ -1,17 +1,37 @@ name: Jscript Execution Using Cscript App id: 002f1e24-146e-11ec-a470-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant because JScript files are typically executed by wscript.exe, making cscript.exe execution unusual and potentially indicative of malicious activity, such as the FIN7 group's tactics. If confirmed malicious, this activity could allow attackers to execute arbitrary scripts, leading to code execution, data exfiltration, or further system compromise. +description: The following analytic detects the execution of JScript using the cscript.exe + process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process and command-line telemetry. This behavior is significant because JScript + files are typically executed by wscript.exe, making cscript.exe execution unusual + and potentially indicative of malicious activity, such as the FIN7 group's tactics. + If confirmed malicious, this activity could allow attackers to execute arbitrary + scripts, leading to code execution, data exfiltration, or further system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "cscript.exe" AND Processes.parent_process = "*//e:jscript*") OR (Processes.process_name = "cscript.exe" AND Processes.process = "*//e:jscript*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name + = "cscript.exe" AND Processes.parent_process = "*//e:jscript*") OR (Processes.process_name + = "cscript.exe" AND Processes.process = "*//e:jscript*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process_id Processes.process + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation 
@@ -22,47 +42,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ with commandline $process$ to execute jscript + on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - FIN7 - Remcos asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process name $process_name$ with commandline $process$ to execute jscript in $dest$ mitre_attack_id: - T1059 - T1059.007 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - 
Processes.process_name - - Processes.process_id - - Processes.process - - Processes.dest - - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml index 344fa08b5e..948d171659 100644 --- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml +++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml @@ -1,7 +1,7 @@ name: Kerberoasting spn request with RC4 encryption id: 5cc67381-44fa-4111-8a37-7a230943f027 -version: '8' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Dean Luxton, Splunk status: production type: TTP @@ -45,6 +45,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ requested a service ticket for SPN $service_id$ with RC4 encryption + risk_objects: + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Windows Privilege Escalation 
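Review bot: In the `rba` hunk of jscript_execution_using_cscript_app.yml the message was reworded from `to execute jscript in $dest$` to `on $dest$`, which is a wording change beyond the field migration and worth a line in the commit message; while editing it, give the message a verb, e.g. `Process $process_name$ with command line $process$ was used to execute JScript on $dest$`, so the risk notable reads as a sentence.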
@@ -53,34 +60,18 @@ tags: - Compromised Windows Host - Hermetic Wiper asset_type: Endpoint - confidence: 80 - impact: 90 - message: User $user$ requested a service ticket for SPN $service_id$ with RC4 encryption mitre_attack_id: - T1558 - T1558.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TicketOptions - - TicketEncryptionType - - Computer - - service - - service_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index ce485d7acb..f5d8ed8cf8 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml 
@@ -1,15 +1,26 @@ name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl id: 0cb847ee-9423-11ec-b2df-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information. +description: The following analytic detects when the Kerberos Pre-Authentication flag + is disabled in a user account, using Windows Security Event 4738. This event indicates + a change in the UserAccountControl property of a domain user object. Disabling this + flag allows adversaries to perform offline brute force attacks on the user's password + using the AS-REP Roasting technique. This activity is significant as it can be used + by attackers with existing privileges to escalate their access or maintain persistence. + If confirmed malicious, this could lead to unauthorized access and potential compromise + of sensitive information. data_source: - Windows Event Log Security 4738 -search: '`wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. 
The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. +search: > + `wineventlog_security` EventCode=4738 MSADChangedAttributes="*\'Don\'t Require Preauth\' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, + MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter` +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events. The Advanced Security Audit policy setting `User Account + Management` within `Account Management` needs to be enabled. known_false_positives: Unknown. references: - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties 
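Review bot: The `search` in kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml changes from a single-quoted YAML string to a `>` folded block scalar, but backslashes are not escape characters in block scalars, so the rendered SPL now contains literal `\'` sequences: `MSADChangedAttributes="*\'Don\'t Require Preauth\' - Enabled*"` instead of the previous `"*Don't Require Preauth' - Enabled*"`. Drop the backslashes (a block scalar needs no quote escaping) and confirm against the T1558.004 test dataset that the pattern still matches the 4738 event text; note the new pattern also adds a leading `'` before `Don't`, which narrows the match.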
@@ -21,41 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kerberos Pre Authentication was Disabled for $user$ + risk_objects: + - field: user + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks - BlackSuit Ransomware asset_type: Endpoint - confidence: 90 - impact: 50 - message: Kerberos Pre Authentication was Disabled for $user$ mitre_attack_id: - T1558 - T1558.004 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Account_Name - - Security_ID - - MSADChangedAttributes - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true + diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml index 79786485f4..bc3d94ee68 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml 
@@ -1,16 +1,30 @@ name: Kerberos Pre-Authentication Flag Disabled with PowerShell id: 59b51620-94c9-11ec-b3d5-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of the `Set-ADAccountControl` PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk. +description: The following analytic detects the use of the `Set-ADAccountControl` + PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify this specific command + execution. Disabling Kerberos Pre-Authentication is significant because it allows + adversaries to perform offline brute force attacks against user passwords using + the AS-REP Roasting technique. If confirmed malicious, this activity could enable + attackers to escalate privileges or maintain persistence within an Active Directory + environment, posing a severe security risk. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND ScriptBlockText="*DoesNotRequirePreAuth:$true*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Although unlikely, Administrators may need to set this flag for legitimate purposes. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND + ScriptBlockText="*DoesNotRequirePreAuth:$true*") | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer + as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Although unlikely, Administrators may need to set this flag + for legitimate purposes. references: - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html 
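Review bot: the search in kerberos_pre_authentication_flag_disabled_with_powershell.yml only matches `*DoesNotRequirePreAuth:$true*`, but the switch is just as commonly written `-DoesNotRequirePreAuth $true` (space instead of colon) or `-DoesNotRequirePreAuth 1`, which this pattern misses. Consider widening it to something like `ScriptBlockText="*DoesNotRequirePreAuth*" AND (ScriptBlockText="*$true*" OR ScriptBlockText="*1*")`, or at least documenting the gap in known_false_positives/description while the reflow is being done. Also, how_to_implement points to a UBA page for enabling Script Block Logging; a Splunk Enterprise or Microsoft Script Block Logging reference would serve this detection better.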
@@ -21,40 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Kerberos Pre Authentication was Disabled using PowerShell on $dest$ + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 90 - impact: 50 - message: Kerberos Pre Authentication was Disabled using PowerShell on $dest$ mitre_attack_id: - T1558 - T1558.004 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - user_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml index daf6a40448..d667d529f4 100644 --- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml 
@@ -1,16 +1,33 @@ name: Kerberos Service Ticket Request Using RC4 Encryption id: 7d90f334-a482-11ec-908c-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: 'The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.' +description: 'The following analytic detects Kerberos service ticket requests using + RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential + Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using + the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory + environment. Monitoring for RC4 encryption usage is significant as it is rare in + modern networks, indicating possible malicious activity. If confirmed malicious, + attackers could move laterally and execute code on remote systems, compromising + the entire network. Note: This detection may be bypassed if attackers use the AES + key instead of the NTLM hash.' 
data_source: - Windows Event Log Security 4769 -search: '`wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. +search: '`wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 + OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 + | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, + TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `kerberos_service_ticket_request_using_rc4_encryption_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: Based on Microsoft documentation, legacy systems or applications + will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. + Specifically, systems before Windows Server 2008 and Windows Vista. 
Newer systems + will use AES128 or AES256. references: - https://attack.mitre.org/techniques/T1558/001/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 
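Review bot: how_to_implement in kerberos_service_ticket_request_using_rc4_encryption.yml says the `Audit Kerberos Authentication Service` subcategory must be enabled, but Event 4769 (service ticket request) is emitted under `Audit Kerberos Service Ticket Operations`; `Audit Kerberos Authentication Service` governs 4768/4771/4772. Since this line is already being rewritten, please correct the subcategory so a deployment that follows the instructions actually receives 4769. Minor: the description says "Kerberos Granting Tickets (TGT)"; "Ticket Granting Tickets" is the term the acronym expands to.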
@@ -23,42 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Kerberos Service TTicket request with RC4 encryption was requested from + $dest$ + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 50 - impact: 90 - message: A Kerberos Service TTicket request with RC4 encryption was requested from $dest$ mitre_attack_id: - T1558 - T1558.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Ticket_Options - - Ticket_Encryption_Type - - dest - - service - - service_id - risk_score: 45 security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml index 63dcabc878..f823b00797 100644 --- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml 
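Review bot: in the rba hunk of kerberos_service_ticket_request_using_rc4_encryption.yml, `message: A Kerberos Service TTicket request with RC4 encryption was requested from $dest$` carries the "TTicket" typo over from the removed tags.message; since this string becomes the risk_message shown to analysts, please fix it to "Service Ticket" while it is being moved.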
@@ -1,16 +1,29 @@ name: Kerberos TGT Request Using RC4 Encryption id: 18916468-9c04-11ec-bdc6-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network. +description: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) + request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption + type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring + this activity is crucial as it can signify credential theft, allowing adversaries + to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. + If confirmed malicious, this could enable unauthorized access to systems and resources, + potentially leading to lateral movement and further compromise within the network. data_source: - Windows Event Log Security 4768 -search: '`wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. 
The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. +search: '`wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ + | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `kerberos_tgt_request_using_rc4_encryption_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: Based on Microsoft documentation, legacy systems or applications + will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems + before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. references: - https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ - https://www.thehacker.recipes/ad/movement/kerberos/ptk 
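Review bot: the description in kerberos_tgt_request_using_rc4_encryption.yml expands KDC as "Kerberos Distribution Center"; the correct expansion is Key Distribution Center. The reflow is a good moment to fix it. Separately, `ServiceName!=*$` is unquoted while the sibling detection quotes `ServiceName="*$"`; both work in SPL, but quoting the wildcard (`ServiceName!="*$"`) keeps the two files consistent and avoids any ambiguity about the trailing `$`.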
@@ -21,37 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ + from $src_ip$ + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 50 - impact: 50 - message: A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$ mitre_attack_id: - T1550 - observable: - - name: src_ip - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TicketEncryptionType - - ServiceName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml index d8b386f4a2..570a014a73 100644 --- a/detections/endpoint/kerberos_user_enumeration.yml +++ b/detections/endpoint/kerberos_user_enumeration.yml 
@@ -1,16 +1,30 @@ name: Kerberos User Enumeration id: d82d4af4-a0bd-11ec-9445-3e22fbd008af -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Anomaly -description: The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment. +description: The following analytic detects an unusual number of Kerberos Ticket Granting + Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages + Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This + behavior is significant as it may indicate an adversary performing a user enumeration + attack against Active Directory. If confirmed malicious, the attacker could validate + a list of usernames, potentially leading to further attacks such as brute force + or credential stuffing, compromising the security of the environment. 
data_source: - Windows Event Log Security 4768 -search: '`wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. +search: '`wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" | bucket + span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg + , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1| `kerberos_user_enumeration_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: Possible false positive scenarios include but are not limited + to vulnerability scanners and missconfigured systems. references: - https://github.com/ropnop/kerbrute - https://attack.mitre.org/techniques/T1589/002/ 
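Review bot: in kerberos_user_enumeration.yml the `eventstats avg(...) stdev(...) by src_ip` baseline is computed over the same search window as the detection, so a source that only appears in one 2-minute bucket gets `comp_std=0` and `upperBound=unique_accounts`, and the "3-sigma" test collapses to the hard floor `unique_accounts > 10`. That is acceptable behaviour, but the description currently credits the statistical rule alone; please state that 10 unique non-existent users per 2 minutes is the effective minimum, so tuners know which knob matters. Also, known_false_positives has "missconfigured" (one s).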
@@ -21,39 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Kerberos based user enumeration attack $src_ip$ + risk_objects: + - field: src_ip + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 80 - impact: 30 - message: Potential Kerberos based user enumeration attack $src_ip$ mitre_attack_id: - T1589 - T1589.002 - observable: - - name: src_ip - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Result_Code - - Account_Name - - Client_Address - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/known_services_killed_by_ransomware.yml b/detections/endpoint/known_services_killed_by_ransomware.yml index a23a218e59..38760a26ef 100644 --- a/detections/endpoint/known_services_killed_by_ransomware.yml +++ b/detections/endpoint/known_services_killed_by_ransomware.yml @@ -1,7 +1,7 @@ name: Known Services Killed by Ransomware id: 3070f8e0-c528-11eb-b2a0-acde48001122 version: 7 -date: '2024-12-09' +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -19,11 +19,10 @@ search: '`wineventlog_system` EventCode=7036 param1 IN ("*Volume Shadow Copy*"," "*backup*", "*sophos*", "*sql*", "*memtas*", "*mepocs*", "*veeam*", "*svc$*", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "YooBackup", "YooIT", "*Veeam*", "PDVFSService", "BackupExec*", - "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", - "WinDefend", "wscsvc", "Sense", "sppsvc", "SecurityHealthService") param2="stopped" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 - dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - | `known_services_killed_by_ransomware_filter`' + "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend", "wscsvc", "Sense", "sppsvc", + "SecurityHealthService") param2="stopped" | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. known_false_positives: Admin activities or installing related updates may do a sudden @@ -47,6 +46,15 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Known services $param1$ terminated by a potential ransomware on $dest$ + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: param1 + type: service tags: analytic_story: - LockBit Ransomware 
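Review bot: in the reflowed `param1 IN (...)` list of known_services_killed_by_ransomware.yml both `"*veeam*"` and `"*Veeam*"` are present; Splunk field-value matching in `IN` is case-insensitive, so the second entry is redundant and can be dropped to keep the list readable. The new rba block looks right: `param1` as a `service` threat object matches how the message uses `$param1$`.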
@@ -54,35 +62,17 @@ tags: - Compromised Windows Host - BlackMatter Ransomware asset_type: Endpoint - confidence: 80 - impact: 90 - message: Known services $param1$ terminated by a potential ransomware on $dest$ mitre_attack_id: - T1490 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: param1 - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - dest - - Type - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index ead82abba3..70069801ef 100644 --- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml 
@@ -1,16 +1,32 @@ name: Linux Account Manipulation Of SSH Config and Keys id: 73a56508-1cf5-4df7-b8d9-5737fbdc27d2 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within "/etc/ssh/*" or "~/.ssh/*" are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user. +description: The following analytic detects the deletion of SSH keys on a Linux machine. + It leverages filesystem event logs to identify when files within "/etc/ssh/*" or + "~/.ssh/*" are deleted. This activity is significant because attackers may delete + or modify SSH keys to evade security measures or as part of a destructive payload, + similar to the AcidRain malware. If confirmed malicious, this behavior could lead + to impaired security features, hindered forensic investigations, or further unauthorized + access, necessitating immediate investigation to identify the responsible process + and user. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND + Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name + Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | + `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_account_manipulation_of_ssh_config_and_keys_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: 
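Review bot: the search in linux_account_manipulation_of_ssh_config_and_keys.yml filters on `Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*")`, but `~` is a shell expansion, not something that appears in a logged path; Sysmon for Linux records absolute paths such as `/home/<user>/.ssh/id_rsa`, so the second pattern never matches and per-user key deletions are missed. Suggest `"*/.ssh/*"` (or `"/home/*/.ssh/*"` plus `"/root/.ssh/*"` if you want to stay tight). Two related mismatches in the same hunk: data_source lists `Sysmon for Linux EventID 11`, which is FileCreate, while the search keys on `Filesystem.action=deleted`, so please confirm which event ID actually feeds the deleted action; and how_to_implement/known_false_positives talk about process names, command lines and "this command" although the detection is driven purely by file-system events, so that text should describe file-event ingestion instead.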
@@ -19,42 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - AcidRain asset_type: Endpoint - confidence: 70 - impact: 70 - message: SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: 
True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index 4fce6e32be..5ac49389a5 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml @@ -1,7 +1,7 @@ name: Linux Add Files In Known Crontab Directories id: 023f3452-5f27-11ec-bf00-acde48001122 -version: '4' -date: '2024-12-17' +version: 5 +date: '2024-12-19' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -42,6 +42,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - XorDDos 
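Review bot: the added `rba.message` reads `a file $file_name$ is created in $file_path$ on $dest$` with a lowercase first word, while the other messages in this patch start with a capital (`SSH Config and keys are deleted on $dest$ ...`, and the same sentence in linux_at_allow_config_file_creation.yml is `A file $file_name$ is created in $file_path$ on $dest$`); capitalise it so the risk messages read consistently in the Risk index. The score of 25 matches the removed `confidence: 50` / `impact: 50`, so the migration itself is fine. Note also that this file is dated `2024-12-19` while the other analytics touched by the same migration carry `2024-11-13`; if the dates are meant to mark the rba conversion, they should agree.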
@@ -50,33 +57,18 @@ tags: - Scheduled Tasks - Linux Persistence Techniques asset_type: Endpoint - confidence: 50 - impact: 50 - message: a file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index 33840facfb..3685c49b94 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml 
@@ -1,16 +1,36 @@ name: Linux Add User Account id: 51fbcaf2-6259-11ec-b0f3-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of new user accounts on Linux systems using commands like "useradd" or "adduser." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk. +description: The following analytic detects the creation of new user accounts on Linux + systems using commands like "useradd" or "adduser." It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as adversaries often create new user accounts + to establish persistence on compromised hosts. If confirmed malicious, this could + allow attackers to maintain access, escalate privileges, and further compromise + the system, posing a severe security risk. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes + where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd + *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ tags: 
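Review bot: the reflowed `search` still ends with `| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)``, but its `tstats` clause aggregates only `count`; without `min(_time) as firstTime max(_time) as lastTime` in the aggregation the two macros operate on fields that are never produced and the hunting results carry no time bounds. Add them after `count`, as the crontab list search in this same patch does (`count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes`). Since the hunk only reflows the line, this is the moment to fix it rather than carry the defect into version 4.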
@@ -18,35 +38,18 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 50 - impact: 50 - message: A commandline $process$ that may create user account on $dest$ mitre_attack_id: - T1136.001 - T1136 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 336fefcd17..8bdc8a8822 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml 
@@ -1,16 +1,37 @@ name: Linux Adding Crontab Using List Parameter id: 52f6d751-1fd4-4c74-a4c9-777ecfeb5c58 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Further investigation should analyze the added cron job, its associated command, and any related processes. +description: The following analytic detects suspicious modifications to cron jobs + on Linux systems using the crontab command with list parameters. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant as it may indicate an attempt + to establish persistence or execute malicious code on a schedule. If confirmed malicious, + the impact could include unauthorized code execution, data destruction, or other + damaging outcomes. Further investigation should analyze the added cron job, its + associated command, and any related processes. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" Processes.process= "* -l*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" + Processes.process= "* -l*" by Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
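Review bot: the description says the analytic "detects suspicious modifications to cron jobs ... using the crontab command with list parameters", but the search matches `Processes.process= "* -l*"`, and `crontab -l` only prints the current crontab; it does not modify anything (writes go through `crontab -e`, `crontab <file>` or `crontab -`). What this actually catches is the listing step that commonly precedes an append, so the description (and ideally the name) should say that it flags crontab enumeration, and `known_false_positives` should mention that any interactive `crontab -l` by an operator will hit. Also, `"* -l*"` is a substring match that will also fire on arguments that merely contain ` -l`, e.g. a crontab file path; anchoring the pattern on the `-l` flag itself would tighten it.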
@@ -24,35 +45,18 @@ tags: - Scheduled Tasks - Gomir asset_type: Endpoint - confidence: 50 - impact: 50 - message: A possible crontab list command $process$ executed on $dest$ mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index acdb068472..086b376e70 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml 
@@ -1,15 +1,36 @@ name: Linux apt-get Privilege Escalation id: d870ce3b-e796-402f-b2af-cab4da1223f2 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'apt-get' command with elevated privileges using 'sudo' on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a user may be attempting to escalate privileges to root, which could lead to unauthorized system control. If confirmed malicious, an attacker could gain root access, allowing them to execute arbitrary commands, install or remove software, and potentially compromise the entire system. +description: The following analytic detects the execution of the 'apt-get' command + with elevated privileges using 'sudo' on a Linux system. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process execution logs + that include command-line details. This activity is significant because it indicates + a user may be attempting to escalate privileges to root, which could lead to unauthorized + system control. If confirmed malicious, an attacker could gain root access, allowing + them to execute arbitrary commands, install or remove software, and potentially + compromise the entire system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" + AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_apt_get_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/apt-get/ 
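Review bot: `known_false_positives` stays at the generic "False positives may be present, filter as needed" even though the search is very specific (`*sudo*` plus `*apt-get*` plus `*APT::Update::Pre-Invoke::*`, the GTFOBins technique in the reference); the realistic benign case is an apt.conf hook or a configuration-management run that passes `APT::Update::Pre-Invoke::` on purpose, and naming that here, together with the `linux_apt_get_privilege_escalation_filter` macro, would save tuners a round trip. One more check on the same hunk: the three clauses are all substring matches on `Processes.process`, so the `*sudo*` clause only matches the event whose command line contains the literal `sudo`; if a data source records the child `apt-get` process with `sudo` only as `parent_process_name`, that event is dropped, and an `OR Processes.parent_process_name="sudo"` would cover it.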
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml index 47211d30dd..4466f0e3e7 100644 --- a/detections/endpoint/linux_apt_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_privilege_escalation.yml 
@@ -1,15 +1,36 @@ name: Linux APT Privilege Escalation id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the use of the Advanced Package Tool (APT) with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where APT commands are executed with sudo rights. This activity is significant because it indicates a user can run system commands as root, potentially leading to unauthorized root shell access. If confirmed malicious, this could allow an attacker to escalate privileges, execute arbitrary commands, and gain full control over the affected system, posing a severe security risk. +description: The following analytic detects the use of the Advanced Package Tool (APT) + with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection + and Response (EDR) telemetry to identify processes where APT commands are executed + with sudo rights. This activity is significant because it indicates a user can run + system commands as root, potentially leading to unauthorized root shell access. + If confirmed malicious, this could allow an attacker to escalate privileges, execute + arbitrary commands, and gain full control over the affected system, posing a severe + security risk. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt*" AND + Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by + Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_apt_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/apt/ 
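Review bot: `Processes.process="*apt*"` is a bare substring match, so combined with the other two clauses it matches every command line that the preceding `linux_apt_get_privilege_escalation` search matches (`*apt-get*` is contained in `*apt*`) plus anything else with "apt" in its command line. As written, a single `sudo apt-get ... -o APT::Update::Pre-Invoke::=...` command line produces two risk events of score 10 on the same `dest`, one from each analytic. Either constrain this one to `Processes.process_name="apt"` (or `IN ("apt", "apt-get")` and drop the other analytic), or document in `known_false_positives` that the two are expected to fire together.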
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index 5519e8672e..732c20f5b7 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml 
@@ -1,16 +1,31 @@ name: Linux At Allow Config File Creation id: 977b3082-5f3d-11ec-b954-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of the /etc/at.allow or /etc/at.deny configuration files in Linux. It leverages file creation events from the Endpoint datamodel to identify when these files are created. This activity is significant as these files control user permissions for the "at" scheduling application and can be abused by attackers to establish persistence. If confirmed malicious, this could allow unauthorized execution of malicious code, leading to potential data theft or further system compromise. Analysts should review the file path, creation time, and associated processes to assess the threat. +description: The following analytic detects the creation of the /etc/at.allow or /etc/at.deny + configuration files in Linux. It leverages file creation events from the Endpoint + datamodel to identify when these files are created. This activity is significant + as these files control user permissions for the "at" scheduling application and + can be abused by attackers to establish persistence. If confirmed malicious, this + could allow unauthorized execution of malicious code, leading to potential data + theft or further system compromise. Analysts should review the file path, creation + time, and associated processes to assess the threat. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/at.allow", "*/etc/at.deny") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/at.allow", + "*/etc/at.deny") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name + Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the file name, file path, and process_guid executions from your endpoints + into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for + Linux Sysmon from Splunkbase. +known_false_positives: Administrator or network operator can create this file for + automation purposes. Please update the filter macros to remove false positives. references: - https://linuxize.com/post/at-command-in-linux/ drilldown_searches: 
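Review bot: the reflowed `how_to_implement` in this hunk still reads "logs with the file name, file path, and process_guid executions", which does not parse; since every line of that paragraph is being rewritten anyway, change it to "logs that carry the file name, file path and process_guid fields". Separately, `Filesystem.file_path IN ("*/etc/at.allow", "*/etc/at.deny")` has a leading wildcard, so any path that ends in `/etc/at.allow` or `/etc/at.deny` matches (for example a copied or chrooted tree), not only the system files; that is reasonable for coverage, but `known_false_positives` should say so because the risk message presents `$file_path$` as the config file itself.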
@@ -19,9 +34,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation 
@@ -29,33 +56,18 @@ tags: - Linux Living Off The Land - Scheduled Tasks asset_type: Endpoint - confidence: 50 - impact: 50 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 90fd6f0483..3cd126c6ca 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml 
@@ -1,16 +1,38 @@ name: Linux At Application Execution id: bf0a378e-5f3c-11ec-a6de-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with "at" or "atd". This activity is significant because the "At" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks. +description: The following analytic detects the execution of the "At" application + in Linux, which can be used by attackers to create persistence entries on a compromised + host. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and parent process names associated with "at" or "atd". + This activity is significant because the "At" application can be exploited to maintain + unauthorized access or deliver additional malicious payloads. If confirmed malicious, + this behavior could lead to data theft, ransomware attacks, or other severe consequences. + Immediate investigation is required to determine the legitimacy of the execution + and mitigate potential risks. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("at", "atd") OR Processes.parent_process_name IN ("at", "atd") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes + where Processes.process_name IN ("at", "atd") OR Processes.parent_process_name + IN ("at", "atd") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/001/ - https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ 
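Review bot: the reflowed search in this hunk never produces the fields it later formats. The `tstats` clause is `count from datamodel=Endpoint.Processes`, yet the pipeline ends with `| \`security_content_ctime(firstTime)\` | \`security_content_ctime(lastTime)\``, so both macros operate on fields that do not exist and the `firstTime`/`lastTime` columns are empty. Add the aggregations as the sibling Linux At Allow Config File Creation search does, i.e. `count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes`. Since the hunk already rewraps the whole `search` value, this is the right place to fix it.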
@@ -20,9 +42,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: At application was executed on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation 
@@ -30,35 +64,18 @@ tags: - Linux Living Off The Land - Scheduled Tasks asset_type: Endpoint - confidence: 30 - impact: 30 - message: At application was executed in $dest$ mitre_attack_id: - T1053.002 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index 3fd4de81ce..900f4b6a4e 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Add User Account id: aae66dc0-74b4-4807-b480-b35f8027abb4 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of new user accounts on Linux systems using commands like "useradd" or "adduser." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk. +description: The following analytic detects the creation of new user accounts on Linux + systems using commands like "useradd" or "adduser." It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as adversaries often create new user accounts + to establish persistence on compromised hosts. If confirmed malicious, this could + allow attackers to maintain access, escalate privileges, and further compromise + the system, posing a severe security risk. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as + dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") + | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_add_user_account_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ drilldown_searches: 
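Review bot: the `how_to_implement` paragraph this hunk rewraps keeps its grammar problems and a missing full stop: "ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures" and the final "where auditd is deployed" with no period. Suggest "ingesting auditd data that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which capture command-line executions and process details on Unix/Linux systems" and a closing period; the same paragraph is pasted into every auditd detection touched by this patch, so fix it once and copy. On the search itself, `LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%")` is a substring match on the whole command line, so any proctitle that merely mentions `useradd` or `adduser` in a path or argument fires; worth stating in `known_false_positives`.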
@@ -19,38 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to add a user account. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to add a user account. 
mitre_attack_id: - T1136.001 - T1136 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml index 19e183e33c..929dd08741 100644 --- a/detections/endpoint/linux_auditd_add_user_account_type.yml +++ b/detections/endpoint/linux_auditd_add_user_account_type.yml 
@@ -1,16 +1,33 @@ name: Linux Auditd Add User Account Type id: f8c325ea-506e-4105-8ccf-da1492e90115 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious add user account type. + This behavior is critical for a SOC to monitor because it may indicate attempts + to gain unauthorized access or maintain control over a system. Such actions could + be signs of malicious activity. If confirmed, this could lead to serious consequences, + including a compromised system, unauthorized access to sensitive data, or even a + wider breach affecting the entire network. Detecting and responding to these signs + early is essential to prevent potential security incidents. data_source: - Linux Auditd Add User -search: '`linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time) + as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: @@ -19,9 +36,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: New [$type$] event on host - [$dest$] to add a user account type. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
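Review bot: in the first hunk of linux_auditd_add_user_account_type.yml, `known_false_positives` reads "Administrator or network operator can use this application for automation purposes", which is copied from the at detections; `type=ADD_USER` is an audit record type, not an application. Suggest "Administrators or account-provisioning tooling can legitimately add user accounts. Please update the filter macros to remove false positives." The reflowed `description` also never says what is matched; one sentence such as "It matches auditd ADD_USER records and groups them by executable, pid, host and result" would make it useful. Note too that `res` is only a grouping field, so failed attempts (`res=failed`) alert alongside successful ones; if that is intended, say so in the description.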
@@ -29,34 +58,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: New [$type$] event on host - [$dest$] to add a user account type. mitre_attack_id: - T1136 - T1136.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - exe - - pid - - hostname - - res - - UID - - type - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index e142bdd4cf..da29fe7c02 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd At Application Execution id: 9f306e0a-1c36-469e-8892-968ca12470dd -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with "at" or "atd". This activity is significant because the "At" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks. +description: The following analytic detects the execution of the "At" application + in Linux, which can be used by attackers to create persistence entries on a compromised + host. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and parent process names associated with "at" or "atd". + This activity is significant because the "At" application can be exploited to maintain + unauthorized access or deliver additional malicious payloads. If confirmed malicious, + this behavior could lead to data theft, ransomware attacks, or other severe consequences. + Immediate investigation is required to determine the legitimacy of the execution + and mitigate potential risks. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") + AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime + max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/001/ - https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ 
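Review bot: the search in this hunk has a Boolean precedence problem. In the SPL search command NOT binds tightest, then AND (including the implicit AND between adjacent terms), then OR, so `type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (UID IN("daemon"))` evaluates as `(type=SYSCALL AND comm IN ("at","atd")) OR (exe IN (...) AND NOT (UID IN("daemon")))`. The `daemon` exclusion therefore never applies to the `comm` branch, and `type=SYSCALL` never applies to the `exe` branch. Suggest `type=SYSCALL (comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")) NOT (UID IN("daemon"))`. Since the hunk already rewraps the `search` value, the parentheses can go in here.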
@@ -20,9 +40,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the + "at" application. + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Scheduled Tasks 
@@ -31,34 +64,18 @@ tags: - Linux Living Off The Land - Compromised Linux Host asset_type: Endpoint - confidence: 30 - impact: 30 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "at" application. mitre_attack_id: - T1053.002 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml index e90f3fec26..8efe47b2f9 100644 --- a/detections/endpoint/linux_auditd_auditd_service_stop.yml +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Auditd Service Stop id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the suspicious auditd service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious auditd service stop. This + behavior is critical for a SOC to monitor because it may indicate attempts to gain + unauthorized access or maintain control over a system. Such actions could be signs + of malicious activity. If confirmed, this could lead to serious consequences, including + a compromised system, unauthorized access to sensitive data, or even a wider breach + affecting the entire network. Detecting and responding to these signs early is essential + to prevent potential security incidents. data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_auditd_service_stop_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_auditd_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: @@ -19,9 +37,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service event - [$type$] event occurred on host - [$dest$]. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
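Review bot: the new `rba.message` in the `@@ -19,9 +37,21 @@` hunk, `A service event - [$type$] event occurred on host - [$dest$].`, says "event" twice and tells the analyst nothing beyond the detection title. Since the string is being moved out of `tags` anyway, make it state what happened, e.g. `The auditd service unit was stopped (auditd [$type$] record) on host [$dest$].`, which also keeps the `occurred` spelling the old `tags.message` got wrong. In the `@@ -1,16 +1,34 @@` hunk the reflowed `how_to_implement` still reads `auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events`; the rest of this change corrects that sentence to `that consists of` in other files, so apply the same fix here rather than reflowing the broken sentence.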
@@ -29,32 +59,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A service event - [$type$] event occured on host - [$dest$]. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index 907eb58b78..57b3c91b7f 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml 
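Review bot: the risk score changes silently in this hunk: `- risk_score: 49` is removed while the `rba.score` added in the previous hunk is 25. 25 is what `confidence: 50` times `impact: 50` divided by 100 actually yields, so the old 49 was the inconsistent value, but the net effect is that an auditd service stop now contributes roughly half as much to an entity's risk score, and nothing in the diff or the version bump (`version: 3`, otherwise a reflow) flags it. Disabling the audit daemon blinds every other linux_auditd detection in this set, so the lower number is hard to defend. State the intended value in the PR description and, if 49 was the intended severity, set `score: 49` so behaviour does not change in a formatting commit.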
@@ -1,16 +1,36 @@ name: Linux Auditd Base64 Decode Files id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access. +description: The following analytic detects suspicious Base64 decode operations that + may indicate malicious activity, such as data exfiltration or execution of encoded + commands. Base64 is commonly used to encode data for safe transmission, but attackers + may abuse it to conceal malicious payloads. This detection focuses on identifying + unusual or unexpected Base64 decoding processes, particularly when associated with + critical files or directories. By monitoring these activities, the analytic helps + uncover potential threats, enabling security teams to respond promptly and mitigate + risks associated with encoded malware or unauthorized data access. 
data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_base64_decode_files_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR + LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as + lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_base64_decode_files_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://gtfobins.github.io/gtfobins/dd/ 
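Review bot: the `search` rewritten in the `@@ -1,16 +1,36 @@` hunk keeps `LIKE(process_exec, "%-d %")`, which requires a space after `-d` and so misses the most common form, `... | base64 -d`, where `-d` is the last token of the command line (unless the normalized `process_exec` happens to carry a trailing space); `LIKE(process_exec, "% --d%")` only catches `--decode` through a prefix match and reads like a typo. Since the line is being touched, anchor the option on both sides, e.g. `(LIKE(process_exec, "% -d %") OR LIKE(process_exec, "% -d") OR LIKE(process_exec, "% --decode%"))`, or use `match(process_exec, "base64\b.*\s(-[a-z]*d[a-z]*|--decode)\b")` so combined short options such as `-di` are covered too. The same hunk reflows `auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events` without the `that consists of` correction applied to the January files in this change.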
@@ -20,9 +40,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using + base64. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -30,29 +63,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using base64. mitre_attack_id: - T1140 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index 3c8eba210c..a45a65d0f8 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -1,7 +1,7 @@ name: Linux Auditd Change File Owner To Root id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90 -version: 3 -date: '2024-10-17' +version: 4 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,7 +9,7 @@ description: The following analytic detects the use of the 'chown' command to ch data_source: - Linux Auditd Proctitle search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_change_file_owner_to_root_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users @@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner + to root. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,25 +38,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner to root. mitre_attack_id: - T1222.002 - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index 8970534501..0a32d1b5d3 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml 
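Review bot: the `how_to_implement` fix in the `@@ -9,7 +9,7 @@` hunk (`that consist SYSCALL` to `that consists of SYSCALL`) is the right edit, but it is only applied to the files dated 2025-01 in this change; linux_auditd_auditd_service_stop.yml and linux_auditd_base64_decode_files.yml, reflowed in the same diff, still carry `that consist SYSCALL, TYPE, EXECVE and PROCTITLE events`. All of these detections share that boilerplate sentence, so fix it once across `detections/endpoint/linux_auditd_*.yml` rather than file by file, otherwise the next reflow pass reintroduces the inconsistency. The `rba` block in the `@@ -23,6 +23,14 @@` hunk is consistent with the removed values (`confidence: 80` times `impact: 80` gives `score: 64`).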
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Clipboard Data Copy id: 9ddfe470-c4d0-4e60-8668-7337bd699edd -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. references: - https://attack.mitre.org/techniques/T1115/ 
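Review bot: the two renames added to `search` in this hunk, `| rename comm as process_name | rename exe as process`, have no effect on the output: the following `| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest` keeps only `argc`, `process_exec` and `dest`, so `process_name` and `process` are discarded before the filter macro runs and before the risk event is built. Either add `process_name process` to the `by` clause (which would also let the rba block name `process_name` as a threat object instead of `threat_objects: []`), or drop the renames. The same dead pair is added to linux_auditd_data_destruction_command.yml and linux_auditd_data_transfer_size_limits_via_split.yml further down.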
@@ -23,30 +23,25 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to copy data from + the clipboard. + risk_objects: + - field: dest + type: system + score: 16 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land - Compromised Linux Host asset_type: Endpoint - confidence: 40 - impact: 40 - message: A [$process_exec$] event occurred on host - [$dest$] to copy data from the clipboard. mitre_attack_id: - T1115 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test @@ -54,4 +49,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log source: /var/log/audit/audit.log sourcetype: linux:audit - update_timestamp: true diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index e67774b5c1..94d554eb0a 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml 
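Review bot: `- update_timestamp: true` is removed from the test block in the `@@ -54,4 +49,3 @@` hunk with no explanation in the diff. If, as the name suggests, that flag is what makes contentctl rewrite the timestamps of the replayed `linux_auditd_xclip.log` sample to replay time, dropping it can leave the 2024 events outside the search window and the True Positive Test stops matching without any visible reason. State why it was dropped (contentctl now defaults to it, or the sample was re-timestamped) in the PR description. The same removal is made for linux_auditd_data_destruction_command.yml below.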
@@ -1,15 +1,15 @@ name: Linux Auditd Data Destruction Command id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: unknown references: - https://cert.gov.ua/article/3718487 
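Review bot: the search in this hunk gains the same ineffective `| rename comm as process_name | rename exe as process` pair (dropped by `stats ... by argc process_exec dest`), and while the line is being touched, `LIKE (process_exec, "% -rf %")` is narrower than the description claims: `rm -fr`, `rm -r -f`, `rm -Rf` and `rm --recursive --force` all accept `--no-preserve-root` with the same effect and none of them contains ` -rf `. A TTP detection should not hinge on flag order; match on `--no-preserve-root` together with any recursive form, e.g. `match(process_exec, "(?i)\brm\b.*(\s-[a-z]*r[a-z]*|--recursive).*--no-preserve-root")`, or simply on `rm` plus `--no-preserve-root`, since that flag only has meaning when `/` is deleted recursively.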
@@ -23,31 +23,25 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to destroy data. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Data Destruction - AwfulShred - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 100 - message: A [$process_exec$] event occurred on host - [$dest$] to destroy data. mitre_attack_id: - T1485 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test @@ -55,4 +49,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log source: /var/log/audit/audit.log sourcetype: linux:audit - update_timestamp: true diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 820564df65..2c7f2eee4e 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Data Transfer Size Limits Via Split id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
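Review bot: `description` in this hunk (unchanged context) calls `split` a syscall: `involve the use of the `split` syscall`. `split` is a coreutils program; what auditd records is an `execve` SYSCALL/EXECVE pair whose first argument is `split`, which is exactly what the `linux_auditd_normalized_execve_process` macro feeds this search. Fix the wording so analysts do not go looking for a kernel call. The edited search line also adds the ineffective `rename comm as process_name | rename exe as process` pair (dropped by `stats ... by argc process_exec dest`), and `LIKE(process_exec, "% -b %")` misses `--bytes=` and attached values such as `-b1M`; `match(process_exec, "\bsplit\b.*(\s-b\s?\S|--bytes)")` covers all three forms.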
@@ -22,6 +22,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to split a file. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -29,25 +36,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to split a file. mitre_attack_id: - T1030 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index 9684772de3..835309e3f6 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Data Transfer Size Limits Via Split Syscall id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network. +description: The following analytic detects suspicious data transfer activities that + involve the use of the `split` syscall, potentially indicating an attempt to evade + detection by breaking large files into smaller parts. Attackers may use this technique + to bypass size-based security controls, facilitating the covert exfiltration of + sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, + this analytic helps identify potential data exfiltration attempts, allowing security + teams to intervene and prevent the unauthorized transfer of critical information + from the network. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as + dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL + UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
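Review bot: the filter `type=SYSCALL comm=split OR exe= "*/split"` depends on SPL evaluating OR before the implicit AND. That is how Splunk parses it, so the effective search is `type=SYSCALL AND (comm=split OR exe="*/split")`, but anyone used to C-style precedence will read it the other way. Since this hunk rewraps the line anyway, make the grouping explicit: `type=SYSCALL (comm=split OR exe="*/split")`, and drop the stray space in `exe= "*/split"`. The name and description also talk about a "`split` syscall"; `split` is a userland binary, and what this search surfaces is the set of syscalls it issues (the `SYSCALL` field in the `by` clause), so "syscalls made by the split command" is what the analytic actually shows. Finally, this reflow keeps "that consist SYSCALL" in how_to_implement while the sibling split detection in the same change corrects it to "that consists of SYSCALL", and this file is dated 2024-11-13 where that sibling gets 2025-01-15 for the same version bump.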
@@ -19,9 +38,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] that limits + the size of data transfer. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -29,33 +61,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] that limits the size of data transfer. mitre_attack_id: - T1030 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index da49b339d6..d9643341cb 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Database File And Directory Discovery id: f616c4f3-bde9-41cf-856c-019b65f668bb -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, 
EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html @@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to discover database + files and directories. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
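Review bot: as in the split detection, the new `rename comm as process_name | rename exe as process` is discarded by the unchanged `stats ... by argc process_exec dest`; add `process_name process` to the `by` clause or remove the renames. The `LIKE` list is pure substring matching: `"%.db%"` also hits paths such as `~/.dbus`, `"%.sql%"` already subsumes the separate `"%.sqlite%"` clause, and `"%grep%"` matches `pgrep`, `egrep` and `zgrep`, so an administrator running `grep -r something ~/.dbus` raises a risk event. Either switch to a `match()` regex that anchors the extension to an argument boundary (for example `\.db(\s|$)`), or at least list these collisions in known_false_positives instead of the generic "automation purposes" text.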
@@ -30,25 +38,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to discover database files and directories. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml index 3a60721624..a37c14e655 100644 --- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml +++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Dd File Overwrite id: d1b74420-4cea-4752-a123-9b40dfcca49a -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions. +description: The following analytic detects the use of the 'dd' command to overwrite + files on a Linux system. It leverages data from Linux Auditd telemetry, focusing + on process execution logs that include command-line details. This activity is significant + because adversaries often use the 'dd' command to destroy or irreversibly overwrite + files, disrupting system availability and services. If confirmed malicious, this + behavior could lead to data destruction, making recovery difficult and potentially + causing significant operational disruptions. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_dd_file_overwrite_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats + count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_dd_file_overwrite_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://gtfobins.github.io/gtfobins/dd/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md 
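Review bot: `LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%")` fires on every `dd` invocation that names an output file, which is also how `dd` is used for routine disk imaging and writing installer images; for a TTP carrying `score: 81` that is a wide net. The analytic's stated concern (T1485, destroying or irreversibly overwriting files) suggests also requiring an `if=` of `/dev/zero`, `/dev/urandom` or `/dev/null` before scoring it as a TTP, and moving the imaging case into known_false_positives, which currently only says "Administrator or network operator can execute this command". Note too that `"%dd %"` is a substring test, so `useradd ` and `groupadd ` satisfy the first clause and only the `of=` clause excludes them. Lastly, this reflow keeps "that consist SYSCALL" in how_to_implement while other files in the change fix it to "that consists of", and the `rba.message` added further down in this file ("A [$process_exec$] event occurred on host - [$dest$].") is the only one in the set that does not say what the event did; "to overwrite a file with dd" would match the others.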
@@ -20,37 +39,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$]. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Industroyer2 - Data Destruction - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$]. 
mitre_attack_id: - T1485 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index 84510717a5..5dfd17febc 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Disable Or Modify System Firewall id: 07052556-d4b5-4bae-89aa-cbdc1bb11250 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the suspicious disable or modify system firewall. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious disable or modify system + firewall. This behavior is critical for a SOC to monitor because it may indicate + attempts to gain unauthorized access or maintain control over a system. Such actions + could be signs of malicious activity. If confirmed, this could lead to serious consequences, + including a compromised system, unauthorized access to sensitive data, or even a + wider breach affecting the entire network. Detecting and responding to these signs + early is essential to prevent potential security incidents. data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_disable_or_modify_system_firewall_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") | rename host + as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid + UID comm exe unit dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_disable_or_modify_system_firewall_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: @@ -19,9 +37,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service event - [$type$] to disable or modify system firewall occurred + on host - [$dest$] . + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
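Review bot: the search only matches `type=SERVICE_STOP` for the `firewalld` and `ufw` units, so the "or modify" half of the name and description is not covered: an `iptables -F`, `nft flush ruleset`, `firewall-cmd` or `ufw allow` change leaves the service running and produces no SERVICE_STOP record. Either narrow the name and description to stopping the firewall service, or pair this with an EXECVE-based search for the rule-manipulation commands. SERVICE_STOP is also emitted on every orderly stop of the unit, including restarts during package upgrades and `systemctl restart` from configuration management, so known_false_positives should say that explicitly rather than the generic "automation purposes" sentence. In the new `rba.message`, `$type$` will always render as `SERVICE_STOP`; since `unit` is already in the `by` clause, `$unit$` would tell the analyst which firewall was stopped.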
@@ -29,33 +60,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service event - [$type$] to disable or modify system firewall occured on host - [$dest$] . mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index 50a5fde6ec..6eea3f2bdf 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Doas Conf File Creation id: 61059783-574b-40d2-ac2f-69b898afd6b4 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root commands with root privileges, leading to full system compromise. +description: The following analytic detects the creation of the doas.conf file on + a Linux host. This file is used by the doas utility to allow standard users to perform + tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing + on the creation of the doas.conf file. This activity is significant because it can + indicate an attempt to gain elevated privileges, potentially by an adversary. If + confirmed malicious, this could allow an attacker to execute commands with root + commands with root privileges, leading to full system compromise. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_doas_conf_file_creation_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" | rename host as dest | + stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_doas_conf_file_creation_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ 
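Review bot: `type=PATH name ="/etc/doas.conf*"` matches every PATH record that names the file, not only its creation; depending on the audit rules in place (for example a `-w /etc/doas.conf -p rwa` watch), a `cat /etc/doas.conf`, an editor opening it, or `doas` reading its own config will also produce PATH records, with `nametype=NORMAL`. The `nametype` field is already in the `by` clause, so add `nametype=CREATE` to the filter to match the "creation" in the name, description and new risk message (or widen the wording to "created or modified" and revisit the TTP score). The trailing `*` additionally pulls in editor temp and backup files such as `/etc/doas.conf.swp` or `/etc/doas.conf~`, which is useful for catching edits but should be stated; and the space in `name ="..."` is inconsistent with the other searches. While the description is being rewrapped, the duplicated phrase "execute commands with root commands with root privileges" should become "execute commands with root privileges".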
@@ -20,40 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$type$] event occurred on host - [$dest$] to create a doas.conf file. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$type$] event occured on host - [$dest$] to create a doas.conf file. 
mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 934aa7c17d..14483461ca 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Doas Tool Execution id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system. +description: The following analytic detects the execution of the 'doas' tool on a + Linux host. This tool allows standard users to perform tasks with root privileges, + similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process + names and command-line executions. This activity is significant as 'doas' can be + exploited by adversaries to gain elevated privileges on a compromised host. If confirmed + malicious, this could lead to unauthorized administrative access, potentially compromising + the entire system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_doas_tool_execution_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_doas_tool_execution_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ 
@@ -20,43 +38,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the + "doas" tool. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "doas" tool. 
mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 07d145ef1b..abcf36a2c5 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Edit Cron Table Parameter id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise. +description: The following analytic detects the suspicious editing of cron jobs in + Linux using the crontab command-line parameter (-e). It identifies this activity + by monitoring command-line executions involving 'crontab' and the edit parameter. + This behavior is significant for a SOC as cron job manipulations can indicate unauthorized + persistence attempts or scheduled malicious actions. If confirmed malicious, this + activity could lead to system compromise, unauthorized access, or broader network + compromise. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_edit_cron_table_parameter_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN + ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats + count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid + pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_edit_cron_table_parameter_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. 
Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/003/ drilldown_searches: @@ -19,9 +38,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to edit the + cron table. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Scheduled Tasks 
@@ -30,34 +62,18 @@ tags: - Linux Living Off The Land - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to edit the cron table. mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index 408246dd45..f117d9113f 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd File And Directory Discovery id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats count min(_time) as firstTime 
max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE 
(process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to discover files + and directories. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,25 +38,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to discover files and directories. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml index c0930c2ab8..f33b95fed5 100644 --- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml @@ -1,7 +1,7 @@ name: Linux Auditd File Permission Modification Via Chmod id: 5f1d2ea7-eec0-4790-8b24-6875312ad492 -version: '4' -date: '2024-12-17' +version: 6 +date: '2025-01-27' author: "Teoderick Contreras, Splunk, Ivar Nyg\xE5rd" status: production type: Anomaly 
@@ -22,9 +22,9 @@ search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename hos max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line - executions and process details on Unix/Linux systems. These logs should be ingested - and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources 
@@ -48,34 +48,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A $process_exec$ event occurred on host $dest$ to modify file permissions + using the "chmod" command. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - - XorDDos + - Linux Privilege Escalation - Linux Living Off The Land - Compromised Linux Host - - Linux Privilege Escalation - Linux Persistence Techniques + - XorDDos + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions - using the "chmod" command. mitre_attack_id: - T1222.002 - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml index fbbd639de3..84bb8beef4 100644 --- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd File Permissions Modification Via Chattr id: f2d1110d-b01c-4a58-9975-90a9edeb083a -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permissions_modification_via_chattr_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permissions_modification_via_chattr_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
@@ -22,6 +22,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions + using the "chattr" command. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -29,26 +37,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions using the "chattr" command. mitre_attack_id: - T1222.002 - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml index d4897a6360..f42a173862 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Find Credentials From Password Managers id: 784241aa-85a5-4782-a503-d071bd3446f9 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures 
command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html @@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to find credentials + stored in password managers. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -30,26 +38,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers. mitre_attack_id: - T1555.005 - T1555 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index 9adac7eebd..6332592a94 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Find Credentials From Password Stores id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects suspicious attempts to find credentials stored in password stores, indicating a potential attacker's effort to access sensitive login information. Password stores are critical repositories that contain valuable credentials, and unauthorized access to them can lead to significant security breaches. By monitoring for unusual or unauthorized activities related to password store access, this analytic helps identify potential credential theft attempts, allowing security teams to respond promptly and prevent unauthorized access to critical systems and data. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE (process_exec, "%creds%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_stores_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE (process_exec, "%creds%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_stores_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to find credentials + stored in password managers. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,26 +38,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers. mitre_attack_id: - T1555.005 - T1555 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index 03daf2d62b..8788828cc2 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Find Ssh Private Keys id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious attempts to find SSH private keys, which may indicate an attacker's effort to compromise secure access to systems. SSH private keys are essential for secure authentication, and unauthorized access to these keys can enable attackers to gain unauthorized access to servers and other critical infrastructure. By monitoring for unusual or unauthorized searches for SSH private keys, this analytic helps identify potential threats to network security, allowing security teams to quickly respond and safeguard against unauthorized access and potential breaches. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_ssh_private_keys_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_ssh_private_keys_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to find SSH private + keys. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,26 +38,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to find SSH private keys. mitre_attack_id: - T1552.004 - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml index b6b196b857..11a767918e 100644 --- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Hardware Addition Swapoff id: 5728bb16-1a0b-4b66-bce2-0074ac839770 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the execution of the "swapoff" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ 
@@ -22,31 +22,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to disable the swapping + of paging devices on a Linux system. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Data Destruction - AwfulShred - Compromised Linux Host asset_type: Endpoint - confidence: 60 - impact: 60 - message: A [$process_exec$] event occurred on host - [$dest$] to disable the swapping of paging devices on a Linux system. mitre_attack_id: - T1200 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test @@ -54,4 +49,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log source: /var/log/audit/audit.log sourcetype: linux:audit - update_timestamp: true diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index f4b313e1ab..f888933bba 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Hidden Files And Directories Creation id: 555cc358-bf16-4e05-9b3a-0f89c73b7261 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html @@ -23,6 +23,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$]. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,25 +37,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$]. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index c2c9ccc05c..10a1cc21ad 100644 
--- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Insert Kernel Module Using Insmod Utility id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3 -version: '3' -date: '2024-12-17' +version: 4 +date: '2024-12-19' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -19,7 +19,7 @@ search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats c success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step @@ -47,6 +47,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to insert a + Linux kernel module using the insmod utility. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - XorDDos 
@@ -55,35 +63,18 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 80 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to insert a - Linux kernel module using the insmod utility. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index 9751b854ce..29a1db8488 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Install Kernel Module Using Modprobe Utility id: 95165985-ace5-4d42-9c42-93a89a5af901 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,7 +9,7 @@ description: The following analytic detects the installation of a Linux kernel m data_source: - Linux Auditd Syscall search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ @@ -24,6 +24,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a + Linux kernel module using the modprobe utility. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation @@ -31,30 +39,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a Linux kernel module using the modprobe utility. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index c65b5ad0ef..266495693a 100644 --- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml @@ -1,6 +1,6 @@ name: Linux Auditd Kernel Module Enumeration id: d1b088de-c47a-4572-9339-bdcc26493b32 -version: '3' +version: 4 date: '2024-12-17' author: Teoderick Contreras, Splunk status: production @@ -19,7 +19,7 @@ search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest | stats c success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `linux_auditd_kernel_module_enumeration_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step 
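Review bot: version is bumped from '3' to 4 but date is left at '2024-12-17', whereas every other file in this patch moves the date together with the version (rmmod and osquery to 2024-11-13, nopasswd and credential files to 2025-01-27); either update the date here or skip the version bump if the only content change is the "consist" to "consists of" wording.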
@@ -45,42 +45,32 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to list kernel + modules. + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Compromised Linux Host - XorDDos - Linux Rootkit asset_type: Endpoint - confidence: 50 - impact: 30 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to list kernel - modules. mitre_attack_id: - T1082 - T1014 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log source: /var/log/audit/audit.log sourcetype: linux:audit - update_timestamp: true diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index 6c4145b1ef..85736a7952 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Kernel Module Using Rmmod Utility id: 31810b7a-0abe-42be-a210-0dec8106afee -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious use of the `rmmod` utility for kernel module removal, which may indicate an attacker attempt to unload critical or security-related kernel modules. The `rmmod` command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. By monitoring for unusual or unauthorized `rmmod` activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security. +description: The following analytic detects suspicious use of the `rmmod` utility + for kernel module removal, which may indicate an attacker attempt to unload critical + or security-related kernel modules. The `rmmod` command is used to remove modules + from the Linux kernel, and unauthorized use can be a tactic to disable security + features, conceal malicious activities, or disrupt system operations. By monitoring + for unusual or unauthorized `rmmod` activity, this analytic helps identify potential + tampering with kernel modules, enabling security teams to take proactive measures + to protect system integrity and security. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_kernel_module_using_rmmod_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_kernel_module_using_rmmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
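Review bot: this hunk rewrites every line of how_to_implement yet keeps "data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events", the wording the modprobe and lsmod hunks earlier in this same patch correct to "consists of"; apply the same fix here and in the identical how_to_implement hunks for the nopasswd, osquery, sshd_config and credential-files analytics below, otherwise six copies of one sentence drift apart in a single commit.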
@@ -19,9 +38,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to remove a + Linux kernel module using the rmmod utility. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -29,34 +61,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 90 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to remove a Linux kernel module using the rmmod utility. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index 37a7748495..b0d9f8aa6c 100644 --- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Nopasswd Entry In Sudoers File id: 651df959-ad17-4b73-a323-90cb96d5fa1b -version: 2 -date: '2024-09-30' +version: 4 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command lines containing "NOPASSWD:". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity. +description: The following analytic detects the addition of NOPASSWD entries to the + /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command + lines containing "NOPASSWD:". This activity is significant because it allows users + to execute commands with elevated privileges without requiring a password, which + can be exploited by adversaries to maintain persistent, privileged access. If confirmed + malicious, this could lead to unauthorized privilege escalation, persistent access, + and potential compromise of sensitive data and system integrity. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands - https://help.ubuntu.com/community/Sudoers 
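Review bot: the search condition `where LIKE (process_exec, "%NOPASSWD%")` fires on any command line containing the token, not on an edit of /etc/sudoers, so `grep NOPASSWD /etc/sudoers` or a script that merely mentions the string will trigger it, while the description and the new rba message assert that an entry was added "in sudoers file". Either constrain the match (for example also require "sudoers" in process_exec, or pair it with a PATH record on /etc/sudoers or /etc/sudoers.d) or soften the message to say the command line contains NOPASSWD.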
@@ -20,34 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to add NOPASSWD entry + in sudoers file. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - - Linux Persistence Techniques - Compromised Linux Host + - Linux Persistence Techniques + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to add NOPASSWD entry in sudoers file. 
mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index f8218b50a6..edf2a44c84 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Osquery Service Stop id: 0c320fea-6e87-4b99-a884-74d09d4b655d -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious stopping of the `osquery` service, which may indicate an attempt to disable monitoring and evade detection. `Osquery` is a powerful tool used for querying system information and detecting anomalies, and stopping its service can be a sign that an attacker is trying to disrupt security monitoring or hide malicious activities. By monitoring for unusual or unauthorized stops of the `osquery` service, this analytic helps identify potential efforts to bypass security controls, enabling security teams to investigate and respond to possible threats effectively. +description: The following analytic detects suspicious stopping of the `osquery` service, + which may indicate an attempt to disable monitoring and evade detection. `Osquery` + is a powerful tool used for querying system information and detecting anomalies, + and stopping its service can be a sign that an attacker is trying to disrupt security + monitoring or hide malicious activities. By monitoring for unusual or unauthorized + stops of the `osquery` service, this analytic helps identify potential efforts to + bypass security controls, enabling security teams to investigate and respond to + possible threats effectively. 
data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_osquery_service_stop_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_osquery_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. 
The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
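Review bot: known_false_positives ("Administrator or network operator can use this application for automation purposes") is copied from the command-line analytics and does not fit a SERVICE_STOP search on `unit IN ("osqueryd")`; the benign case here is a restart (package upgrade, config reload via systemctl restart), which emits SERVICE_STOP followed by SERVICE_START. Saying so, and suggesting the filter macro exclude stops immediately followed by a start of the same unit, would make the FP guidance actionable.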
@@ -19,9 +38,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service event - [$type$] event occurred on host - [$dest$] to stop the + osquery service. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
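Review bot: the moved message fixes "occured" but still reads "A service event - [$type$] event occurred", which renders as "A service event - [SERVICE_STOP] event occurred ..." with a doubled "event"; `unit` is in the stats by-clause, so "A [$type$] event for unit [$unit$] occurred on host - [$dest$]" names the stopped service and drops the repetition.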
@@ -29,32 +61,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service event - [$type$] event occured on host - [$dest$] to stop the osquery service. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index 5b1bb8f93a..965112d606 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Possible Access Or Modification Of Sshd Config File id: acb3ea33-70f7-47aa-b335-643b3aebcb2f -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing on command-line executions involving processes like "cat," "nano," "vim," and "vi" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk. +description: The following analytic detects suspicious access or modification of the + sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing + on command-line executions involving processes like "cat," "nano," "vim," and "vi" + accessing the sshd_config file. This activity is significant because unauthorized + changes to sshd_config can allow threat actors to redirect port connections or use + unauthorized keys, potentially compromising the system. If confirmed malicious, + this could lead to unauthorized access, privilege escalation, or persistent backdoor + access, posing a severe security risk. 
data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ 
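Review bot: the search filters `name="/etc/ssh/ssh_config*"`, which matches the client configuration /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/* but never /etc/ssh/sshd_config (the prefix "ssh_" does not match "sshd"), so the analytic does not cover the file its name, description and T1098.004 reference are about. Since this hunk rewrites the search line anyway, change it to `name IN ("/etc/ssh/sshd_config", "/etc/ssh/sshd_config.d/*")` (keep the ssh_config pattern as well if client-side tampering is intended) and re-check the test dataset, which is named linux_auditd_ssh_config.log and may only pass because of the wrong pattern. The description's "cat," "nano," "vim," and "vi" wording also describes a PROCTITLE search, but this one runs on PATH records and groups by name nametype OGID type dest, which carry no process name; either drop that sentence or correlate with the SYSCALL record of the same audit event to get exe and comm.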
@@ -20,9 +39,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$type$] has been accessed/modified on host - [$dest$] to modify the + sshd_config file. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
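Review bot: the rba message "A [$type$] has been accessed/modified on host" interpolates the record type, so it renders as "A [PATH] has been accessed/modified ..."; `name` and `nametype` are both in the by-clause, so "[$name$] was accessed/modified ($nametype$) on host - [$dest$]" tells the analyst which file and whether it was opened, created or deleted.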
@@ -30,31 +62,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$type$] has been accessed/modified on host - [$dest$] to modify the sshd_config file. mitre_attack_id: - T1098.004 - T1098 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index 7a393d7dc3..499e0a23bb 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml 
@@ -1,16 +1,37 @@ name: Linux Auditd Possible Access To Credential Files id: 0419cb7a-57ea-467b-974f-77c303dfe2a3 -version: 2 -date: '2024-09-30' +version: 4 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise. +description: The following analytic detects attempts to access or dump the contents + of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux + Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these + files. This activity is significant as it may indicate credential dumping, a technique + used by adversaries to gain persistence or escalate privileges. If confirmed malicious, + privileges. If confirmed malicious, attackers could obtain hashed passwords for + offline cracking, leading to unauthorized access and potential system compromise. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_credential_files_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) + AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, + "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_to_credential_files_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd - https://attack.mitre.org/techniques/T1003/008/ 
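Review bot: The rewrapped description in this hunk still carries the duplicated fragment "If confirmed malicious, privileges. If confirmed malicious, attackers could obtain hashed passwords"; since the whole block is being rewritten anyway, drop "privileges. If confirmed malicious," so it reads "If confirmed malicious, attackers could obtain hashed passwords for offline cracking". The rewrapped how_to_implement likewise keeps "data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events" while the cronjob and preload-library hunks in this same change correct the sentence to "consists of"; apply the same fix here so the files stay consistent.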
@@ -20,34 +41,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to access or dump + the contents of /etc/passwd and /etc/shadow files. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - - Linux Persistence Techniques - Compromised Linux Host + - Linux Persistence Techniques + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to access or dump the contents of /etc/passwd and /etc/shadow files. 
mitre_attack_id: - T1003.008 - T1003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index 19ab4be8f0..8dda7e5e89 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Possible Access To Sudoers File id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 -version: 2 -date: '2024-09-30' +version: 4 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host. +description: The following analytic detects potential access or modification of the + /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing + on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. + This activity is significant because the sudoers file controls user permissions + for executing commands with elevated privileges. If confirmed malicious, an attacker + could gain persistence or escalate privileges, compromising the security of the + targeted host. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/sudoers*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name="/etc/sudoers*" | rename host as dest | stats + count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_to_sudoers_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://attack.mitre.org/techniques/T1548/003/ - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf 
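Review bot: The how_to_implement block rewrapped in this hunk keeps "data, that consist SYSCALL" even though the same sentence is corrected to "consists of" elsewhere in this change; fix it while the block is being touched. known_false_positives also starts lowercase ("administrator or network operator can execute this command"), unlike the sibling detections; capitalise it to match.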
@@ -20,36 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$type$] has been accessed/modified on host - [$dest$] to access or modify + the sudoers file. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - - Linux Persistence Techniques - Compromised Linux Host + - Linux Persistence Techniques + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$type$] has been accessed/modified on host - [$dest$] to access or modify the sudoers file. 
mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 93646f121e..d80e3059c5 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File id: fea71cf0-fa10-4ef6-9202-9682b2e0c477 -version: '3' -date: '2024-12-17' +version: 4 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -19,7 +19,7 @@ search: '`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", " by name nametype OGID dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step 
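Review bot: In the sudoers hunk (@@ -20,36 +38,37 @@) the new rba message "A [$type$] has been accessed/modified on host - [$dest$]" will always render as "A [PATH] has been accessed/modified", because the search pins type=PATH, so the message tells the analyst nothing about what was touched. $name$ is already in the stats by clause; a message such as "The sudoers file [$name$] was accessed or modified on host - [$dest$]" would show which path (including /etc/sudoers.d entries) matched. The score of 25 agrees with the removed confidence 50 / impact 50 / risk_score 25, so the RBA migration is otherwise consistent.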
@@ -43,32 +43,18 @@ tags: - Scheduled Tasks - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$type$] event has occured on host - [$dest$] to append a cronjob entry - on an existing cronjob file. mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml index b0b87780b3..fdfa38e184 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd Preload Hijack Library Calls id: 35c50572-a70b-452f-afa9-bebdf3c3ce36 -version: 2 -date: '2024-09-30' +version: 4 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Linux Auditd, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system. +description: The following analytic detects the use of the LD_PRELOAD environment + variable to hijack or hook library functions on a Linux platform. It leverages data + from Linux Auditd, focusing on process execution logs that include command-line + details. This activity is significant because adversaries, malware authors, and + red teamers commonly use this technique to gain elevated privileges and establish + persistence on a compromised machine. If confirmed malicious, this behavior could + allow attackers to execute arbitrary code, escalate privileges, and maintain long-term + access to the system. 
data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%LD_PRELOAD%")| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_library_calls_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, + "%LD_PRELOAD%")| stats count min(_time) as firstTime max(_time) as lastTime by argc + process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_preload_hijack_library_calls_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures + command-line executions and process details on Unix/Linux systems. 
These logs should + be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 drilldown_searches: 
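Review bot: The two renames added to the search, "rename comm as process_name | rename exe as process", produce fields that the following "stats count ... by argc process_exec dest" immediately discards, so they have no effect on the detection's output unless the filter macro depends on them. Either add process_name and process to the by clause (which would also make them available for the rba message and for threat_objects, currently an empty list) or drop the renames.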
@@ -19,35 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to hijack or hook + library functions using the LD_PRELOAD environment variable. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - - Linux Persistence Techniques - Compromised Linux Host + - Linux Persistence Techniques + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to hijack or hook library functions using the LD_PRELOAD environment variable. 
mitre_attack_id: - T1574.006 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index ed9d9ff948..2d5b8c3d5e 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Preload Hijack Via Preload File id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes. The `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior. By monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security. +description: The following analytic detects suspicious preload hijacking via the `preload` + file, which may indicate an attacker's attempt to intercept or manipulate library + loading processes. The `preload` file can be used to force the loading of specific + libraries before others, potentially allowing malicious code to execute or alter + application behavior. By monitoring for unusual or unauthorized modifications to + the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, + enabling security teams to investigate and address potential threats to system integrity + and security. 
data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_via_preload_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_preload_hijack_via_preload_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. 
The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
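Review bot: The how_to_implement block is rewrapped here but keeps "data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events", the wording that the cronjob, preload-library and private-keys files in this same change correct to "consists of"; make the same fix. The known_false_positives text "Administrator or network operator can use this application for automation purposes" also does not fit a PATH-based file detection, since no application is named; something like "Administrators or configuration management tooling may legitimately modify /etc/ld.so.preload" describes the actual false-positive source.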
@@ -19,9 +38,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$type$] event has occurred on host - [$dest$] to modify the preload file. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
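Review bot: The rba message "A [$type$] event has occurred on host - [$dest$] to modify the preload file" uses $type$, which the search fixes to PATH, so every notable will read "A [PATH] event has occurred"; substitute $name$, which is in the stats by clause, so the message shows the matching path (for example /etc/ld.so.preload). The score of 81 agrees with the removed confidence 90 / impact 90 / risk_score 81.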
@@ -29,31 +60,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$type$] event has occured on host - [$dest$] to modify the preload file. mitre_attack_id: - T1574.006 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_find_private_keys.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml similarity index 62% rename from detections/endpoint/linux_auditd_find_private_keys.yml rename to detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml index 713ccc03a2..29d3189d49 100644 --- a/detections/endpoint/linux_auditd_find_private_keys.yml +++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml 
@@ -1,15 +1,15 @@ -name: Linux Auditd Find Private Keys -id: 80bb9988-190b-4ee0-a3c3-509545a8f678 -version: 3 -date: '2024-09-30' +name: Linux Auditd Private Keys and Certificate Enumeration +id: 892eb674-3344-4143-8e52-4775b1daf3f1 +version: 1 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%")OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_private_keys_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html @@ -23,6 +23,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,26 +37,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. mitre_attack_id: - T1552.004 - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml index 87bbb2e1ec..a619b94f79 100644 --- a/detections/endpoint/linux_auditd_service_restarted.yml 
+++ b/detections/endpoint/linux_auditd_service_restarted.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd Service Restarted id: 8eb3e858-18d3-44a4-a514-52cfa39f154a -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Linux Auditd, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise. +description: The following analytic detects the restarting or re-enabling of services + on Linux systems using the `systemctl` or `service` commands. It leverages data + from Linux Auditd, focusing on process and command-line execution logs. This activity + is significant as adversaries may use it to maintain persistence or execute unauthorized + actions. If confirmed malicious, this behavior could lead to repeated execution + of malicious payloads, unauthorized access, or data destruction. Security analysts + should investigate these events to mitigate risks and prevent further compromise. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service + %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR + LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) + as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: 
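Review bot: the reflowed `how_to_implement` in this hunk still carries the ungrammatical "data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events", while the setcap and private-keys files in the same patch were corrected to "data, that consists of SYSCALL, ..."; since these lines are being rewritten anyway, apply the same wording here, and change "this commandline" in `known_false_positives` to "this command line". Note also that the `search` scalar now breaks inside a quoted LIKE pattern (`"%service` / `%")`); this is safe only because YAML folds the line break into the single space the pattern already had, so any future re-wrap must keep the break on an existing space or switch the value to a block scalar.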
@@ -19,9 +39,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to restart or re-enable + a service. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - AwfulShred 
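Review bot: `threat_objects: []` leaves the new `rba` block with no threat object even though `process_exec` is in the search's `by` clause and is already interpolated into `message`; if the RBA schema permits a command-line or process threat object, registering `process_exec` there would let risk events be correlated by the command across hosts rather than only by `dest`. The score is consistent: 25 equals the removed `confidence: 50` times `impact: 50` divided by 100, so the migration preserves the prior risk score.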
@@ -33,29 +66,18 @@ tags: - Gomir - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to restart or re-enable a service. mitre_attack_id: - T1053.006 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml index 127d703220..2e878c1779 100644 --- a/detections/endpoint/linux_auditd_service_started.yml +++ b/detections/endpoint/linux_auditd_service_started.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd Service Started id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious service started. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious service started. This behavior + is critical for a SOC to monitor because it may indicate attempts to gain unauthorized + access or maintain control over a system. Such actions could be signs of malicious + activity. If confirmed, this could lead to serious consequences, including a compromised + system, unauthorized access to sensitive data, or even a wider breach affecting + the entire network. Detecting and responding to these signs early is essential to + prevent potential security incidents. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_service_started_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service + %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | + stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_service_started_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
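Review bot: the first sentence of the rewritten `description` is ungrammatical ("detects the suspicious service started") and does not say which commands are matched; since the search keys on `systemctl`/`service` with `start` or `enable`, suggest "The following analytic detects a service being started or enabled on Linux systems via the `systemctl` or `service` commands." In the same hunk, `known_false_positives` says "can use this application", which was copied from another analytic; "this command line" matches both the search and the wording used in the service-restarted file.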
@@ -19,9 +39,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to start or enable + a service. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -29,29 +62,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to start or enable a service. mitre_attack_id: - T1569.002 - T1569 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml index c8ade3e08d..7c32e22160 100644 --- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd Setuid Using Chmod Utility id: 8230c407-1b47-4d95-ac2e-718bd6381386 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Linux Auditd, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions. +description: The following analytic detects the execution of the chmod utility to + set the SUID or SGID bit on files, which can allow users to temporarily gain root + or group-level access. This detection leverages data from Linux Auditd, focusing + on process names and command-line arguments related to chmod. This activity is significant + as it can indicate an attempt to escalate privileges or maintain persistence on + a system. If confirmed malicious, an attacker could gain elevated access, potentially + compromising sensitive data or critical system functions. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s + %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE + (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as + lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: 
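Review bot: the numeric patterns in the `search` (`"% 4777 %"`, `"% 4577 %"`) cover only two octal modes, so the far more common SUID/SGID settings such as `4755` or `2755`, and the symbolic form `+s` without a `u`/`g` prefix, pass through undetected; SPL `like()` accepts `_` as a single-character wildcard, so `LIKE(process_exec, "% 4___ %")`, `"% 2___ %"`, `"% 6___ %"` and `"%+s %"` would close that gap without widening the `chmod` prefix match. Since these lines are being rewritten in this hunk, it is the right moment to broaden them.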
@@ -19,9 +39,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or + SGID bit on files using the chmod utility. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -29,29 +62,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the chmod utility. mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml index dab576f585..df8cc3f4ae 100644 --- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Setuid Using Setcap Utility id: 1474459a-302b-4255-8add-d82f96d14cd9 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Linux Auditd data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_setcap_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_setcap_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ 
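Review bot: the added `rename comm as process_name | rename exe as process` in the `search` are no-ops as written, because the following `stats count ... by argc process_exec dest` drops both renamed fields before they can reach `rba` or the drilldowns; either add `process_name process` to the `by` clause so the renames are usable, or drop them unless `linux_auditd_setuid_using_setcap_utility_filter` is known to reference them. The same pattern appears in the private-keys-enumeration search at the top of this patch.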
@@ -22,32 +22,27 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or + SGID bit on files using the setcap utility. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the setcap utility. mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml index 21220aebad..6d09005763 100644 --- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml +++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml 
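Review bot: in the setcap `rba` hunk above, the new `message` says the event set "the SUID or SGID bit on files using the setcap utility", but `setcap` sets file capabilities (the search matches `cap_setuid`, `cap_net_raw`, `cap_dac_read_search` and similar), not the SUID/SGID bits; an analyst reading the risk message will look for the wrong artifact. Suggest "to assign privileged file capabilities using the setcap utility". The score is consistent with the removed `confidence: 90` and `impact: 90` (81).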
@@ -1,16 +1,36 @@ name: Linux Auditd Shred Overwrite Command id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Linux Auditd, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability. +description: The following analytic detects the execution of the 'shred' command on + a Linux machine, which is used to overwrite files to make them unrecoverable. It + leverages data from Linux Auditd, focusing on process names and command-line arguments. + This activity is significant because the 'shred' command can be used in destructive + attacks, such as those seen in the Industroyer2 malware targeting energy facilities. + If confirmed malicious, this activity could lead to the permanent destruction of + critical files, severely impacting system integrity and data availability. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") + OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, + "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec + proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
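Review bot: the `search` only fires when `shred` is combined with `-n`, `-z`, `-u` or `-s`, but a bare `shred <file>` already overwrites the target with its default number of passes, so the destructive case without options is not covered; either drop the flag condition or document in `known_false_positives` why flag-less invocations are intentionally excluded. The flag patterns are also unanchored substrings (`"%-s%"`), so any `-s`-bearing argument elsewhere on the command line satisfies them, which is fine for coverage but should be understood when tuning the filter macro.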
@@ -20,9 +40,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to overwrite files + using the shred utility. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - AwfulShred 
@@ -32,28 +65,17 @@ tags: - Industroyer2 - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to overwrite files using the shred utility. mitre_attack_id: - T1485 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml index 745186a07a..23004f47e1 100644 --- a/detections/endpoint/linux_auditd_stop_services.yml +++ b/detections/endpoint/linux_auditd_stop_services.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Stop Services id: 43bc9281-753b-4743-b4b7-60af84f085f3 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-12-16' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Linux Auditd, focusing on processes like "systemctl," "service," and "svcadm" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability. +type: Hunting +description: The following analytic detects attempts to stop a service on Linux systems. It leverages data from Linux Auditd. This activity is significant as adversaries often stop or terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability. data_source: - Linux Auditd Service Stop search: '`linux_auditd` type=SERVICE_STOP | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_stop_services_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ 
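Review bot: the updated how_to_implement still states that the detection needs "SYSCALL, TYPE, EXECVE and PROCTITLE events", but the search here only consumes `type=SERVICE_STOP` records, and TYPE is not an auditd record type (PATH is presumably what was meant); the implementation text should name the record type this analytic actually depends on. Changing `type: TTP` to `type: Hunting` and dropping the confidence, impact, risk_score and observable fields in the next hunk without adding an rba block is consistent, since an unfiltered SERVICE_STOP search fires on every routine service stop, but the effect (this analytic no longer contributes to risk-based alerting) is a behaviour change that should be called out in the commit message.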
@@ -30,28 +30,12 @@ tags: - AwfulShred - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A service event - [$type$] event occured on host - [$dest$] to stop or disable a service. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml index eb9bd249f1..b53ed7ef6c 100644 --- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd Sudo Or Su Execution id: 817a5c89-5b92-4818-a22d-aa35e1361afe -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the "sudo" or "su" data_source: - Linux Auditd Proctitle search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%sudo %") OR LIKE(process_exec, "%su %") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_sudo_or_su_execution_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1548/003/ @@ -22,31 +22,27 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to execute the sudo + or su command. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to execute the sudo or su command. mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml index fe72f91575..64021b8def 100644 --- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Sysmon Service Stop id: 20901256-633a-40de-8753-7b88811a460f -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious sysmon service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious sysmon service stop. This + behavior is critical for a SOC to monitor because it may indicate attempts to gain + unauthorized access or maintain control over a system. Such actions could be signs + of malicious activity. If confirmed, this could lead to serious consequences, including + a compromised system, unauthorized access to sensitive data, or even a wider breach + affecting the entire network. Detecting and responding to these signs early is essential + to prevent potential security incidents. data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_sysmon_service_stop_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_sysmon_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: @@ -19,9 +37,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service event - [$type$] event occurred on host - [$dest$] to stop or + disable the sysmon service. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -29,32 +60,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service event - [$type$] event occured on host - [$dest$] to stop or disable the sysmon service. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index 2aa7efb626..b518e8fa93 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml 
@@ -1,16 +1,38 @@ name: Linux Auditd System Network Configuration Discovery id: 5db16825-81bd-4923-a8d6-d6a13a59832a -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious system network configuration discovery activities, which may indicate an adversary's attempt to gather information about the network environment. Such actions typically involve commands or tools used to identify network interfaces, routing tables, and active connections. Detecting these activities is crucial, as they often precede more targeted attacks like lateral movement or data exfiltration. By identifying unusual or unauthorized network discovery efforts, this analytic helps security teams to swiftly detect and respond to potential reconnaissance operations, mitigating the risk of further compromise. +description: The following analytic detects suspicious system network configuration + discovery activities, which may indicate an adversary's attempt to gather information + about the network environment. Such actions typically involve commands or tools + used to identify network interfaces, routing tables, and active connections. Detecting + these activities is crucial, as they often precede more targeted attacks like lateral + movement or data exfiltration. By identifying unusual or unauthorized network discovery + efforts, this analytic helps security teams to swiftly detect and respond to potential + reconnaissance operations, mitigating the risk of further compromise. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_system_network_configuration_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", + "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename + host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) + as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) + as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | + where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_system_network_configuration_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
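Review bot: `bucket _time span=15m` in this search has no effect, because `_time` is not part of the `stats ... by success dest` clause, so `dc(comm) as unique_commands` is counted over the whole search window rather than per 15-minute window and the `where unique_commands >= 4` threshold is reached far more easily on a long-running or scheduled search; either add `_time` to the by clause (`by _time success dest`) so the bucketing is honoured, or drop the bucket command and state in the description that the count is per search window.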
@@ -19,9 +41,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover + system network configuration. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
@@ -29,33 +64,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover system network configuration. mitre_attack_id: - T1016 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 2d75516cb6..50d90725bc 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml 
@@ -1,16 +1,40 @@ name: Linux Auditd Unix Shell Configuration Modification id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`, control user environment settings and command execution. Unauthorized changes to these files can be used to execute malicious commands, escalate privileges, or hide malicious activities. By monitoring for unusual or unauthorized modifications to shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks. +description: The following analytic detects suspicious modifications to Unix shell + configuration files, which may indicate an attempt to alter system behavior or gain + unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`, + control user environment settings and command execution. Unauthorized changes to + these files can be used to execute malicious commands, escalate privileges, or hide + malicious activities. By monitoring for unusual or unauthorized modifications to + shell configuration files, this analytic helps identify potential security threats, + allowing security teams to respond quickly and mitigate risks. 
data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unix_shell_configuration_modification_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", + "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", + "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", + "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", + "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", + "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") | rename host as + dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype + OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_unix_shell_configuration_modification_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS 
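Review bot: `"root/.profile"` in the `name IN (...)` list is missing its leading slash, so it can never match an auditd PATH `name` value; it should read `"/root/.profile"` alongside `"/root/.bashrc"` and `"/root/.bash_profile"`. The defect predates the re-wrap, but since the line is being touched anyway this is the place to fix it.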
@@ -20,9 +44,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$type$] event occurred on host - [$dest$] to modify the unix shell configuration + file. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
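Review bot: the new `score: 64` under rba does not match the `risk_score: 25` that the next hunk removes from this same file, so this change raises the analytic's effective risk score from 25 to 64 (64 equals the removed confidence 80 x impact 80 / 100, so the old 25 may well have been the inconsistent value). Every other file in this change carries its old risk_score over unchanged (81, 25, 64 and 25), so if the increase is intended it should be stated in the commit message; otherwise set `score: 25`.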
@@ -30,31 +67,18 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$type$] event occured on host - [$dest$] to modify the unix shell configuration file. mitre_attack_id: - T1546.004 - T1546 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml index f34589900d..d3f5d76e2e 100644 --- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Unload Module Via Modprobe id: 90964d6a-4b5f-409a-85bd-95e261e03fe9 -version: 2 -date: '2024-09-30' +version: 3 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects suspicious use of the `modprobe` command to unload kernel modules, which may indicate an attempt to disable critical system components or evade detection. The `modprobe` utility manages kernel modules, and unauthorized unloading of modules can disrupt system security features, remove logging capabilities, or conceal malicious activities. By monitoring for unusual or unauthorized `modprobe` operations involving module unloading, this analytic helps identify potential tampering with kernel functionality, enabling security teams to investigate and address possible threats to system integrity. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unload_module_via_modprobe_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unload_module_via_modprobe_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
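Review bot: the two new pipeline stages `| rename comm as process_name | rename exe as process` produce fields that the following `stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest` immediately discards, so `process_name` and `process` never reach the output and cannot be referenced from the `rba` message or threat objects. Either append `process_name process` to the `by` clause (and then consider listing `process_name` under `threat_objects` instead of the empty list added below) or drop the renames as dead stages.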
@@ -22,6 +22,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to unload a kernel + module via the modprobe command. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -29,26 +37,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to unload a kernel module via the modprobe command. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index cabae614c3..59da2a56d4 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml 
@@ -1,15 +1,15 @@ name: Linux Auditd Virtual Disk File And Directory Discovery id: eec78cef-d4c8-4b35-8f5b-6922102a4a41 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html 
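Review bot: `rename comm as process_name | rename exe as process` is added to this search, but the aggregation still groups `by argc process_exec dest`, so both renamed fields are dropped before the results are emitted. Carry them into the `by` clause if they are intended to be usable in the `rba` block or as threat objects; otherwise the renames are no-ops and should not be added.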
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to discover virtual + disk files and directories. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -30,25 +38,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to discover virtual disk files and directories. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index d2bf0d74d7..275d9ac8f4 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the suspicious use of the whoami command, which may indicate an attacker trying to gather information about the current user account on a compromised system. The whoami command is commonly used to verify user privileges and identity, especially during initial stages of an attack to assess the level of access. By monitoring for unusual or unauthorized executions of whoami, this analytic helps in identifying potential reconnaissance activities, enabling security teams to take action before the attacker escalates privileges or conducts further malicious operations. +description: The following analytic detects the suspicious use of the whoami command, + which may indicate an attacker trying to gather information about the current user + account on a compromised system. The whoami command is commonly used to verify user + privileges and identity, especially during initial stages of an attack to assess + the level of access. By monitoring for unusual or unauthorized executions of whoami, + this analytic helps in identifying potential reconnaissance activities, enabling + security teams to take action before the attacker escalates privileges or conducts + further malicious operations. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_whoami_user_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host + as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL + UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_whoami_user_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS 
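Review bot: this hunk reflows `how_to_implement` but keeps the grammatical error that the modprobe and virtual disk files fix in the same patch: it still reads `data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events` where the sibling files now read `that consists of`. Apply the same wording here so the three descriptions stay identical. While the `search` line is being touched, the stray space in `exe= "*/whoami"` is harmless to SPL but worth normalizing to `exe="*/whoami"` to match the `comm=whoami` term beside it.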
@@ -20,9 +39,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover + virtual disk files and directories. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
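Review bot: the new `rba.message` is wrong for this detection: `A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover virtual disk files and directories.` is copied from the virtual disk discovery analytic, whereas this detection (T1033) fires on `whoami` execution. The old `message` removed in the next hunk carried the same mistake, but this migration is the natural place to correct it, e.g. `A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover the current user account.`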
@@ -30,33 +62,17 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover virtual disk files and directories. mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml index 818dc533a5..f7a4f975d6 100644 --- a/detections/endpoint/linux_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_awk_privilege_escalation.yml 
@@ -1,16 +1,37 @@ name: Linux AWK Privilege Escalation id: 4510cae0-96a2-4840-9919-91d262db210a -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the use of the AWK command with elevated privileges to execute system commands. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring processes that include "sudo," "awk," and "BEGIN*system" in their command lines. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by executing commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control over the affected endpoint. +description: The following analytic detects the use of the AWK command with elevated + privileges to execute system commands. It leverages Endpoint Detection and Response + (EDR) telemetry, specifically monitoring processes that include "sudo," "awk," and + "BEGIN*system" in their command lines. This activity is significant because it indicates + a potential privilege escalation attempt, where a user could gain root access by + executing commands as the root user. If confirmed malicious, this could allow an + attacker to fully compromise the system, execute arbitrary commands, and maintain + persistent control over the affected endpoint. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*" AND Processes.process="*awk*" AND Processes.process="*BEGIN*system*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*" AND + Processes.process="*awk*" AND Processes.process="*BEGIN*system*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://www.hacknos.com/awk-privilege-escalation/ drilldown_searches: 
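Review bot: `version` jumps from 4 to 6 here (and likewise in the busybox and c89 files that follow), while the auditd detections in the same patch bump by exactly one. If version 5 was never published, this should be a single increment; if it was, the intermediate change belongs in this diff so the history is reconstructible. The reflow of `search`, `how_to_implement` and `known_false_positives` in this hunk is otherwise content-neutral.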
@@ -19,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml index 4d836fa5bb..4f7d70ec4a 100644 --- a/detections/endpoint/linux_busybox_privilege_escalation.yml +++ b/detections/endpoint/linux_busybox_privilege_escalation.yml 
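Review bot: `- update_timestamp: true` is removed from the test's `attack_data` entry with no replacement, which changes how the replayed `sysmon_linux.log` dataset is timestamped when the True Positive Test runs. Confirm the test still passes without it, or note in the commit message that the key is no longer part of the test schema, so the removal is not mistaken for an accidental drop during the reflow.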
@@ -1,15 +1,35 @@ name: Linux Busybox Privilege Escalation id: 387c4e78-f4a4-413d-ad44-e9f7bc4642c9 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of BusyBox with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant because it indicates a user may be attempting to gain root access, bypassing standard security controls. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and potential persistence within the environment. +description: The following analytic detects the execution of BusyBox with sudo privileges, + which can lead to privilege escalation on Linux systems. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process creation events + where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant + because it indicates a user may be attempting to gain root access, bypassing standard + security controls. If confirmed malicious, this could allow an attacker to execute + arbitrary commands as root, leading to full system compromise and potential persistence + within the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*busybox*" AND Processes.process="*sh*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*busybox*" + AND Processes.process="*sh*" AND Processes.process="*sudo*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/busybox/ 
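Review bot: while this search is being reflowed, note that `Processes.process="*sh*"` is a substring match satisfied by almost any command line containing `sh` (`ssh`, `bash`, `shell`, paths under `/usr/share`), so in practice the only effective conditions are `*busybox*` and `*sudo*`. Tightening it toward the GTFOBins form the reference points at, e.g. `Processes.process="*busybox sh*"`, would remove much of the noise that the `known_false_positives` line already warns about without losing the documented escalation path.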
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml index 80ebe84edf..9e9c19688c 100644 --- a/detections/endpoint/linux_c89_privilege_escalation.yml +++ b/detections/endpoint/linux_c89_privilege_escalation.yml 
@@ -1,15 +1,35 @@ name: Linux c89 Privilege Escalation id: 54c95f4d-3e5d-44be-9521-ea19ba62f7a8 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'c89' command with elevated privileges, which can be used to compile and execute C programs as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute arbitrary commands as root. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute any command with elevated privileges. +description: The following analytic detects the execution of the 'c89' command with + elevated privileges, which can be used to compile and execute C programs as root. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events that include command-line arguments. This activity + is significant because it indicates a potential privilege escalation attempt, allowing + a user to execute arbitrary commands as root. If confirmed malicious, this could + lead to full system compromise, enabling the attacker to gain root access and execute + any command with elevated privileges. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*c89*" AND Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*c89*" AND + Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/c89/ 
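Review bot: `version` jumps from 4 to 6 in a single change; if no intermediate version 5 was ever published, bump to 5 so the version history stays contiguous. While in this hunk, `known_false_positives: False positives may be present, filter as needed.` gives the analyst nothing to act on; name the benign case the `linux_c89_privilege_escalation_filter` macro is expected to cover (for example build or packaging jobs that legitimately invoke `c89` under `sudo`).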
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml index 54ec5b893a..2b4cc5888a 100644 --- a/detections/endpoint/linux_c99_privilege_escalation.yml +++ b/detections/endpoint/linux_c99_privilege_escalation.yml 
@@ -1,15 +1,35 @@ name: Linux c99 Privilege Escalation id: e1c6dec5-2249-442d-a1f9-99a4bd228183 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the c99 utility with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of the c99 utility to gain root access, which is critical for maintaining system security. If confirmed malicious, this could allow an attacker to execute commands as root, potentially compromising the entire system and accessing sensitive information. +description: The following analytic detects the execution of the c99 utility with + sudo privileges, which can lead to privilege escalation on Linux systems. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include command-line details. This activity is significant because it + indicates a potential misuse of the c99 utility to gain root access, which is critical + for maintaining system security. If confirmed malicious, this could allow an attacker + to execute commands as root, potentially compromising the entire system and accessing + sensitive information. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*c99*" AND Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*c99*" AND + Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/c99/ 
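Review bot: Same contiguity question as the c89 file: `version` goes 4 to 6 with `date: '2024-11-13'`, skipping 5. The reflowed `search` is otherwise identical to the c89 detection apart from the `"*c99*"` literal, so if the two files are meant to stay in lockstep, consider documenting that in `description` or `how_to_implement` so future edits land in both.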
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml index c9adc9f578..89b8695a26 100644 --- a/detections/endpoint/linux_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_change_file_owner_to_root.yml 
@@ -1,16 +1,36 @@ name: Linux Change File Owner To Root id: c1400ea2-6257-11ec-ad49-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment. +description: The following analytic detects the use of the 'chown' command to change + a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response + (EDR) telemetry, specifically monitoring command-line executions and process details. + This activity is significant as it may indicate an attempt to escalate privileges + by adversaries, malware, or red teamers. If confirmed malicious, this action could + allow an attacker to gain root-level access, leading to full control over the compromised + host and potential persistence within the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = "*chown *") AND Processes.process = "* root *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown + OR Processes.process = "*chown *") AND Processes.process = "* root *" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users - https://askubuntu.com/questions/617850/changing-from-user-to-superuser 
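Review bot: The `Processes.process = "* root *"` clause in the reflowed `search` requires a space on both sides of `root`, so a command line such as `chown root:root <file>`, or one where `root` is the final token, is not matched even though the `description` claims to detect changing "a file owner to 'root'". Either broaden the pattern (for example a `"* root:*"` alternative alongside `"* root *"`) or state the coverage limit in `known_false_positives` so analysts know which forms the search does and does not see.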
@@ -20,44 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may change ownership to root on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 80 - message: A commandline $process$ that may change ownership to root on $dest$ mitre_attack_id: - T1222.002 - T1222 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml index 8e65848fec..cfbfb74782 100644 --- a/detections/endpoint/linux_clipboard_data_copy.yml +++ b/detections/endpoint/linux_clipboard_data_copy.yml 
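Review bot: The `tests` block points at `.../attack_techniques/T1548.001/chmod_uid/sysmon_linux.log`, a chmod-named dataset, for a detection whose search requires `chown` and `"* root *"`; verify that this log actually contains a matching `chown ... root ...` event, or point the test at a chown-specific dataset. The new `rba` block (`score: 64`, `threat_objects: []`) is consistent with the removed `confidence: 80` × `impact: 80` / 100 and with a message that references only `$process$` and `$dest$`.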
@@ -1,16 +1,36 @@ name: Linux Clipboard Data Copy id: 7173b2ad-6146-418f-85ae-c3479e4515fc -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. +description: The following analytic detects the use of the Linux 'xclip' command to + copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) + telemetry, focusing on process names and command-line arguments related to clipboard + operations. This activity is significant because adversaries can exploit clipboard + data to capture sensitive information such as passwords or IP addresses. If confirmed + malicious, this technique could lead to unauthorized data exfiltration, compromising + sensitive information and potentially aiding further attacks within the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN ("*-o *", "*-sel *", "*-selection *", "*clip *","*clipboard*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip + Processes.process IN ("*-o *", "*-sel *", "*-selection *", "*clip *","*clipboard*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present on Linux desktop as it may commonly + be used by administrators or end users. Filter as needed. references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip 
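Review bot: The `by` clause of the reflowed `search` stops at `Processes.parent_process_id` and omits `Processes.process_guid`, unlike every other `search` touched in this patch, yet the `how_to_implement` text on the next lines still says "you must ingest logs that contain the process GUID". Add `Processes.process_guid` to the `by` list for consistency, or drop the GUID requirement from the text for this detection.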
@@ -20,54 +40,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ by user + $user$ adding or removing content from the clipboard. + risk_objects: + - field: user + type: user + score: 16 + - field: dest + type: system + score: 16 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land asset_type: Endpoint - confidence: 40 - impact: 40 - message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard. 
mitre_attack_id: - T1115 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml index a7a5dcea78..9bcb78b36d 100644 --- a/detections/endpoint/linux_common_process_for_elevation_control.yml +++ b/detections/endpoint/linux_common_process_for_elevation_control.yml 
@@ -1,16 +1,42 @@ name: Linux Common Process For Elevation Control id: 66ab15c0-63d0-11ec-9e70-acde48001122 -version: 3 -date: '2024-10-17' +version: 5 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources. +description: The following analytic identifies the execution of common Linux processes + used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant because these processes + are often abused by adversaries to gain persistence or escalate privileges on compromised + hosts. If confirmed malicious, this behavior could allow attackers to modify file + attributes, change file ownership, or set user IDs, potentially leading to unauthorized + access and control over critical system resources. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", + "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", + "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", + "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod + *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", + "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid + *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://attack.mitre.org/techniques/T1548/001/ - https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297 @@ -19,34 +45,18 @@ references: tags: analytic_story: - Linux Privilege Escalation - - Linux Persistence Techniques - Linux Living Off The Land + - Linux Persistence Techniques + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 30 - impact: 30 - message: A commandline $process$ with process $process_name$ on $dest$ mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml index 5b5b73996a..5753643b61 100644 --- a/detections/endpoint/linux_composer_privilege_escalation.yml +++ b/detections/endpoint/linux_composer_privilege_escalation.yml 
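Review bot: in the reflowed `search:` of linux_common_process_for_elevation_control.yml, the `Processes.process_name IN (...)` list still contains syscall/libc names (`fchmod`, `fchmodat`, `fchown`, `fchownat`, `fremovexattr`, `fsetxattr`, `lchown`, `lremovexattr`, `lsetxattr`, `removexattr`, `setuid`, `setgid`, `setreuid`, `setregid`) that are not shipped as executables on Linux distributions and therefore never appear as a process name; only `chmod`, `chown` and `chattr` in that list are real binaries, and `setcap` is matched in the `Processes.process` wildcard list but missing from the `process_name` list. Since this hunk already rewrites the whole search string, trim the `process_name` list to actual executables and add `setcap` to it. In the `tags` hunk, `message`, `confidence`, `impact`, `observable` and `risk_score` are removed without an `rba:` block replacing them, unlike the Anomaly/TTP detections later in this patch; that is presumably intended for `type: Hunting`, but the commit message should say so. Also note that `version` jumps from 3 to 5 with `date: '2025-01-27'` while the sibling files in this patch move to 2024-11-13.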
@@ -1,15 +1,36 @@ name: Linux Composer Privilege Escalation id: a3bddf71-6ba3-42ab-a6b2-396929b16d92 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the Composer tool with elevated privileges on a Linux system. It identifies instances where Composer is run with the 'sudo' command, allowing the user to execute system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to unauthorized root access. If confirmed malicious, an attacker could gain full control over the system, execute arbitrary commands, and compromise sensitive data. +description: The following analytic detects the execution of the Composer tool with + elevated privileges on a Linux system. It identifies instances where Composer is + run with the 'sudo' command, allowing the user to execute system commands as root. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs and command-line arguments. This activity is + significant because it can indicate an attempt to escalate privileges, potentially + leading to unauthorized root access. If confirmed malicious, an attacker could gain + full control over the system, execute arbitrary commands, and compromise sensitive + data. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*composer*" AND Processes.process="*run-script*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*composer*" + AND Processes.process="*run-script*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/composer/ 
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml index 41562aee25..655e36cbef 100644 --- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml +++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml 
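Review bot: the new `rba.threat_objects` in linux_composer_privilege_escalation.yml names `parent_process_name` as a threat object, but the search constrains only `Processes.process` (`*composer*`, `*run-script*`, `*sudo*`) and never `Processes.parent_process_name`, so the parent will usually be the interactive shell that launched `sudo` rather than anything worth attributing risk to; `process_name` together with the full `process` command line is the meaningful threat object here. `Processes.user` is in the `by` clause yet absent from `risk_objects`, whereas the curl detection later in this patch carries both `user` and `dest`; consider adding `user` with the same score. Separately, `- update_timestamp: true` is dropped from the test entry; confirm that the `T1548/composer/sysmon_linux.log` dataset still replays inside the search window without it.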
@@ -1,15 +1,35 @@ name: Linux Cpulimit Privilege Escalation id: d4e40b7e-aad3-4a7d-aac8-550ea5222be5 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the use of the 'cpulimit' command with specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because if 'cpulimit' is granted sudo rights, a user can potentially execute system commands as root, leading to privilege escalation. If confirmed malicious, this could allow an attacker to gain root access, execute arbitrary commands, and fully compromise the affected system. +description: The following analytic detects the use of the 'cpulimit' command with + specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments + and execution details. This activity is significant because if 'cpulimit' is granted + sudo rights, a user can potentially execute system commands as root, leading to + privilege escalation. If confirmed malicious, this could allow an attacker to gain + root access, execute arbitrary commands, and fully compromise the affected system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*cpulimit*" AND Processes.process="*-l*" AND Processes.process="*-f*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*cpulimit*" + AND Processes.process="*-l*" AND Processes.process="*-f*" AND Processes.process="*sudo*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_cpulimit_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/cpulimit/ 
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml index 0104e41822..ed76fcb05a 100644 --- a/detections/endpoint/linux_csvtool_privilege_escalation.yml +++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml 
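Review bot: the search in linux_cpulimit_privilege_escalation.yml, reflowed in this hunk, matches the flags as bare substrings (`Processes.process="*-l*"` and `Processes.process="*-f*"`), which also match `--list`, `-la`, `--force` and any path containing `-l` or `-f`, so in practice the added `score: 20` risk event fires on `*cpulimit*` plus `*sudo*` alone. Anchor the flags with surrounding spaces (for example `"* -l *"` and `"* -f *"`) and match `Processes.process_name=cpulimit` instead of the `*cpulimit*` substring while the string is being rewritten. The `parent_process_name` threat object has the same weakness as in the composer detection in this patch: nothing in the search constrains the parent process, so it will typically be the calling shell.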
@@ -1,15 +1,35 @@ name: Linux Csvtool Privilege Escalation id: f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'csvtool' command with 'sudo' privileges, which can allow a user to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain unauthorized root access. If confirmed malicious, this could lead to full system compromise, allowing an attacker to execute arbitrary commands, escalate privileges, and maintain persistent access. +description: The following analytic detects the execution of the 'csvtool' command + with 'sudo' privileges, which can allow a user to run system commands as root. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that include command-line details. This activity is significant + because it indicates a potential privilege escalation attempt, where a user could + gain unauthorized root access. If confirmed malicious, this could lead to full system + compromise, allowing an attacker to execute arbitrary commands, escalate privileges, + and maintain persistent access. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*csvtool*" AND Processes.process="*call*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*csvtool*" + AND Processes.process="*call*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/csvtool/ 
@@ -19,52 +39,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index 8e0e4a459f..eb53b86301 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml 
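Review bot: `known_false_positives` in linux_csvtool_privilege_escalation.yml remains the boilerplate "False positives may be present, filter as needed." even though the search only requires `*csvtool*`, `*call*` and `*sudo*` as substrings of the command line, where `*call*` also matches arguments such as `callback` or `recall` and `*sudo*` matches any path containing that string; either document the expected benign pattern (administrators legitimately running csvtool under sudo) or tighten the search to `Processes.process_name=csvtool`. The new `rba.risk_objects` list only `dest` although `Processes.user` is in the `by` clause; add `user` as a risk object as the curl detection in this same patch does, so the risk index can attribute the sudo invocation to the account that issued it.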
@@ -1,16 +1,40 @@ name: Linux Curl Upload File id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of the curl command with specific switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to upload AWS credentials or configuration files to a remote destination. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to exfiltrate sensitive AWS credentials, a technique known to be used by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access and potential compromise of AWS resources. +description: The following analytic detects the use of the curl command with specific + switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to + upload AWS credentials or configuration files to a remote destination. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it may indicate + an attempt to exfiltrate sensitive AWS credentials, a technique known to be used + by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access + and potential compromise of AWS resources. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data *","*--data-raw *", "*-I *", "*--head *") AND Processes.process IN ("*.aws/credentials*". 
"*.aws/config*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl + Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data + *","*--data-raw *", "*-I *", "*--head *") AND Processes.process IN ("*.aws/credentials*". 
+ "*.aws/config*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_curl_upload_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Filtering may be required. In addition to AWS credentials, + add other important files and monitor. The inverse would be to look for _all_ -F + behavior and tune from there. references: - https://curl.se/docs/manpage.html - https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ 
@@ -21,56 +45,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ by user + $user$ attempting to upload important files to a remote destination. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land - Data Exfiltration - Ingress Tool Transfer asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination. 
mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml index de61188fb8..d995933ae4 100644 --- a/detections/endpoint/linux_data_destruction_command.yml +++ b/detections/endpoint/linux_data_destruction_command.yml 
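Review bot: the `search:` in linux_curl_upload_file.yml, rewritten in this hunk, still separates the two members of the second `IN` list with a period instead of a comma: `Processes.process IN ("*.aws/credentials*". "*.aws/config*")`. The typo is carried over verbatim from the removed line; a `.` is not the `IN` list separator in SPL, so the `.aws/config` branch cannot behave as the description claims, and the string should be corrected to `("*.aws/credentials*", "*.aws/config*")` while it is being reflowed, then re-run against the `T1105/atomic_red_team/curl-linux-sysmon.log` test dataset. Two smaller points in the same hunk: the `by` clause omits `Processes.process_guid` while every other detection in this patch includes it, and the removed `required_fields` listed `Processes.parent_process_path`, `Processes.process_path` and `Processes.original_file_name`, none of which the search references, so dropping them is correct.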
@@ -1,15 +1,35 @@ name: Linux Data Destruction Command id: b11d3979-b2f7-411b-bb1a-bd00e642173b -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage. +description: The following analytic detects the execution of a Unix shell command + designed to wipe root directories on a Linux host. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive + deletion and the '--no-preserve-root' option. This activity is significant as it + indicates potential data destruction attempts, often associated with malware like + Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, + system instability, and compromised integrity of the affected Linux host. Immediate + investigation and response are crucial to mitigate potential damage. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND Processes.process IN ("* -rf*", "* -fr*") AND Processes.process = "* --no-preserve-root" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND + Processes.process IN ("* -rf*", "* -fr*") AND Processes.process = "* --no-preserve-root" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://cert.gov.ua/article/3718487 
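Review bot: The `+search:` keeps the filter `Processes.process = "* --no-preserve-root"` without a trailing wildcard, so the analytic only fires when `--no-preserve-root` is the final token of the command line; since this hunk already re-wraps the search, consider `"* --no-preserve-root*"` so that a path or further arguments after the flag do not cause a miss. Two smaller points in the same hunk: the pipeline applies `security_content_ctime(firstTime)` but never `security_content_ctime(lastTime)` although `lastTime` is computed (the sibling detections in this patch apply both), and `version` jumps from 3 to 5 while the other files bump by one; if skipping 4 is intentional, say so in the PR description.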
@@ -20,47 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a $process_name$ execute rm command with --no-preserve-root parmeter that + can wipe root files on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 90 - impact: 100 - message: a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$ mitre_attack_id: - T1485 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - 
Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml index bbec4a58d0..cf03a71a84 100644 --- a/detections/endpoint/linux_dd_file_overwrite.yml +++ b/detections/endpoint/linux_dd_file_overwrite.yml 
@@ -1,16 +1,36 @@ name: Linux DD File Overwrite id: 9b6aae5e-8d85-11ec-b2ae-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions. +description: The following analytic detects the use of the 'dd' command to overwrite + files on a Linux system. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include command-line details. + This activity is significant because adversaries often use the 'dd' command to destroy + or irreversibly overwrite files, disrupting system availability and services. If + confirmed malicious, this behavior could lead to data destruction, making recovery + difficult and potentially causing significant operational disruptions. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dd" AND Processes.process = "*of=*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dd" + AND Processes.process = "*of=*" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://gtfobins.github.io/gtfobins/dd/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md 
@@ -20,42 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Data Destruction - Industroyer2 asset_type: Endpoint - confidence: 80 - impact: 80 - message: A commandline $process$ executed on $dest$ mitre_attack_id: - T1485 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - 
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index 98ca08285b..a332d7535a 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml 
@@ -1,16 +1,39 @@ name: Linux Decode Base64 to Shell id: 637b603e-1799-40fd-bf87-47ecbd551b66 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. +description: The following analytic detects the behavior of decoding base64-encoded + data and passing it to a Linux shell. Additionally, it mitigates the potential damage + and protects the organization's systems and data.The detection is made by searching + for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", + within the Endpoint.Processes data model. The analytic also includes a filter for + Linux shells. The detection is important because it indicates the presence of malicious + activity since Base64 encoding is commonly used to obfuscate malicious commands + or payloads, and decoding it can be a step in running those commands. It suggests + that an attacker is attempting to run malicious commands on a Linux system to gain + unauthorized access, for data exfiltration, or perform other malicious actions. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | rex field=process "base64\s+(?-{1,2}d\w*)" | where isnotnull(decode_flag) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on legitimate software being utilized. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | rex field=process "base64\s+(?-{1,2}d\w*)" | where isnotnull(decode_flag) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on legitimate software + being utilized. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script - https://redcanary.com/blog/lateral-movement-with-secure-shell/ 
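Review bot: In the re-wrapped `+search:` the `rex` reads `"base64\s+(?-{1,2}d\w*)"`, which as shown contains no named capture group, yet the next stage is `where isnotnull(decode_flag)`; if the `<decode_flag>` group name was lost, every event is dropped by that `where`. The removed `-search:` line shows the same text, so this may be a rendering artifact, but please confirm the file on the branch has `(?<decode_flag>-{1,2}d\w*)` and that `contentctl test` still fires on the T1027 dataset. Also, the `+description:` carries over "systems and data.The detection" with no space after the period, and the sentence claiming the analytic "mitigates the potential damage and protects the organization's systems and data" describes nothing the search does; since the block is being rewritten anyway, fix the spacing and drop or reword that sentence. `version` also jumps from 5 to 7 here.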
@@ -21,59 +44,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell. 
mitre_attack_id: - T1027 - T1059.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml index b4ccc41d19..2108f87769 100644 --- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml 
@@ -1,16 +1,38 @@ name: Linux Deleting Critical Directory Using RM Command id: 33f89303-cc6f-49ad-921d-2eaea38a6f7a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the deletion of critical directories on a Linux machine using the `rm` command with argument rf. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated with destructive campaigns like Industroyer2. If confirmed malicious, this action could lead to system instability, data loss, and potential downtime, making it crucial for immediate investigation and response. +description: The following analytic detects the deletion of critical directories on + a Linux machine using the `rm` command with argument rf. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on command-line executions + targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant + because deleting these directories can severely disrupt system operations and is + often associated with destructive campaigns like Industroyer2. If confirmed malicious, + this action could lead to system instability, data loss, and potential downtime, + making it crucial for immediate investigation and response. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= "* -rf *" AND Processes.process IN ("*/boot/*", "*/var/log/*", "*/etc/*", "*/dev/*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND + Processes.process= "* -rf *" AND Processes.process IN ("*/boot/*", "*/var/log/*", + "*/etc/*", "*/dev/*") by Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
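Review bot: The `+search:` keeps `Processes.process_name =rm` unquoted and matches only `"* -rf *"`, whereas `linux_data_destruction_command.yml` in this same patch uses `Processes.process_name = "rm"` and `IN ("* -rf*", "* -fr*")`; aligning the two (quote the value, accept both flag spellings) keeps the Data Destruction analytics consistent with each other. The re-wrapped `+known_false_positives:` also says "can use this application for automation purposes", which reads oddly for `rm`; "this command", as in the dd detection, would be clearer.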
@@ -20,43 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A deletion in known critical list of folder using rm command $process$ + executed on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction - Industroyer2 asset_type: Endpoint - confidence: 80 - impact: 80 - message: A deletion in known critical list of folder using rm command $process$ executed on $dest$ mitre_attack_id: - T1485 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml index 372beef4cd..6c57aa65d9 100644 --- a/detections/endpoint/linux_deletion_of_cron_jobs.yml +++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml 
@@ -1,16 +1,30 @@ name: Linux Deletion Of Cron Jobs id: 3b132a71-9335-4f33-9932-00bb4f6ac7e8 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of cron jobs on a Linux machine. It leverages filesystem event logs to identify when files within the "/etc/cron.*" directory are deleted. This activity is significant because attackers or malware may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. If confirmed malicious, this action could allow an attacker to disrupt system operations, evade security measures, or facilitate further malicious activities such as data wiping, as seen with the acidrain malware. +description: The following analytic detects the deletion of cron jobs on a Linux machine. + It leverages filesystem event logs to identify when files within the "/etc/cron.*" + directory are deleted. This activity is significant because attackers or malware + may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. + If confirmed malicious, this action could allow an attacker to disrupt system operations, + evade security measures, or facilitate further malicious activities such as data + wiping, as seen with the acidrain malware. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" + by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid + Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: 
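Review bot: `+how_to_implement:` tells the reader to ingest "the process name, parent process, and command-line executions", but the `+search:` queries `Endpoint.Filesystem` (Sysmon for Linux EventID 11 file-delete events) and depends on `Filesystem.action`, `Filesystem.file_path` and `Filesystem.process_guid`; since the text is being re-wrapped here, update it to describe file-system events mapped to the `Filesystem` node of the `Endpoint` data model. Minor: `` `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter` `` is missing the space before the pipe that the other searches in this patch have.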
@@ -19,48 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - AcidRain - Data Destruction - AcidPour asset_type: Endpoint - confidence: 70 - impact: 70 - message: Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - 
Filesystem.process_guid - - Filesystem.file_path - - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml index 964c68d38d..98d166fbbf 100644 --- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml +++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml 
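Review bot: the rba message added in the `@@ -19,48 +33,42 @@` hunk of linux_deletion_of_cron_jobs.yml reads `by process GUID- $process_guid$`; the hyphen glued to GUID looks like a typo carried over from the old `message:` line being removed in the same hunk. Suggest `by process GUID $process_guid$`, and use the same form in the identical messages of the init daemon script and SSL certificate hunks below (the services file in this patch writes `GUID - $process_guid$`, so pick one spelling for all four).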
@@ -1,16 +1,30 @@ name: Linux Deletion Of Init Daemon Script id: 729aab57-d26f-4156-b97f-ab8dda8f44b1 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the deletion of init daemon scripts on a Linux machine. It leverages filesystem event logs to identify when files within the /etc/init.d/ directory are deleted. This activity is significant because init daemon scripts control the start and stop of critical services, and their deletion can indicate an attempt to impair security features or evade defenses. If confirmed malicious, this behavior could allow an attacker to disrupt essential services, execute destructive payloads, or persist undetected in the environment. +description: The following analytic detects the deletion of init daemon scripts on + a Linux machine. It leverages filesystem event logs to identify when files within + the /etc/init.d/ directory are deleted. This activity is significant because init + daemon scripts control the start and stop of critical services, and their deletion + can indicate an attempt to impair security features or evade defenses. If confirmed + malicious, this behavior could allow an attacker to disrupt essential services, + execute destructive payloads, or persist undetected in the environment. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path + IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path + Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: 
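Review bot: known_false_positives in this hunk says "Administrator or network operator can execute this command", but the analytic matches a file deletion event, not a command; reword it to name the benign activity that deletes /etc/init.d scripts (package removal, service decommissioning) and point at the filter macro. The same sentence is copied into the cron jobs, services, SSL certificate and doas.conf files of this patch. Minor style point in the search: `Filesystem.file_path IN ( "/etc/init.d/*")` is a single-element IN with a stray space; `Filesystem.file_path="/etc/init.d/*"` reads the same as the cron jobs search above.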
@@ -19,48 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Init daemon script deleted on host $dest$ by process GUID- $process_guid$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - AcidRain - Data Destruction - AcidPour asset_type: Endpoint - confidence: 70 - impact: 70 - message: Init daemon script deleted on host $dest$ by process GUID- $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - 
Filesystem.process_guid - - Filesystem.file_path - - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml index 675a8a64f5..0105dcf5c9 100644 --- a/detections/endpoint/linux_deletion_of_services.yml +++ b/detections/endpoint/linux_deletion_of_services.yml 
@@ -1,16 +1,32 @@ name: Linux Deletion Of Services id: b509bbd3-0331-4aaa-8e4a-d2affe100af6 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the deletion of services on a Linux machine. It leverages filesystem event logs to identify when service files within system directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This activity is significant because attackers may delete or modify services to disable security features or evade defenses. If confirmed malicious, this behavior could indicate an attempt to impair system functionality or execute a destructive payload, potentially leading to system instability or data loss. Immediate investigation is required to determine the responsible process and user. +description: The following analytic detects the deletion of services on a Linux machine. + It leverages filesystem event logs to identify when service files within system + directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This + activity is significant because attackers may delete or modify services to disable + security features or evade defenses. If confirmed malicious, this behavior could + indicate an attempt to impair system functionality or execute a destructive payload, + potentially leading to system instability or data loss. Immediate investigation + is required to determine the responsible process and user. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path + IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path + = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest + Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ - https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file @@ -21,9 +37,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - AwfulShred 
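Review bot: typo in the rba message added in the `@@ -21,9 +37,23 @@` hunk: `A services file $file_name$ deteted on host $dest$` should read `A service file $file_name$ deleted on host $dest$`. The old `message:` line removed in the next hunk carries the same typo, so this migration is the moment to fix it rather than copy it. In the search of the preceding hunk, `Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*")` anchors the first pattern at the root but prefixes the other two with `*`; if the leading wildcard is meant to catch /usr/lib/systemd as well as /lib/systemd, say so in the description, otherwise make the three patterns consistent.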
@@ -31,39 +61,19 @@ tags: - Data Destruction - AcidPour asset_type: Endpoint - confidence: 80 - impact: 80 - message: A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - - Filesystem.action - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml index 27cfec49ed..3742f9eeed 100644 --- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml +++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml 
@@ -1,16 +1,32 @@ name: Linux Deletion of SSL Certificate id: 839ab790-a60a-4f81-bfb3-02567063f615 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of SSL certificates on a Linux machine. It leverages filesystem event logs to identify when files with extensions .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant because attackers may delete or modify SSL certificates to disable security features or evade defenses on a compromised system. If confirmed malicious, this behavior could indicate an attempt to disrupt secure communications, evade detection, or execute a destructive payload, potentially leading to significant security breaches and data loss. +description: The following analytic detects the deletion of SSL certificates on a + Linux machine. It leverages filesystem event logs to identify when files with extensions + .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant + because attackers may delete or modify SSL certificates to disable security features + or evade defenses on a compromised system. If confirmed malicious, this behavior + could indicate an attempt to disrupt secure communications, evade detection, or + execute a destructive payload, potentially leading to significant security breaches + and data loss. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path + = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h + Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid + Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: 
@@ -19,47 +35,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: SSL certificate deleted on host $dest$ by process GUID- $process_guid$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - AcidRain - AcidPour asset_type: Endpoint - confidence: 70 - impact: 70 - message: SSL certificate deleted on host $dest$ by process GUID- $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - 
Filesystem.file_path - - Filesystem.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml index 6493dfe15e..61d16f3040 100644 --- a/detections/endpoint/linux_disable_services.yml +++ b/detections/endpoint/linux_disable_services.yml 
@@ -1,16 +1,37 @@ name: Linux Disable Services id: f2e08a38-6689-4df4-ad8c-b51c16262316 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects attempts to disable a service on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "systemctl," "service," and "svcadm" with commands containing "disable." This activity is significant as adversaries may disable security or critical services to evade detection and facilitate further malicious actions, such as deploying destructive payloads. If confirmed malicious, this could lead to the termination of essential security services, allowing attackers to persist undetected and potentially cause significant damage to the system. +description: The following analytic detects attempts to disable a service on a Linux + system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on processes like "systemctl," "service," and "svcadm" with commands containing + "disable." This activity is significant as adversaries may disable security or critical + services to evade detection and facilitate further malicious actions, such as deploying + destructive payloads. If confirmed malicious, this could lead to the termination + of essential security services, allowing attackers to persist undetected and potentially + cause significant damage to the system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process = "* disable*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", + "service", "svcadm") Processes.process = "* disable*" by Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
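Review bot: `svcadm` in `Processes.process_name IN ("systemctl", "service", "svcadm")` is the Solaris/illumos SMF administration command, so its presence in an analytic named "Linux Disable Services" deserves a sentence in the description (or it should be dropped if Solaris hosts are out of scope). The `Processes.process = "* disable*"` match requires a space before "disable", which is what keeps `--disable-*` style flags from matching; that is fine, but worth a comment in known_false_positives since configuration-management runs that legitimately call `systemctl disable` will still fire and need the filter macro.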
@@ -20,43 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to disable services on endpoint $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction - Industroyer2 asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$. 
mitre_attack_id: - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml index 69ebf10e4d..5acb1dff95 100644 --- a/detections/endpoint/linux_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_doas_conf_file_creation.yml 
@@ -1,16 +1,30 @@ name: Linux Doas Conf File Creation id: f6343e86-6e09-11ec-9376-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages filesystem data from the Endpoint data model, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise. +description: The following analytic detects the creation of the doas.conf file on + a Linux host. This file is used by the doas utility to allow standard users to perform + tasks as root, similar to sudo. The detection leverages filesystem data from the + Endpoint data model, focusing on the creation of the doas.conf file. This activity + is significant because it can indicate an attempt to gain elevated privileges, potentially + by an adversary. If confirmed malicious, this could allow an attacker to execute + commands with root privileges, leading to full system compromise. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/doas.conf") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/doas.conf") + by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid + Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ 
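Review bot: the search in this hunk has no `Filesystem.action` filter, so any Filesystem event on `*/etc/doas.conf` (modification or deletion as well as creation) will match, while the description and the analytic name talk only about file creation. Either add `Filesystem.action=created` (mirroring the `Filesystem.action=deleted` used by the sibling detections in this patch) or widen the description to say the analytic fires on any file event for doas.conf. Note the by clause already includes `Filesystem.file_create_time`, which suggests creation was the intent.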
@@ -20,41 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml index 9fbd372be8..3c242194f3 100644 --- a/detections/endpoint/linux_doas_tool_execution.yml +++ b/detections/endpoint/linux_doas_tool_execution.yml 
@@ -1,16 +1,36 @@ name: Linux Doas Tool Execution id: d5a62490-6e09-11ec-884e-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system. +description: The following analytic detects the execution of the 'doas' tool on a + Linux host. This tool allows standard users to perform tasks with root privileges, + similar to 'sudo'. The detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as 'doas' can be exploited by adversaries to gain elevated privileges + on a compromised host. If confirmed malicious, this could lead to unauthorized administrative + access, potentially compromising the entire system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "doas" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "doas" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_doas_tool_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ 
@@ -20,43 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A doas $process_name$ with commandline $process$ was executed on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A doas $process_name$ with commandline $process$ was executed on $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml index ab6b0d3dc4..5b3c7f3d26 100644 --- a/detections/endpoint/linux_docker_privilege_escalation.yml +++ b/detections/endpoint/linux_docker_privilege_escalation.yml 
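Review bot: in the new rba block of linux_doas_tool_execution.yml (the hunk ending just above this file header), the message "A doas $process_name$ with commandline $process$ was executed on $dest$" renders as "A doas doas with commandline ..." because the search only matches Processes.process_name = "doas". The text is carried over from tags.message, but since it is being moved anyway, "$process_name$ was executed with commandline $process$ on $dest$" reads correctly. Also, threat_objects is left as [] although process_name and parent_process_name are both in the by clause, whereas the docker and emacs detections in this same change add both fields as threat_objects; if the empty list is intentional for this analytic, a one-line reason in the PR description would save the next reader the comparison.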
@@ -1,16 +1,37 @@ name: Linux Docker Privilege Escalation id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects attempts to escalate privileges on a Linux system using Docker. It identifies processes where Docker commands are used to mount the root directory or execute shell commands within a container. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, command-line arguments, and parent processes. This activity is significant because it can allow an attacker with Docker privileges to modify critical system files, such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead to full system compromise and persistent unauthorized access. +description: The following analytic detects attempts to escalate privileges on a Linux + system using Docker. It identifies processes where Docker commands are used to mount + the root directory or execute shell commands within a container. This detection + leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, + command-line arguments, and parent processes. This activity is significant because + it can allow an attacker with Docker privileges to modify critical system files, + such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead + to full system compromise and persistent unauthorized access. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN("*docker*-v*/*:*","*docker*--volume*/*:*") OR Processes.process IN("*docker*exec*sh*","*docker*exec*bash*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process IN("*docker*-v*/*:*","*docker*--volume*/*:*") + OR Processes.process IN("*docker*exec*sh*","*docker*exec*bash*") by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://gtfobins.github.io/gtfobins/docker/ drilldown_searches: 
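Review bot: version jumps from 4 to 6 in this hunk while the neighbouring detections go 3 to 4; either a version 5 landed elsewhere or this should be 5. Separately, the description says the analytic identifies Docker commands used to "mount the root directory", but the pattern `Processes.process IN("*docker*-v*/*:*","*docker*--volume*/*:*")` matches any volume mount whose host path contains a slash, and `"*docker*exec*sh*"` matches any `docker exec` whose arguments contain the substring "sh". Either soften the wording to "mount a host path into a container or exec a shell inside one" or, if the root mount is the intent, narrow the pattern (for example `"*docker*-v*/:*"`). The known_false_positives line already concedes broad matches on administrative usage, so the description should not claim more precision than the search has.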
@@ -19,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 5 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 10 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index 7d46839e16..9283c0bbfb 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml 
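Review bot: in the tests block of linux_docker_privilege_escalation.yml (the hunk ending just above this file header), `- update_timestamp: true` is removed together with the rba migration, and nothing in the diff explains it. That is a test-data replay setting rather than part of the observable-to-rba refactor, so please either confirm that `contentctl test` still passes against the T1548/docker sysmon_linux.log dataset without it, or leave the line in place and drop it in a separate change. The same removal appears in the emacs detection in this patch, so whatever the answer is, it applies to both files.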
@@ -1,16 +1,36 @@ name: Linux Edit Cron Table Parameter id: 0d370304-5f26-11ec-a4bb-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise. +description: The following analytic detects the suspicious editing of cron jobs in + Linux using the crontab command-line parameter (-e). It identifies this activity + by monitoring command-line executions involving 'crontab' and the edit parameter. + This behavior is significant for a SOC as cron job manipulations can indicate unauthorized + persistence attempts or scheduled malicious actions. If confirmed malicious, this + activity could lead to system compromise, unauthorized access, or broader network + compromise. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab + Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/003/ tags: @@ -20,35 +40,18 @@ tags: - Linux Living Off The Land - Scheduled Tasks asset_type: Endpoint - confidence: 30 - impact: 30 - message: A possible crontab edit command $process$ executed on $dest$ mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml index c44f6370a0..1bdef39406 100644 --- a/detections/endpoint/linux_emacs_privilege_escalation.yml +++ b/detections/endpoint/linux_emacs_privilege_escalation.yml 
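Review bot: in the first hunk of linux_edit_cron_table_parameter.yml, how_to_implement states "you must ingest logs that contain the process GUID", but unlike the doas, docker and emacs searches in this change, the by clause here stops at Processes.parent_process_id and never groups on Processes.process_guid. Either add Processes.process_guid to the by clause or drop the GUID requirement from the text. A small style point in the same search: `Processes.process_name = crontab` is unquoted while the sibling detections quote the value (`Processes.process_name = "doas"`). In the second hunk, confidence, impact, message and risk_score are removed with no rba block added; that is consistent with type: Hunting not producing risk events, but it is the one file in this patch that loses its message without gaining an rba block, so a sentence in the PR description saying so would stop a reviewer from reading it as an omission.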
@@ -1,15 +1,35 @@ name: Linux Emacs Privilege Escalation id: 92033cab-1871-483d-a03b-a7ce98665cfc -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of Emacs with elevated privileges using the `sudo` command and the `--eval` option. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by running Emacs with elevated permissions. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and unauthorized access to sensitive information. +description: The following analytic detects the execution of Emacs with elevated privileges + using the `sudo` command and the `--eval` option. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs that include + command-line arguments. This activity is significant because it indicates a potential + privilege escalation attempt, where a user could gain root access by running Emacs + with elevated permissions. If confirmed malicious, this could allow an attacker + to execute arbitrary commands as root, leading to full system compromise and unauthorized + access to sensitive information. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*emacs*" AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*emacs*" + AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/emacs/ 
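Review bot: the search in this hunk requires the literal string "sudo" in Processes.process alongside "*emacs*" and "*--eval*", so it only fires when the logged command line is the sudo invocation itself ("sudo emacs --eval ..."). If an endpoint records the child emacs process on its own, its command line is "emacs --eval ..." with parent_process_name sudo, and this search misses it. Since Processes.parent_process_name is already in the by clause, consider `(Processes.process="*sudo*" OR Processes.parent_process_name="sudo")` so both shapes of the event are covered. Also, version goes 4 to 6 here, as in the docker detection, while the other files in this change bump by one; please confirm the skipped 5 is intentional.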
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml index 14976063c1..2b4da8e0f3 100644 --- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml +++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml 
@@ -1,16 +1,28 @@ name: Linux File Created In Kernel Driver Directory id: b85bbeec-6326-11ec-9311-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level. +description: The following analytic detects the creation of files in the Linux kernel/driver + directory. It leverages filesystem data to identify new files in this critical directory. + This activity is significant because the kernel/driver directory is typically reserved + for kernel modules, and unauthorized file creation here can indicate a rootkit installation. + If confirmed malicious, this could allow an attacker to gain high-level privileges, + potentially compromising the entire system by executing code at the kernel level. data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/kernel/drivers/*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. 
If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/kernel/drivers/*") + by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `linux_file_created_in_kernel_driver_directory_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the file name, file path, and process_guid executions from your endpoints. + If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. +known_false_positives: Administrator or network operator can create file in this folders + for automation purposes. Please update the filter macros to remove false positives. references: - https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup 
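Review bot: the `known_false_positives` line is being re-wrapped but still reads "can create file in this folders"; fix the grammar while touching it ("can create files in these folders"). The description also calls the location the "kernel/driver directory" while the search matches `*/kernel/drivers/*`; use the same name in both so an analyst reading the description can recognise the path the search actually matches.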
@@ -21,42 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Rootkit asset_type: Endpoint - confidence: 90 - impact: 80 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 72 security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml index d7d99eb191..810914e4f3 100644 --- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml +++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml @@ -1,7 +1,7 @@ name: Linux File Creation In Init Boot Directory id: 97d9cfb2-61ad-11ec-bb2d-acde48001122 -version: '4' -date: '2024-12-17' +version: 6 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -40,35 +40,28 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: + - Linux Privilege Escalation + - Backdoor Pingpong - Linux Persistence Techniques - XorDDos - - Linux Privilege Escalation + - Nexus APT Threat Activity asset_type: Endpoint - confidence: 70 - impact: 70 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1037.004 - T1037 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
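Review bot: in the linux_file_creation_in_init_boot_directory hunks the version goes from '4' straight to 6 and the date is 2025-01-27, while the other files in this change move by one or two versions with the date 2024-11-13, so this file appears to carry a second, unrelated update: two new `analytic_story` entries (Backdoor Pingpong, Nexus APT Threat Activity). Confirm those story definitions exist in the repository, and consider splitting the story additions from the `rba` migration so each can be reviewed on its own.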
diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml index 9c75f75660..c35c743ea6 100644 --- a/detections/endpoint/linux_file_creation_in_profile_directory.yml +++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml 
@@ -1,16 +1,30 @@ name: Linux File Creation In Profile Directory id: 46ba0082-61af-11ec-9826-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of files in the /etc/profile.d directory on Linux systems. It leverages filesystem data to identify new files in this directory, which is often used by adversaries for persistence by executing scripts upon system boot. This activity is significant as it may indicate an attempt to maintain long-term access to the compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges each time the system boots, potentially leading to further compromise and data exfiltration. +description: The following analytic detects the creation of files in the /etc/profile.d + directory on Linux systems. It leverages filesystem data to identify new files in + this directory, which is often used by adversaries for persistence by executing + scripts upon system boot. This activity is significant as it may indicate an attempt + to maintain long-term access to the compromised host. If confirmed malicious, this + could allow attackers to execute arbitrary code with elevated privileges each time + the system boots, potentially leading to further compromise and data exfiltration. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/profile.d/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/profile.d/*") + by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid + Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the file name, file path, and process_guid executions from your endpoints. + If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. +known_false_positives: Administrator or network operator can create file in profile.d + folders for automation purposes. Please update the filter macros to remove false + positives. 
references: - https://attack.mitre.org/techniques/T1546/004/ - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ 
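Review bot: the re-wrapped description states that /etc/profile.d is used "for persistence by executing scripts upon system boot"; scripts in /etc/profile.d are sourced when a user starts a login shell, not at boot. Since the text is being edited anyway, change it to "executing scripts each time a user logs in", which also matches the T1546.004 (Unix Shell Configuration Modification) reference listed below.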
@@ -20,41 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 70 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1546.004 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml index 3f4af49715..ea4a8f3b0d 100644 --- a/detections/endpoint/linux_find_privilege_escalation.yml +++ b/detections/endpoint/linux_find_privilege_escalation.yml 
@@ -1,16 +1,37 @@ name: Linux Find Privilege Escalation id: 2ff4e0c2-8256-4143-9c07-1e39c7231111 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the use of the 'find' command with 'sudo' and '-exec' options, which can indicate an attempt to escalate privileges on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could enable an attacker to gain full control over the system, leading to severe security breaches and unauthorized access to sensitive data. +description: The following analytic detects the use of the 'find' command with 'sudo' + and '-exec' options, which can indicate an attempt to escalate privileges on a Linux + system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that include command-line arguments. This activity is + significant because it can allow a user to execute system commands as root, potentially + leading to a root shell. If confirmed malicious, this could enable an attacker to + gain full control over the system, leading to severe security breaches and unauthorized + access to sensitive data. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*find*" AND Processes.process="*-exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*find*" AND + Processes.process="*-exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://gtfobins.github.io/gtfobins/find/ - https://en.wikipedia.org/wiki/Find_(Unix) 
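Review bot: the re-wrapped search keeps `Processes.process="*find*"` as a bare substring match, so any command line containing "find" (for example an argument or path with that substring) that also contains `sudo` and `-exec` will fire, yet `known_false_positives` only says "Filter as needed". Consider constraining the match to the executable, e.g. adding `Processes.process_name=find` (the field is already in the `by` clause), or documenting the expected noise sources in `known_false_positives`.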
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 5 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 10 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml index 48a4050581..3e0b7e05d0 100644 --- a/detections/endpoint/linux_gdb_privilege_escalation.yml +++ b/detections/endpoint/linux_gdb_privilege_escalation.yml 
@@ -1,15 +1,35 @@ name: Linux GDB Privilege Escalation id: 310b7da2-ab52-437f-b1bf-0bd458674308 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the GNU Debugger (GDB) with specific flags that indicate an attempt to escalate privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could result in full system compromise, allowing an attacker to gain complete control over the affected endpoint. +description: The following analytic detects the execution of the GNU Debugger (GDB) + with specific flags that indicate an attempt to escalate privileges on a Linux system. + It leverages Endpoint Detection and Response (EDR) telemetry to identify processes + where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant + because it can allow a user to execute system commands as root, potentially leading + to a root shell. If confirmed malicious, this could result in full system compromise, + allowing an attacker to gain complete control over the affected endpoint. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gdb*" AND Processes.process="*-nx*" AND Processes.process="*-ex*!*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*gdb*" AND + Processes.process="*-nx*" AND Processes.process="*-ex*!*" AND Processes.process="*sudo*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_gdb_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gdb/ 
@@ -19,52 +39,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml index 89e7b80e14..848b8f393f 100644 --- a/detections/endpoint/linux_gem_privilege_escalation.yml +++ b/detections/endpoint/linux_gem_privilege_escalation.yml 
@@ -1,15 +1,35 @@ name: Linux Gem Privilege Escalation id: 0115482a-5dcb-4bb0-bcca-5d095d224236 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the RubyGems utility with elevated privileges, specifically when it is used to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include "gem open -e" and "sudo". This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as the root user. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute arbitrary commands with elevated privileges. +description: The following analytic detects the execution of the RubyGems utility + with elevated privileges, specifically when it is used to run system commands as + root. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions that include "gem open -e" and "sudo". This + activity is significant because it indicates a potential privilege escalation attempt, + allowing a user to execute commands as the root user. If confirmed malicious, this + could lead to full system compromise, enabling the attacker to gain root access + and execute arbitrary commands with elevated privileges. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gem*open*-e*" AND Processes.process="*-c*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*gem*open*-e*" + AND Processes.process="*-c*" AND Processes.process="*sudo*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gem/ 
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 20 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml index 18efeb3b06..f7fc077d77 100644 --- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml 
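Review bot: the new `rba` block in linux_gem_privilege_escalation.yml scores only `dest`, although the search groups by `Processes.user` and the technique is a sudo-based escalation by one specific account. Consider adding `- field: user` / `type: user` with the same score of 10 (the pattern linux_hardware_addition_swapoff.yml uses in this same patch) and widening the drilldown from `normalized_risk_object IN ("$dest$")` to include "$user$", so the user-centric risk timeline exists for the investigator. The same gap is present in the rba block of linux_gnu_awk_privilege_escalation.yml further down.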
@@ -1,15 +1,34 @@ name: Linux GNU Awk Privilege Escalation id: 0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'gawk' command with elevated privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' and 'BEGIN{system' patterns. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full root access, enabling the attacker to control the system, modify critical files, and maintain persistent access. +description: The following analytic detects the execution of the 'gawk' command with + elevated privileges on a Linux system. It leverages Endpoint Detection and Response + (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' + and 'BEGIN{system' patterns. This activity is significant because it indicates a + potential privilege escalation attempt, allowing a user to execute system commands + as root. If confirmed malicious, this could lead to full root access, enabling the + attacker to control the system, modify critical files, and maintain persistent access. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gawk*" AND Processes.process="*BEGIN*{system*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*gawk*" AND + Processes.process="*BEGIN*{system*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gawk/ 
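Review bot: the rewrapped search in linux_gnu_awk_privilege_escalation.yml still ends with `| \`security_content_ctime(firstTime)\` | \`linux_gnu_awk_privilege_escalation_filter\`` and never converts `lastTime`, so `max(_time) as lastTime` reaches the notable as a raw epoch while `firstTime` is human-readable. Add `| \`security_content_ctime(lastTime)\`` as the gem search in this patch already does; since this hunk rewrites the line anyway, it is the right place to fix it.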
@@ -20,52 +39,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml index 645b98b69f..be49f67540 100644 --- a/detections/endpoint/linux_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_hardware_addition_swapoff.yml 
@@ -1,16 +1,36 @@ name: Linux Hardware Addition SwapOff id: c1eea697-99ed-44c2-9b70-d8935464c499 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the "swapoff" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms. +description: The following analytic detects the execution of the "swapoff" command, + which disables the swapping of paging devices on a Linux system. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs. This activity is significant because disabling swap can be a tactic used by + malware, such as Awfulshred, to evade detection and hinder forensic analysis. If + confirmed malicious, this action could allow an attacker to manipulate system memory + management, potentially leading to data corruption, system instability, or evasion + of memory-based detection mechanisms. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "swapoff" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "swapoff" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrator may disable swapping of devices in a linux host. + Filter is needed. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: 
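Review bot: the swapoff search has the same omission: `max(_time) as lastTime` is computed but only `\`security_content_ctime(firstTime)\`` is applied before the filter macro, so lastTime is emitted as an epoch; add `| \`security_content_ctime(lastTime)\``. Separately, the rewrapped `known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed.` reads as a fragment; while the line is being touched, "An administrator may legitimately disable swap on a Linux host; filter as needed." says the same thing clearly.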
@@ -19,47 +39,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a $process_name$ swap off paging device on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 60 - impact: 60 - message: a $process_name$ swap off paging device in $dest$ mitre_attack_id: - T1200 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml index 077434def8..49948ef473 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml 
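Review bot: the new `rba.message: a $process_name$ swap off paging device on $dest$` is ungrammatical and is shown verbatim to the analyst. Because `user` is already a risk object in this block, the token resolves, so something like "Process $process_name$ run by $user$ disabled a swap paging device on $dest$" gives the same fields in readable form. Since this line is newly added (the old `message:` under tags is removed in the same hunk), there is no compatibility reason to keep the old wording.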
@@ -1,16 +1,32 @@ name: Linux High Frequency Of File Deletion In Boot Folder id: e27fbc5d-0445-4c4a-bc39-87f060d5c602 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise. +description: The following analytic detects a high frequency of file deletions in + the /boot/ folder on Linux systems. It leverages filesystem event logs to identify + when 200 or more files are deleted within an hour by the same process. This behavior + is significant as it may indicate the presence of wiper malware, such as Industroyer2, + which targets critical system directories. If confirmed malicious, this activity + could lead to system instability or failure, hindering the boot process and potentially + causing a complete system compromise. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. +search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as + deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) + as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest + Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | + where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. 
+known_false_positives: linux package installer/uninstaller may cause this event. Please + update you filter macro to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
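Review bot: `how_to_implement` for linux_high_frequency_of_file_deletion_in_boot_folder.yml tells the reader to ingest "the process name, parent process, and command-line executions", but the search reads `FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*"` on `Sysmon for Linux EventID 11`. Nothing in that search needs command lines; it needs file deletion events with `file_path`, `action` and `process_guid` mapped to the Filesystem node, and a deployment that only forwards process telemetry will silently return nothing. The rewrapped text is the place to say that. Also "update you filter macro" should read "update your filter macro".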
@@ -20,44 +36,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Data Destruction - Industroyer2 - AcidPour asset_type: Endpoint - confidence: 80 - impact: 100 - message: Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - - Filesystem.action - 
risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml index e3b8105ac3..c783597e9c 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml 
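Review bot: the new `message: Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$` is awkward and hides the one number the search computes, `numOfDelFilePath` (the `dc(Filesystem.file_path)` that must reach 200 within the 1h span). Suggest "High volume of file deletions ($numOfDelFilePath$ paths in 1h) under /boot/ on $dest$ by process GUID $process_guid$" so the notable states why it fired without a drilldown.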
@@ -1,16 +1,32 @@ name: Linux High Frequency Of File Deletion In Etc Folder id: 9d867448-2aff-4d07-876c-89409a752ff8 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a high frequency of file deletions in the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model to identify instances where 200 or more files are deleted within an hour, grouped by process name and process ID. This behavior is significant as it may indicate the presence of wiper malware, such as AcidRain, which aims to delete critical system files. If confirmed malicious, this activity could lead to severe system instability, data loss, and potential disruption of services. +description: The following analytic detects a high frequency of file deletions in + the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model + to identify instances where 200 or more files are deleted within an hour, grouped + by process name and process ID. This behavior is significant as it may indicate + the presence of wiper malware, such as AcidRain, which aims to delete critical system + files. If confirmed malicious, this activity could lead to severe system instability, + data loss, and potential disruption of services. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. +search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as + deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) + as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h Filesystem.dest + Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | + where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. 
+known_false_positives: linux package installer/uninstaller may cause this event. Please + update you filter macro to remove false positives. references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: 
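Review bot: the rewrapped description of linux_high_frequency_of_file_deletion_in_etc_folder.yml says deletions are counted "grouped by process name and process ID", but the search groups `by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action`; neither process name nor process ID appears in the search output, so the description should say "grouped by process GUID" (or the search should be changed, not the text). The `how_to_implement` block has the same problem as its /boot/ sibling: it asks for process and command-line telemetry while the search depends on `Endpoint.Filesystem` deletion events from `Sysmon for Linux EventID 11`. And "update you filter macro" should read "update your filter macro".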
@@ -19,43 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - AcidRain - Data Destruction asset_type: Endpoint - confidence: 70 - impact: 70 - message: Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - - Filesystem.action - risk_score: 49 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml index a4cdc259aa..095729c786 100644 --- a/detections/endpoint/linux_impair_defenses_process_kill.yml +++ b/detections/endpoint/linux_impair_defenses_process_kill.yml 
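Review bot: the typo "delted" from the old `message:` line is carried into the newly added `rba.message: Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$`; since this line is being written fresh, correct it to "deleted" now, ideally with the computed count as well, e.g. "$numOfDelFilePath$ files deleted under /etc/ in 1h on $dest$ by process GUID $process_guid$".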
@@ -1,16 +1,37 @@ name: Linux Impair Defenses Process Kill id: 435c6b33-adf9-47fe-be87-8e29fd6654f5 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the 'pkill' command, which is used to terminate processes on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because threat actors often use 'pkill' to disable security defenses or terminate critical processes, facilitating further malicious actions. If confirmed malicious, this behavior could lead to the disruption of security applications, enabling attackers to evade detection and potentially corrupt or destroy files on the targeted system. +description: The following analytic identifies the execution of the 'pkill' command, + which is used to terminate processes on a Linux system. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant because threat actors often use 'pkill' + to disable security defenses or terminate critical processes, facilitating further + malicious actions. If confirmed malicious, this behavior could lead to the disruption + of security applications, enabling attackers to evade detection and potentially + corrupt or destroy files on the targeted system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( "pgrep", "pkill") Processes.process = "*pkill *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network admin can terminate a process using this linux command. Filter is needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( + "pgrep", "pkill") Processes.process = "*pkill *" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network admin can terminate a process using this linux command. + Filter is needed. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - https://cert.gov.ua/article/3718487 
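Review bot: in the linux_impair_defenses_process_kill.yml search, `Processes.process_name IN ( "pgrep", "pkill")` is combined with `Processes.process = "*pkill *"`, so a `pgrep` process can only match when its own argument string contains "pkill ", which is not what the description ("identifies the execution of the 'pkill' command") says it looks for. Either drop `pgrep` from the IN list or add a comment in the description explaining why it is there. The same hunk also leaves `lastTime` unconverted: `| \`security_content_ctime(firstTime)\` | \`linux_impair_defenses_process_kill_filter\`` needs a `\`security_content_ctime(lastTime)\`` step like the gem search. Finally, "network admin can terminate a process using this linux command." would read better as "Administrators routinely terminate processes with pkill; filter is needed."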
@@ -19,40 +40,18 @@ tags: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 30 - impact: 30 - message: a $process_name$ tries to execute pkill commandline to terminate process in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml index 3d4e6fe939..c775e76997 100644 --- a/detections/endpoint/linux_indicator_removal_clear_cache.yml +++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml 
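Review bot: The `@@ -19,40 +40,18 @@` hunk of linux_impair_defenses_process_kill.yml removes `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score: 9` from `tags`, but unlike every other detection in this change no `rba:` block (message, `risk_objects`, `threat_objects`) is added anywhere in the visible hunks. If the file is not a Hunting type, the detection will no longer produce a risk message or risk objects; suggest adding an `rba:` block carrying the old message and `score: 9` for `dest` and `user`, matching the pattern used in the clear-cache and service-file-deletion files.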
@@ -1,15 +1,35 @@ name: Linux Indicator Removal Clear Cache id: e0940505-0b73-4719-84e6-cb94c44a5245 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects processes that clear or free page cache on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line executions involving the kernel system request `drop_caches`. This activity is significant as it may indicate an attempt to delete forensic evidence or the presence of wiper malware like Awfulshred. If confirmed malicious, this behavior could allow an attacker to cover their tracks, making it difficult to investigate other malicious activities or system compromises. +description: The following analytic detects processes that clear or free page cache + on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing + on specific command-line executions involving the kernel system request `drop_caches`. + This activity is significant as it may indicate an attempt to delete forensic evidence + or the presence of wiper malware like Awfulshred. If confirmed malicious, this behavior + could allow an attacker to cover their tracks, making it difficult to investigate + other malicious activities or system compromises. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") AND Processes.process IN("* echo 3 > *", "* echo 2 > *","* echo 1 > *") AND Processes.process = "*/proc/sys/vm/drop_caches" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", + "sudo", "bash") AND Processes.process IN("* echo 3 > *", "* echo 2 > *","* + echo 1 > *") AND Processes.process = "*/proc/sys/vm/drop_caches" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ 
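Review bot: `known_false_positives: unknown` is left unchanged in the linux_indicator_removal_clear_cache.yml hunk while the search matches any `dash`, `sudo` or `bash` command line writing `1`, `2` or `3` to `/proc/sys/vm/drop_caches`; the neighbouring files in this change all state the benign case and point at the filter macro, so suggest doing the same here and naming `linux_indicator_removal_clear_cache_filter` as the tuning point. As in the process-kill search, `lastTime` is computed but never passed through `security_content_ctime`.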
@@ -20,47 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a $process_name$ clear cache using kernel drop cache system request in + $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 70 - impact: 70 - message: a $process_name$ clear cache using kernel drop cache system request in $dest$ mitre_attack_id: - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - 
Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml index e7bfe7bcba..917a6f8fb6 100644 --- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml +++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml 
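Review bot: The new `rba.message` in linux_indicator_removal_clear_cache.yml reads "a $process_name$ clear cache using kernel drop cache system request in $dest$"; the service-file-deletion file in this same change corrected "in $dest$" to "on $dest$", so suggest aligning this one too and fixing the verb: "$process_name$ cleared the page cache via the drop_caches kernel request on $dest$". The `score: 49` for both risk objects matches the removed `confidence: 70` / `impact: 70`, so the risk value is preserved.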
@@ -1,16 +1,37 @@ name: Linux Indicator Removal Service File Deletion id: 6c077f81-2a83-4537-afbc-0e62e3215d55 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of Linux service unit configuration files by suspicious processes. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes executing the 'rm' command targeting '.service' files. This activity is significant as it may indicate malware attempting to disable critical services or security products, a common defense evasion tactic. If confirmed malicious, this behavior could lead to service disruption, security tool incapacitation, or complete system compromise, severely impacting the integrity and availability of the affected Linux host. +description: The following analytic detects the deletion of Linux service unit configuration + files by suspicious processes. It leverages Endpoint Detection and Response (EDR) + telemetry, focusing on processes executing the 'rm' command targeting '.service' + files. This activity is significant as it may indicate malware attempting to disable + critical services or security products, a common defense evasion tactic. If confirmed + malicious, this behavior could lead to service disruption, security tool incapacitation, + or complete system compromise, severely impacting the integrity and availability + of the affected Linux host. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND Processes.process = "*rm *" AND Processes.process = "*.service" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network admin can delete services unit configuration file as part of normal software installation. Filter is needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND + Processes.process = "*rm *" AND Processes.process = "*.service" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network admin can delete services unit configuration file as + part of normal software installation. Filter is needed. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - https://cert.gov.ua/article/3718487 
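Review bot: The reflowed `known_false_positives` in linux_indicator_removal_service_file_deletion.yml keeps the original wording "network admin can delete services unit configuration file as part of normal software installation. Filter is needed."; since the line is being touched anyway, suggest "Administrators and package managers can delete service unit files during normal software installation or removal; tune with `linux_indicator_removal_service_file_deletion_filter`." The search also leaves `lastTime` unformatted, same as the process-kill and clear-cache searches.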
@@ -20,48 +41,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a $process_name$ has a commandline $process$ to delete service configuration + file on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 60 - impact: 60 - message: a $process_name$ has a commandline $process$ to delete service configuration file in $dest$ mitre_attack_id: - T1070.004 - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - 
- Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml index 2eb30df1c2..488c3e3cfd 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml @@ -1,7 +1,7 @@ name: Linux Ingress Tool Transfer Hunting id: 52fd468b-cb6d-48f5-b16a-92f1c9bb10cf -version: '5' -date: '2024-12-17' +version: 6 +date: '2024-12-19' author: Michael Haag, Splunk status: production type: Hunting 
@@ -43,48 +43,17 @@ tags: - Linux Living Off The Land - XorDDos asset_type: Endpoint - confidence: 10 - impact: 10 - message: An instance of $process_name$ was identified on endpoint $dest$ by user - $user$ utilizing curl or wget. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml index a69318910e..e21c8f57e5 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml @@ -1,7 +1,7 @@ name: Linux Ingress Tool Transfer with Curl id: 8c1de57d-abc1-4b41-a727-a7a8fc5e0857 -version: '5' -date: '2024-12-17' +version: 6 +date: '2024-12-19' author: Michael Haag, Splunk status: production type: Anomaly 
@@ -50,54 +50,36 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ by user + $user$ to download a remote file. Review activity for further details. + risk_objects: + - field: user + type: user + score: 12 + - field: dest + type: system + score: 12 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Ingress Tool Transfer - Linux Living Off The Land - XorDDos asset_type: Endpoint - confidence: 30 - impact: 40 - message: An instance of $process_name$ was identified on endpoint $dest$ by user - $user$ to download a remote file. Review activity for further details. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true 
diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml index ac0fe30632..cb4fd7b694 100644 --- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml @@ -1,6 +1,6 @@ name: Linux Insert Kernel Module Using Insmod Utility id: 18b5a1a0-6326-11ec-943a-acde48001122 -version: '4' +version: 5 date: '2024-12-17' author: Teoderick Contreras, Splunk status: production @@ -50,6 +50,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may install kernel module on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Persistence Techniques @@ -57,35 +64,18 @@ tags: - Linux Rootkit - Linux Privilege Escalation asset_type: Endpoint - confidence: 80 - impact: 80 - message: A commandline $process$ that may install kernel module on $dest$ mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux 
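Review bot: In the first hunk of linux_insert_kernel_module_using_insmod_utility.yml the version is bumped (`-version: '4'` / `+version: 5`) but `date: '2024-12-17'` stays as unchanged context, whereas every other version bump in this change also moves the date; suggest updating the date so the two stay in step. Note also that `version` changes from a quoted string to a bare integer here and in the two ingress-tool-transfer files, so make sure the contentctl release being pinned in the workflows accepts the integer form.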
diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml index 5beb8ec250..7668cca286 100644 --- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml 
@@ -1,16 +1,37 @@ name: Linux Install Kernel Module Using Modprobe Utility id: 387b278a-6326-11ec-aa2c-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security. +description: The following analytic detects the installation of a Linux kernel module + using the modprobe utility. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant because installing a kernel module can indicate an attempt to deploy + a rootkit or other malicious kernel-level code, potentially leading to elevated + privileges and bypassing security detections. If confirmed malicious, this could + allow an attacker to gain persistent, high-level access to the system, compromising + its integrity and security. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", + "sudo") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup 
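Review bot: The reflowed search in linux_install_kernel_module_using_modprobe_utility.yml keeps `Processes.process = *modprobe*` unquoted, while every other wildcard pattern in this change is quoted (for example `Processes.process = "*pkill *"`); suggest `Processes.process = "*modprobe*"` so the style is uniform and the value is unambiguous to the tstats parser.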
@@ -21,44 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may install kernel module on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Rootkit asset_type: Endpoint - confidence: 80 - impact: 80 - message: A commandline $process$ that may install kernel module on $dest$ mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml index a4834c41fc..3107d907e2 100644 --- a/detections/endpoint/linux_iptables_firewall_modification.yml +++ b/detections/endpoint/linux_iptables_firewall_modification.yml 
@@ -1,18 +1,45 @@ name: Linux Iptables Firewall Modification id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7 -version: 5 -date: '2024-09-30' +version: 7 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -datamodel: -- Endpoint -description: The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk. +description: The following analytic detects suspicious command-line activity that + modifies the iptables firewall settings on a Linux machine. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command patterns + that alter firewall rules to accept traffic on certain TCP ports. This activity + is significant as it can indicate malware, such as CyclopsBlink, modifying firewall + settings to allow communication with a Command and Control (C2) server. If confirmed + malicious, this could enable attackers to maintain persistent access and exfiltrate + data, posing a severe security risk. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*iptables *" AND Processes.process = "* --dport *" AND Processes.process = "* ACCEPT*" AND Processes.process = "*&>/dev/null*" AND Processes.process = "* tcp *" AND NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process "--dport (?3269|636|989|994|995|8443)" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*iptables + *" AND Processes.process = "* --dport *" AND Processes.process = "* ACCEPT*" AND + Processes.process = "*&>/dev/null*" AND Processes.process = "* tcp *" AND + NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")) + by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name + Processes.parent_process_path Processes.process_path | rex field=Processes.process + "--dport (?3269|636|989|994|995|8443)" | stats values(Processes.process) as + processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) + as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name + Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path + Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrator may do this commandline for auditing and testing + purposes. In this scenario filter is needed. references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html 
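Review bot: the `rex` in the reflowed search reads `"--dport (?3269|636|989|994|995|8443)"`, which has no named capture group, yet the following `stats` uses `values(port) as ports` and `dc(port) as port_count` and the final `where port_count >=3` depends on it. If the `<port>` group name was lost in the rewrite (it is absent from both the `-` and `+` text here), `port_count` is never populated and the search returns nothing; it should read `(?<port>3269|636|989|994|995|8443)`. While touching the search, the description should also state what the search actually requires: an `&>/dev/null` redirect in the command line and three or more distinct ports from that fixed list within the `span=10s` window, rather than the vaguer "alter firewall rules to accept traffic on certain TCP ports". Also, `version` goes from 5 to 7 while this hunk only reflows text and removes `datamodel`; a single increment is enough unless an intermediate release shipped version 6.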
@@ -22,39 +49,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process name - $process_name$ that may modify iptables firewall on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Sandworm Tools + - Backdoor Pingpong + - Nexus APT Threat Activity - Cyclops Blink asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process name - $process_name$ that may modify iptables firewall on $dest$ mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml index f07fe010ea..a13f0d306e 100644 --- a/detections/endpoint/linux_java_spawning_shell.yml +++ b/detections/endpoint/linux_java_spawning_shell.yml 
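Review bot: `threat_objects: []` in the new `rba` block is inconsistent with the message it carries (`A process name - $process_name$ that may modify iptables firewall on $dest$`) and with every other detection migrated in this patch, which list `process_name` as a threat object. The search groups by `Processes.process_name` and `Processes.parent_process_name`, so both fields are available; add `- field: process_name` / `type: process_name`. Separately, the two analytic stories added here (`Backdoor Pingpong`, `Nexus APT Threat Activity`) are not reflected anywhere else in the file; the description and both references still only cover Cyclops Blink, so either add a reference for those stories or note in the description why this analytic applies to them.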
@@ -1,16 +1,37 @@ name: Linux Java Spawning Shell id: 7b09db8a-5c20-11ec-9945-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects instances where Java, Apache, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment. +description: The following analytic detects instances where Java, Apache, or Tomcat + processes spawn a Linux shell, which may indicate exploitation attempts, such as + those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process names and parent-child process + relationships. This activity is significant as it can signify a compromised Java + application, potentially leading to unauthorized shell access. If confirmed malicious, + attackers could execute arbitrary commands, escalate privileges, or maintain persistent + access, posing a severe threat to the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java + OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat + `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Filtering may be required on internal developer build systems + or classify assets as web facing and restrict the analytic based on asset type. references: - https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ - https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72 
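Review bot: the `where` clause `Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells`` has an operator-precedence problem that the reflow preserves: the implicit AND between the `tomcat` term and the `linux_shells` macro binds tighter than OR, so the macro only constrains the `tomcat` branch and any child of `java` or `apache`, shell or not, matches. Wrap the three parent terms in parentheses: `(Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat) `linux_shells``. Also confirm that `apache` is the parent name actually observed in the test data; the Apache HTTP Server binary is normally named `httpd` or `apache2`, so an exact match on `apache` may never fire on real hosts.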
@@ -20,9 +41,26 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation. + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Data Destruction 
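Review bot: the `rba.message` copied in here says "spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell", which repeats "spawning" and reads as if the endpoint spawned the shell. Since the text is being moved anyway, reword it, for example: `An instance of $parent_process_name$ spawning the Linux shell $process_name$ was identified on endpoint $dest$, potentially indicative of exploitation.` The `score: 40` matches the `risk_score: 40` removed from `tags` in the next hunk, so the risk value is preserved.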
@@ -30,49 +68,20 @@ tags: - Hermetic Wiper - Log4Shell CVE-2021-44228 asset_type: Endpoint - confidence: 50 cve: - CVE-2021-44228 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml index 7594d5e8a8..157f255449 100644 --- a/detections/endpoint/linux_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_kernel_module_enumeration.yml @@ -1,7 +1,7 @@ name: Linux Kernel Module Enumeration id: 6df99886-0e04-4c11-8b88-325747419278 -version: '5' -date: '2024-12-17' +version: 7 +date: '2024-11-17' author: Michael Haag, Splunk status: production type: Anomaly 
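Review bot: in the `linux_kernel_module_enumeration.yml` header hunk the `date` moves backwards, from `'2024-12-17'` to `'2024-11-17'`, while `version` goes up from `'5'` to `7`. A newer version should carry a later (or equal) date; this looks like a typo introduced while normalising the quoted version string, so confirm the intended date before merging. The change from `'5'` to a bare `7` is otherwise consistent with the unquoted integer `version` used by the other detections in this patch.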
@@ -47,58 +47,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ enumeration kernel modules. + risk_objects: + - field: user + type: user + score: 15 + - field: dest + type: system + score: 15 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - XorDDos - Linux Rootkit asset_type: Endpoint - confidence: 50 - impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ enumeration kernel modules. mitre_attack_id: - T1082 - T1014 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true 
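Review bot: the `rba.message` moved in here keeps the grammatical error from the old `message` field: "by user $user$ enumeration kernel modules" should be "by user $user$ enumerating kernel modules"; fix it while relocating the text rather than carrying it forward. Second point, at the end of the hunk: `- update_timestamp: true` is dropped from the test definition with no replacement, so the `linux-sysmon.log` dataset will be replayed with its original timestamps; make sure the test harness's search window still covers those events, otherwise the True Positive Test will silently return zero results.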
diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml index f113377782..0672ad7b93 100644 --- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml +++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml 
@@ -1,17 +1,37 @@ name: Linux Kworker Process In Writable Process Path id: 1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -datamodel: -- Endpoint -description: The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process paths. This activity is significant as kworker processes are typically kernel threads, and their presence in writable directories is unusual and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, this could allow attackers to blend malicious processes with legitimate ones, leading to persistent access and further system compromise. +description: The following analytic detects the execution of a kworker process with + a command line in writable directories such as /home/, /var/log, and /tmp on a Linux + machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process and parent process paths. This activity is significant as kworker processes + are typically kernel threads, and their presence in writable directories is unusual + and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, + this could allow attackers to blend malicious processes with legitimate ones, leading + to persistent access and further system compromise. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = "*[kworker/*" Processes.parent_process_path IN ("/home/*", "/tmp/*", "/var/log/*") Processes.process="*iptables*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = + "*[kworker/*" Processes.parent_process_path IN ("/home/*", "/tmp/*", "/var/log/*") + Processes.process="*iptables*" by Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.parent_process_path Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_kworker_process_in_writable_process_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf 
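Review bot: the description and the search disagree on scope. The description says the analytic "detects the execution of a kworker process with a command line in writable directories", but the search also requires `Processes.process="*iptables*"`, so it only catches iptables invocations whose fake `[kworker/` parent lives under `/home/`, `/tmp/` or `/var/log/`. Either document that constraint in the description (it is the Cyclops Blink behaviour the references describe) or drop it so the detection covers any child of a kworker-named process in a writable path. `known_false_positives: unknown` could also be made more useful: real kworker threads are kernel threads with no path on disk, so a `parent_process_path` under those directories is not expected from legitimate software.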
@@ -21,37 +41,18 @@ tags: - Sandworm Tools - Cyclops Blink asset_type: Endpoint - confidence: 60 - impact: 60 - message: a $process_name$ with kworker commandline in $dest$ mitre_attack_id: - T1036.004 - T1036 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_path - - Processes.process_path - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml index 94b18226a5..9d81cbaa3d 100644 --- a/detections/endpoint/linux_make_privilege_escalation.yml +++ b/detections/endpoint/linux_make_privilege_escalation.yml 
@@ -1,15 +1,34 @@ name: Linux Make Privilege Escalation id: 80b22836-5091-4944-80ee-f733ac443f4f -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the use of the 'make' command with elevated privileges to execute system commands as root, potentially leading to a root shell. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include 'make', '--eval', and 'sudo'. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment. +description: The following analytic detects the use of the 'make' command with elevated + privileges to execute system commands as root, potentially leading to a root shell. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + command-line executions that include 'make', '--eval', and 'sudo'. This activity + is significant because it indicates a possible privilege escalation attempt, allowing + a user to gain root access. If confirmed malicious, an attacker could achieve full + control over the system, execute arbitrary commands, and compromise the entire environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*make*-s*" AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*make*-s*" + AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/make/ 
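Review bot: the description says the search focuses on "command-line executions that include 'make', '--eval', and 'sudo'", but the actual predicate is `Processes.process="*make*-s*" AND Processes.process="*--eval*" AND Processes.process="*sudo*"`, so the `-s` flag is also required and `make` is only matched as a substring. Update the description to mention `-s`, and consider tightening `*make*-s*`, which also matches any command line containing `make` followed somewhere later by `-s` (e.g. `cmake` invocations) as long as `--eval` and `sudo` appear. The GTFOBins reference this file cites uses the `make -s --eval=` form, so anchoring on `make -s` or `--eval=` would be both more precise and still cover the documented technique.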
@@ -20,52 +39,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml index 0cc85e74cb..77ade04a7d 100644 --- a/detections/endpoint/linux_mysql_privilege_escalation.yml +++ b/detections/endpoint/linux_mysql_privilege_escalation.yml 
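Review bot: the new `rba.message`, `An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$`, says nothing about what was detected; an analyst reading the risk event cannot tell it came from the make privilege-escalation analytic. Include the technique in the text, for example `$process_name$ executed via sudo with --eval on endpoint $dest$ (possible make privilege escalation)`. The `score: 20` matches the removed `risk_score: 20`, and `update_timestamp: true` is dropped from the test here as well, so the same timestamp-window check as for the kernel module enumeration test applies.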
@@ -1,16 +1,37 @@ name: Linux MySQL Privilege Escalation id: c0d810f4-230c-44ea-b703-989da02ff145 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of MySQL commands with elevated privileges using sudo, which can lead to privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of MySQL to execute system commands as root, which could allow an attacker to gain root shell access. If confirmed malicious, this could result in full control over the affected system, leading to severe security breaches and unauthorized access to sensitive data. +description: The following analytic detects the execution of MySQL commands with elevated + privileges using sudo, which can lead to privilege escalation. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include command-line details. This activity is significant because it + indicates a potential misuse of MySQL to execute system commands as root, which + could allow an attacker to gain root shell access. If confirmed malicious, this + could result in full control over the affected system, leading to severe security + breaches and unauthorized access to sensitive data. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*mysql*-e*" AND Processes.process="*\!**" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*mysql*-e*" + AND Processes.process="*\!**" AND Processes.process="*sudo*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://gtfobins.github.io/gtfobins/mysql/ drilldown_searches: 
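Review bot: the description ("MySQL commands with elevated privileges using sudo") does not say what the search actually keys on, namely `mysql -e` with a `\!` shell-escape in the statement and `sudo` on the command line (`Processes.process="*mysql*-e*" AND Processes.process="*\!**" AND Processes.process="*sudo*"`). State that in the description so analysts know the detection is specific to the `\! <command>` escape documented in the GTFOBins reference. Also, the trailing `**` in `"*\!**"` is a redundant double wildcard; `"*\!*"` expresses the same match and is easier to read.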
@@ -19,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml index 430384539f..ace58aa7ad 100644 --- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml 
@@ -1,16 +1,37 @@ name: Linux Ngrok Reverse Proxy Usage id: bc84d574-708c-467d-b78a-4c1e20171f97 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of Ngrok on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments associated with Ngrok. This activity is significant because Ngrok can be used by adversaries to establish reverse proxies, potentially bypassing network defenses. If confirmed malicious, this could allow attackers to create persistent, unauthorized access channels, facilitating data exfiltration or further exploitation of the compromised system. +description: The following analytic detects the use of Ngrok on a Linux operating + system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments associated with Ngrok. This activity + is significant because Ngrok can be used by adversaries to establish reverse proxies, + potentially bypassing network defenses. If confirmed malicious, this could allow + attackers to create persistent, unauthorized access channels, facilitating data + exfiltration or further exploitation of the compromised system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if Ngrok is an authorized utility. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok + Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", + "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_ngrok_reverse_proxy_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if Ngrok is an authorized utility. + Filter as needed. references: - https://ngrok.com - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf 
@@ -20,60 +41,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ + on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 50 + - field: dest + type: system + score: 50 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Reverse Network Proxy asset_type: Endpoint - confidence: 100 - impact: 50 - message: A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1572 - T1090 - T1102 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml index 96a6304aff..09569d3dd1 100644 --- a/detections/endpoint/linux_node_privilege_escalation.yml +++ b/detections/endpoint/linux_node_privilege_escalation.yml 
@@ -1,16 +1,38 @@ name: Linux Node Privilege Escalation id: 2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of Node.js with elevated privileges using sudo, specifically when spawning child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific Node.js commands. This activity is significant because running Node.js as a superuser without dropping privileges can allow unauthorized access to the file system and potential privilege escalation. If confirmed malicious, this could enable an attacker to maintain privileged access, execute arbitrary code, and compromise sensitive data within the environment. +description: The following analytic identifies the execution of Node.js with elevated + privileges using sudo, specifically when spawning child processes. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions that include specific Node.js commands. This activity is significant + because running Node.js as a superuser without dropping privileges can allow unauthorized + access to the file system and potential privilege escalation. If confirmed malicious, + this could enable an attacker to maintain privileged access, execute arbitrary code, + and compromise sensitive data within the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*node*" AND Processes.process="*-e*" AND Processes.process="*child_process.spawn*" AND Processes.process="*stdio*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*node*" + AND Processes.process="*-e*" AND Processes.process="*child_process.spawn*" AND Processes.process="*stdio*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_node_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://gtfobins.github.io/gtfobins/docker/ - https://en.wikipedia.org/wiki/Node.js 
@@ -20,52 +42,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml index 95d100074f..15ca07070f 100644 --- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml 
@@ -1,16 +1,37 @@ name: Linux NOPASSWD Entry In Sudoers File id: ab1e0d52-624a-11ec-8e0b-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify command lines containing "NOPASSWD:". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity. +description: The following analytic detects the addition of NOPASSWD entries to the + /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response + (EDR) telemetry to identify command lines containing "NOPASSWD:". This activity + is significant because it allows users to execute commands with elevated privileges + without requiring a password, which can be exploited by adversaries to maintain + persistent, privileged access. If confirmed malicious, this could lead to unauthorized + privilege escalation, persistent access, and potential compromise of sensitive data + and system integrity. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*NOPASSWD:*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*NOPASSWD:*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_nopasswd_entry_in_sudoers_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands - https://help.ubuntu.com/community/Sudoers 
@@ -20,39 +41,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a commandline $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation + - Earth Estries + - Nexus APT Threat Activity - Linux Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 80 - message: a commandline $process$ executed on $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - 
risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml index 3909f1243b..eeb2fe21ba 100644 --- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml +++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml 
@@ -1,16 +1,37 @@ name: Linux Obfuscated Files or Information Base64 Decode id: 303b38b2-c03f-44e2-8f41-4594606fcfc7 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include "base64 -d" or "base64 --decode". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise. +description: The following analytic detects the use of the base64 decode command on + Linux systems, which is often used to deobfuscate files. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on command-line executions + that include "base64 -d" or "base64 --decode". This activity is significant as it + may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, + an attacker could use this technique to execute hidden code, potentially leading + to unauthorized access, data exfiltration, or further system compromise. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path="*/base64" Processes.process="*-d*" by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_integrity_level Processes.parent_process_name Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and will require some tuning based on processes. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_path="*/base64" + Processes.process="*-d*" by Processes.process Processes.dest Processes.process_current_directory + Processes.process_name Processes.process_integrity_level Processes.parent_process_name + Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id + Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and will require some tuning + based on processes. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script - https://redcanary.com/blog/lateral-movement-with-secure-shell/ 
@@ -21,58 +42,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ decoding base64. + risk_objects: + - field: user + type: user + score: 15 + - field: dest + type: system + score: 15 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64. 
mitre_attack_id: - T1027 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml index d92df168f8..748265ca07 100644 --- a/detections/endpoint/linux_octave_privilege_escalation.yml +++ b/detections/endpoint/linux_octave_privilege_escalation.yml 
@@ -1,15 +1,36 @@ name: Linux Octave Privilege Escalation id: 78f7487d-42ce-4f7f-8685-2159b25fb477 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of GNU Octave with elevated privileges, specifically when it runs system commands via sudo. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments that include "octave-cli," "--eval," "system," and "sudo." This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands, severely impacting system security and integrity. +description: The following analytic detects the execution of GNU Octave with elevated + privileges, specifically when it runs system commands via sudo. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process command-line + arguments that include "octave-cli," "--eval," "system," and "sudo." This activity + is significant because it indicates a potential privilege escalation attempt, allowing + a user to execute commands as root. If confirmed malicious, this could lead to full + system compromise, enabling an attacker to gain root access and execute arbitrary + commands, severely impacting system security and integrity. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*octave-cli*" AND Processes.process="*--eval*" AND Processes.process="*system*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*octave-cli*" + AND Processes.process="*--eval*" AND Processes.process="*system*" AND Processes.process="*sudo*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_octave_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/octave/ 
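Review bot: `version: 4` jumps to `version: 6` in this hunk, skipping 5 in a single change; the same skip appears in the openvpn, php and pkexec files below. If no version 5 of these detections was published elsewhere, bump to 5 so the version history stays contiguous. Otherwise the hunk only rewraps the `description`, `search` and `how_to_implement` strings; the search logic is unchanged.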
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml index 20546d4dab..dac490faf9 100644 --- a/detections/endpoint/linux_openvpn_privilege_escalation.yml +++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml 
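Review bot: The new `rba` block in this octave hunk attributes risk only to `dest` (`- field: dest`, `type: system`, `score: 20`) although the search groups by `Processes.user` and the `sudo` invocation is what makes the event interesting; the T1027 base64-decode detection in this same patch assigns risk to both `user` and `dest`. Consider adding a `user` risk object with the same score and including `$user$` in `rba.message` so the account that invoked sudo accumulates risk as well. The same dest-only shape recurs in the openvpn and php hunks below.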
@@ -1,15 +1,36 @@ name: Linux OpenVPN Privilege Escalation id: d25feebe-fa1c-4754-8a1e-afb03bedc0f2 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of OpenVPN with elevated privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, and `sudo` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands with elevated privileges. +description: The following analytic detects the execution of OpenVPN with elevated + privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, + and `sudo` options. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process command-line arguments and execution details. + This activity is significant because it indicates a potential privilege escalation + attempt, allowing a user to execute system commands as root. If confirmed malicious, + this could lead to full system compromise, enabling an attacker to gain root access + and execute arbitrary commands with elevated privileges. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*openvpn*" AND Processes.process="*--dev*" AND Processes.process="*--script-security*" AND Processes.process="*--up*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*openvpn*" + AND Processes.process="*--dev*" AND Processes.process="*--script-security*" AND + Processes.process="*--up*" AND Processes.process="*sudo*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/openvpn/ 
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index 50eae30781..5062079c03 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml +++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml 
@@ -1,15 +1,40 @@ name: Linux Persistence and Privilege Escalation Risk Behavior id: ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Correlation -description: The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. This activity is significant for a SOC because it highlights behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk. +description: The following analytic identifies potential Linux persistence and privilege + escalation activities. It leverages risk scores and event counts from various Linux-related + data sources, focusing on tactics associated with persistence and privilege escalation. + This activity is significant for a SOC because it highlights behaviors that could + allow an attacker to maintain access or gain elevated privileges on a Linux system. + If confirmed malicious, this activity could enable an attacker to execute code with + higher privileges, persist in the environment, and potentially access sensitive + information, posing a severe security risk. 
data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`' -how_to_implement: Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment. -known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories + IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") + All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") + All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type + All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`' +how_to_implement: Ensure Linux anomaly and TTP analytics are enabled. TTP may be set + to finding for point detections, anomaly should not be findings but risk generators. + The correlation relies on more than x amount of distict detection names generated + before generating a finding. Modify the value as needed. Default value is set to + 4. This value may need to be increased based on activity in your environment. +known_false_positives: False positives will be present based on many factors. Tune + the correlation as needed to reduce too many triggers. references: - https://attack.mitre.org/tactics/TA0004/ drilldown_searches: 
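Review bot: The rewritten `how_to_implement` in this hunk still says the correlation "relies on more than x amount of distict detection names" while the search gates on `where source_count >= 4`, i.e. at least four distinct `source` values, not more than four; "distict" is also a typo, and "TTP may be set to finding for point detections, anomaly should not be findings" does not parse. Suggest: "TTP detections may be configured to generate findings; anomaly detections should only contribute risk. The correlation generates a finding once at least 4 distinct detection sources (`source_count >= 4`) have produced risk for the same system; adjust the threshold as needed for your environment."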
@@ -18,7 +43,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -26,33 +56,17 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 70 - message: Privilege escalation and persistence behaviors have been identified on $risk_object$. mitre_attack_id: - T1548 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source - risk_score: 56 security_domain: audit tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log source: linuxrisk sourcetype: stash - update_timestamp: true diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml index ad00906f2f..4ca46b1699 100644 --- a/detections/endpoint/linux_php_privilege_escalation.yml +++ b/detections/endpoint/linux_php_privilege_escalation.yml 
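Review bot: This hunk removes `message`, `risk_score: 56` and `observable` from the Correlation but, unlike the Anomaly detections in this patch, adds no `rba` block, so the finding this correlation produces no longer carries the "Privilege escalation and persistence behaviors have been identified on $risk_object$." text. If the Correlation type is meant to have no `rba` section in the new schema, a short note in the PR description saying where the finding message now comes from would help; otherwise the message should be carried over.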
@@ -1,15 +1,35 @@ name: Linux PHP Privilege Escalation id: 4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of PHP commands with elevated privileges on a Linux system. It identifies instances where PHP is used in conjunction with 'sudo' and 'system' commands, indicating an attempt to run system commands as the root user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to full root access. If confirmed malicious, this could allow an attacker to execute arbitrary commands with root privileges, compromising the entire system. +description: The following analytic detects the execution of PHP commands with elevated + privileges on a Linux system. It identifies instances where PHP is used in conjunction + with 'sudo' and 'system' commands, indicating an attempt to run system commands + as the root user. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process command-line arguments. This activity is significant + because it can indicate an attempt to escalate privileges, potentially leading to + full root access. If confirmed malicious, this could allow an attacker to execute + arbitrary commands with root privileges, compromising the entire system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*php*-r*" AND Processes.process="*system*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*php*-r*" + AND Processes.process="*system*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/php/ 
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml index c28dc03619..81844e155e 100644 --- a/detections/endpoint/linux_pkexec_privilege_escalation.yml +++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml 
@@ -1,15 +1,34 @@ name: Linux pkexec Privilege Escalation id: 03e22c1c-8086-11ec-ac2e-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of `pkexec` without any command-line arguments. This behavior leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry. The significance lies in the fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this activity could allow an attacker to gain full root privileges on the affected Linux system, leading to complete system compromise and potential unauthorized access to sensitive information. +description: The following analytic detects the execution of `pkexec` without any + command-line arguments. This behavior leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process telemetry. The significance lies in the + fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), + a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this + activity could allow an attacker to gain full root privileges on the affected Linux + system, leading to complete system compromise and potential unauthorized access + to sensitive information. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(^.{1}$)" | `linux_pkexec_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id + Processes.parent_process_name Processes.process_name Processes.process Processes.process_path + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | regex process="(^.{1}$)" | `linux_pkexec_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/ 
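Review bot: the rewrapped `search` still runs `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` on fields this tstats never produces. The aggregation is only `count FROM datamodel=Endpoint.Processes ... by _time Processes.dest ...`, with no `min(_time) as firstTime max(_time) as lastTime`, so both macro calls are dead; the sshd_config and sudoers searches later in this patch do compute them. Either add `count min(_time) as firstTime max(_time) as lastTime` to the tstats or drop the two macros. While this line is being touched, `regex process="(^.{1}$)"` deserves a sentence in how_to_implement: it fires when the `process` field is a single character, whereas the description only says "without any command-line arguments", so a reader cannot tell what telemetry shape the match relies on.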
@@ -22,60 +41,48 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit + pkexec. 
+ risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 70 cve: - CVE-2021-4034 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec. mitre_attack_id: - T1068 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml index 9eb0ae41d0..a7f1ec3741 100644 --- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml 
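Review bot: in the new `rba.threat_objects` for linux_pkexec_privilege_escalation.yml, `process_name` is pinned to `pkexec` by the search's `where Processes.process_name=pkexec`, so it attaches the same constant threat object to every risk event; `parent_process_name` is the field that carries signal. Suggest keeping only `parent_process_name`, or stating that the constant is intentional. The score of 56 on both `user` and `dest` matches the removed `confidence: 70` / `impact: 80` pair, so the risk math is preserved.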
+++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml 
@@ -1,16 +1,37 @@ name: Linux Possible Access Or Modification Of sshd Config File id: 7a85eb24-72da-11ec-ac76-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving processes like "cat," "nano," "vim," and "vi" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk. +description: The following analytic detects suspicious access or modification of the + sshd_config file on Linux systems. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving processes like + "cat," "nano," "vim," and "vi" accessing the sshd_config file. This activity is + significant because unauthorized changes to sshd_config can allow threat actors + to redirect port connections or use unauthorized keys, potentially compromising + the system. If confirmed malicious, this could lead to unauthorized access, privilege + escalation, or persistent backdoor access, posing a severe security risk. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/ssh/sshd_config") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", + "nano*","vim*", "vi*") AND Processes.process IN("*/etc/ssh/sshd_config") by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ 
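Review bot: `Processes.process IN("*/etc/ssh/sshd_config")` has no trailing wildcard, so only command lines that end exactly in `/etc/ssh/sshd_config` match; `cat /etc/ssh/sshd_config | grep Port` or `vim /etc/ssh/sshd_config.d/local.conf` are missed, while the sudoers search in this same patch uses `"*/etc/sudoers*"`. Suggest `"*/etc/ssh/sshd_config*"` for consistency with that search and with the description's "access or modification" scope. Also, `"vi*"` already subsumes `"vim*"` in the process_name list. The hunk only rewraps the search, so both points are pre-existing, but this is the right place to fix them.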
@@ -20,44 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a commandline $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: a commandline $process$ executed on $dest$ mitre_attack_id: - T1098.004 - T1098 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml index 16eeb8e4f4..e5f2c33dce 100644 --- a/detections/endpoint/linux_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_possible_access_to_credential_files.yml @@ -1,7 +1,7 @@ name: Linux Possible Access To Credential Files id: 16107e0e-71fc-11ec-b862-acde48001122 -version: '4' -date: '2024-12-17' +version: 6 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly 
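Review bot: the new `rba.message` in linux_possible_access_or_modification_of_sshd_config_file.yml, `a commandline $process$ executed on $dest$`, gives the analyst no hint of what was detected; the at.allow and profile analytics in this patch say which file was touched ("that may modify at allow config file on $dest$") and the pkexec one names the technique. Suggest something like `A commandline $process$ accessing sshd_config executed on $dest$`, capitalised like the other messages here. `threat_objects: []` is consistent with only `dest` being scored, and 25 matches the removed `confidence: 50` / `impact: 50`.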
@@ -48,37 +48,28 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: + - Linux Privilege Escalation - Linux Persistence Techniques - XorDDos - - Linux Privilege Escalation + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 50 - impact: 50 - message: A commandline $process$ executed on $dest$ mitre_attack_id: - T1003.008 - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml index 4136db1b8b..2be5685254 100644 --- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml 
@@ -1,16 +1,36 @@ name: Linux Possible Access To Sudoers File id: 4479539c-71fc-11ec-b2e2-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host. +description: The following analytic detects potential access or modification of the + /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on processes like "cat," "nano," "vim," and "vi" + accessing the /etc/sudoers file. This activity is significant because the sudoers + file controls user permissions for executing commands with elevated privileges. + If confirmed malicious, an attacker could gain persistence or escalate privileges, + compromising the security of the targeted host. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/sudoers*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", + "nano*","vim*", "vi*") AND Processes.process IN("*/etc/sudoers*") by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1548/003/ - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf 
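Review bot: `known_false_positives` in linux_possible_access_to_sudoers_file.yml still begins lowercase ("administrator or network operator can execute this command."), while the sshd_config and at.allow files in the same patch capitalise the field; fix it while the line is being rewrapped. It would also help the description to say that `"*/etc/sudoers*"` matches paths under `/etc/sudoers.d/` as well as the main file, since that broadens both the coverage and the false-positive surface compared with the sshd_config search.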
@@ -20,39 +40,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation + - Earth Estries + - Nexus APT Threat Activity - Linux Persistence Techniques asset_type: Endpoint - confidence: 50 - impact: 50 - message: A commandline $process$ executed on $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - 
risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index a1a9856643..928b9536fa 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml 
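Review bot: in linux_possible_access_to_sudoers_file.yml the new `analytic_story` entries `Earth Estries` and `Nexus APT Threat Activity` are inserted between `Linux Privilege Escalation` and `Linux Persistence Techniques`, whereas the linux_possible_access_to_credential_files.yml hunk above appends them after the existing stories and also reorders the list. Pick one convention, ideally appending without reordering, so the story diffs stay reviewable across files. The score of 25 on `dest` matches the removed `confidence: 50` / `impact: 50`.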
@@ -1,16 +1,37 @@ name: Linux Possible Append Command To At Allow Config File id: 7bc20606-5f40-11ec-a586-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious command lines that append user entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving these files. This activity is significant because altering these configuration files can allow attackers to schedule tasks with elevated permissions, facilitating persistence on a compromised Linux host. If confirmed malicious, this could enable attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information. +description: The following analytic detects suspicious command lines that append user + entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions involving + these files. This activity is significant because altering these configuration files + can allow attackers to schedule tasks with elevated permissions, facilitating persistence + on a compromised Linux host. If confirmed malicious, this could enable attackers + to execute arbitrary code at scheduled intervals, potentially leading to further + system compromise and unauthorized access to sensitive information. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/at.allow", "*/etc/at.deny") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes + where Processes.process = "*echo*" AND Processes.process IN("*/etc/at.allow", "*/etc/at.deny") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_possible_append_command_to_at_allow_config_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://linuxize.com/post/at-command-in-linux/ - https://attack.mitre.org/techniques/T1053/001/ 
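Review bot: the at.allow search has the same gap as the pkexec search above: the tstats computes only `count`, yet the pipeline runs `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, so both macros operate on fields that do not exist. Add `min(_time) as firstTime max(_time) as lastTime` (as the sshd_config, sudoers and profile searches do) or remove the two calls. Separately, `Processes.process_guid` appears in the `by` clause here and in the profile search but not in the sshd_config or sudoers ones; if it is wanted for drilldown correlation it should be present across the whole set.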
@@ -20,44 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may modify at allow config file on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Scheduled Tasks asset_type: Endpoint - confidence: 30 - impact: 30 - message: A commandline $process$ that may modify at allow config file in $dest$ mitre_attack_id: - T1053.002 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml index 02cfba25df..bf67c01e6a 100644 --- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml 
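Review bot: the new `rba.message` in linux_possible_append_command_to_at_allow_config_file.yml, `A commandline $process$ that may modify at allow config file on $dest$`, names only at.allow, while the search also matches `"*/etc/at.deny"`; an analyst reading the risk event for an at.deny edit gets a misleading message. Suggest `... that may modify /etc/at.allow or /etc/at.deny on $dest$`. The `in $dest$` to `on $dest$` wording fix is good, and the score of 9 matches the removed `confidence: 30` / `impact: 30`.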
@@ -1,16 +1,38 @@ name: Linux Possible Append Command To Profile Config File id: 9c94732a-61af-11ec-91e3-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious command-lines that modify user profile files to automatically execute scripts or executables upon system reboot. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving profile files like ~/.bashrc and /etc/profile. This activity is significant as it indicates potential persistence mechanisms used by adversaries to maintain access to compromised hosts. If confirmed malicious, this could allow attackers to execute arbitrary code upon reboot, leading to persistent control over the system and potential further exploitation. +description: The following analytic detects suspicious command-lines that modify user + profile files to automatically execute scripts or executables upon system reboot. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + command-line executions involving profile files like ~/.bashrc and /etc/profile. + This activity is significant as it indicates potential persistence mechanisms used + by adversaries to maintain access to compromised hosts. If confirmed malicious, + this could allow attackers to execute arbitrary code upon reboot, leading to persistent + control over the system and potential further exploitation. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*~/.bashrc", "*~/.bash_profile", "*/etc/profile", "~/.bash_login", "*~/.profile", "~/.bash_logout") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*echo*" + AND Processes.process IN("*~/.bashrc", "*~/.bash_profile", "*/etc/profile", "~/.bash_login", + "*~/.profile", "~/.bash_logout") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work - https://attack.mitre.org/techniques/T1546/004/ 
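Review bot: two entries in the rewrapped `Processes.process IN(...)` list, `"~/.bash_login"` and `"~/.bash_logout"`, lack the leading `*` the other four have, so they match only when the entire command line is exactly that string; combined with the `Processes.process = "*echo*"` condition in the same where clause they can never match. Change them to `"*~/.bash_login"` and `"*~/.bash_logout"`. The hunk is a pure rewrap, so this is pre-existing, but it is a logic bug rather than style. It would also help to state in how_to_implement that a `>> ~/.bashrc` redirection is handled by the shell and is not part of `echo`'s own argv, so this search only fires when the whole command string is visible in a single process's command line (for example when passed to `sh -c`).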
@@ -20,43 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a commandline $process$ that may modify profile files on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: a commandline $process$ that may modify profile files in $dest$ mitre_attack_id: - T1546.004 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - 
risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 6be01cc353..5dc3a73b3b 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -1,7 +1,7 @@ name: Linux Possible Append Cronjob Entry on Existing Cronjob File id: b5b91200-5f27-11ec-bb4e-acde48001122 -version: '4' -date: '2024-12-17' +version: 5 +date: '2024-12-19' author: Teoderick Contreras, Splunk status: production type: Hunting 
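Review bot: The new `rba.message` reads `a commandline $process$ that may modify profile files on $dest$` with a lowercase initial, while the other `rba.message` values added in this diff (`A commandline $process$ that may hijack library function on $dest$`, `A file $file_name$ is created in $file_path$ on $dest$`) start with a capital; the string is rendered verbatim as the risk message in ES, so capitalise it. The `score: 49` matches the removed `confidence: 70`/`impact: 70` product, and `$process$` is in the `by` clause, so the substitution resolves. In the following cronjob header hunk, `version` changes from the quoted `'4'` to the bare integer `5`; that is what the other files in this diff already use, so it is consistent.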
@@ -45,35 +45,18 @@ tags: - Scheduled Tasks - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A commandline $process$ that may modify cronjob file in $dest$ mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index fc8aa7241e..859463e22c 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -1,7 +1,7 @@ name: Linux Possible Cronjob Modification With Editor id: dcc89bde-5f24-11ec-87ca-acde48001122 -version: '4' -date: '2024-12-17' +version: 5 +date: '2024-12-19' author: Teoderick Contreras, Splunk status: production type: Hunting 
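Review bot: This `type: Hunting` file drops `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` without adding an `rba` block, unlike the Anomaly/TTP files in this diff. That is consistent with Hunting searches not producing risk events, but the `message` text (`A commandline $process$ that may modify cronjob file in $dest$`) is now lost entirely; if the new schema still accepts a message for Hunting content, consider keeping it, and either way confirm `contentctl validate` passes on this file with the fields removed.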
@@ -42,35 +42,18 @@ tags: - Scheduled Tasks - Linux Persistence Techniques asset_type: Endpoint - confidence: 30 - impact: 20 - message: A commandline $process$ that may modify cronjob file using editor in $dest$ mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml index 699db7117d..a67d49a356 100644 --- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml +++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml 
@@ -1,16 +1,29 @@ name: Linux Possible Ssh Key File Creation id: c04ef40c-72da-11ec-8eac-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration. +description: The following analytic detects the creation of SSH key files in the ~/.ssh/ + directory. It leverages filesystem data to identify new files in this specific path. + This activity is significant because threat actors often create SSH keys to gain + persistent access and escalate privileges on a compromised host. If confirmed malicious, + this could allow attackers to remotely access the machine using the OpenSSH daemon + service, leading to potential unauthorized control and data exfiltration. data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. 
-known_false_positives: Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") + by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `linux_possible_ssh_key_file_creation_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the file name, file path, and process_guid executions from your endpoints. + If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. +known_false_positives: Administrator or network operator can create file in ~/.ssh + folders for automation purposes. Please update the filter macros to remove false + positives. references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ 
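Review bot: `Filesystem.file_path IN ("*/.ssh*")` fires on any file created under any `.ssh` directory (`known_hosts`, `config`, agent sockets, or any path whose name merely contains `/.ssh`), yet the `description` says it detects the creation of SSH key files. Either narrow the pattern to what the `T1098.004/ssh_authorized_keys` test data exercises (for example `*/.ssh/authorized_keys`, `*/.ssh/id_*`) or reword the description; otherwise the `known_false_positives` note about automation will be doing a lot of work. Also, `date` moves to `'2024-11-13'` here while the cronjob files in this same diff are dated `'2024-12-19'`; if the `rba` migration is what this version ships, the date should reflect it.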
@@ -20,42 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land asset_type: Endpoint - confidence: 60 - impact: 60 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1098.004 - T1098 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 36 security_domain: endpoint tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml index f1a87bdcf5..9ad2401c00 100644 --- a/detections/endpoint/linux_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_preload_hijack_library_calls.yml 
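Review bot: The new `rba` block has `threat_objects: []`, but `file_name` and `file_path` are both in the `by` clause and `file_name` is the natural threat object for a file-creation analytic (it is what an analyst pivots on across hosts); consider `- field: file_name` / `type: file_name`, as this diff does with `process_name` for `linux_proxy_socks_curl.yml`. The removed `required_fields` entry `Filesystem.file_create_time` was never referenced by the search, so dropping it changes nothing.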
@@ -1,16 +1,37 @@ name: Linux Preload Hijack Library Calls id: cbe2ca30-631e-11ec-8670-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system. +description: The following analytic detects the use of the LD_PRELOAD environment + variable to hijack or hook library functions on a Linux platform. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include command-line details. This activity is significant because adversaries, + malware authors, and red teamers commonly use this technique to gain elevated privileges + and establish persistence on a compromised machine. If confirmed malicious, this + behavior could allow attackers to execute arbitrary code, escalate privileges, and + maintain long-term access to the system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*LD_PRELOAD*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*LD_PRELOAD*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_preload_hijack_library_calls_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 drilldown_searches: 
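Review bot: `Processes.process = "*LD_PRELOAD*"` matches any command line containing the string, including `env | grep LD_PRELOAD`, `unset LD_PRELOAD`, or a script path with that name, not only the variable being set as the `description` says. Since `how_to_implement` already requires full command lines, `"*LD_PRELOAD=*"` would keep the hijack case (`LD_PRELOAD=/path/to/lib.so cmd`) and drop the read-only uses; the `known_false_positives` text (`Administrator or network operator can execute this command`) could then name which command. `version` also jumps from 3 to 5 with `date: '2025-01-27'`, the newest date in this diff; fine if 4 shipped separately, otherwise bump to 4.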
@@ -19,39 +40,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may hijack library function on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation + - Earth Estries + - Nexus APT Threat Activity - Linux Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 80 - message: A commandline $process$ that may hijack library function on $dest$ mitre_attack_id: - T1574.006 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml index d6bf1cd352..2501295d79 100644 --- a/detections/endpoint/linux_proxy_socks_curl.yml +++ b/detections/endpoint/linux_proxy_socks_curl.yml 
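Review bot: Two analytic stories, `Earth Estries` and `Nexus APT Threat Activity`, are inserted in the middle of the `analytic_story` list; `contentctl validate` resolves each name against a story file, so confirm both stories exist in this branch or the build fails. The `score: 64` matches the removed `confidence: 80`/`impact: 80`, and the `rba.message` is the old `message` verbatim, so the risk output is unchanged.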
@@ -1,16 +1,38 @@ name: Linux Proxy Socks Curl id: bd596c22-ad1e-44fc-b242-817253ce8b08 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of the `curl` command with proxy-related arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an adversary attempting to use a proxy to evade network monitoring and obscure their actions. If confirmed malicious, this behavior could allow attackers to bypass security controls, making it difficult to track their activities and potentially leading to unauthorized data access or exfiltration. +description: The following analytic detects the use of the `curl` command with proxy-related + arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it may indicate + an adversary attempting to use a proxy to evade network monitoring and obscure their + actions. If confirmed malicious, this behavior could allow attackers to bypass security + controls, making it difficult to track their activities and potentially leading + to unauthorized data access or exfiltration. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-x *", "*socks4a://*", "*socks5h://*", "*socks4://*","*socks5://*", "*--preproxy *", "--proxy*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on proxy usage internally. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl + Processes.process IN ("*-x *", "*socks4a://*", "*socks5h://*", "*socks4://*","*socks5://*", + "*--preproxy *", "--proxy*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_proxy_socks_curl_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on proxy usage internally. + Filter as needed. references: - https://www.offensive-security.com/metasploit-unleashed/proxytunnels/ - https://curl.se/docs/manpage.html 
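Review bot: The last IN() entry, `"--proxy*"`, has no leading wildcard. With `Processes.process_name=curl` the command line always begins with `curl`, so this pattern can never match, and `--proxy` usage is only caught when it also hits `"*-x *"` or one of the `socks` URL patterns; change it to `"*--proxy*"`. The `description` lists `--proxy` as a detected argument, so as written the description over-claims.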
@@ -24,56 +46,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ by user + $user$ utilizing a proxy. Review activity for further details. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land - Ingress Tool Transfer asset_type: Endpoint - confidence: 80 - impact: 70 - message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details. 
mitre_attack_id: - T1090 - T1095 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml index 6990a1c32b..ee0c832bfc 100644 --- a/detections/endpoint/linux_puppet_privilege_escalation.yml +++ b/detections/endpoint/linux_puppet_privilege_escalation.yml 
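Review bot: `- update_timestamp: true` is removed from the test block. That flag controls whether the replayed `curl-linux-sysmon.log` events are re-stamped to replay time; without it the search has to find events at their original timestamps, so confirm the unit test still passes over its window after this change (the same removal appears in `linux_puppet_privilege_escalation.yml`). On the `rba` block, `process_name` as the sole threat object is always `curl` here because the search pins `Processes.process_name=curl`, so it will not discriminate between events; acceptable, but the proxy target inside `$process$` is what an analyst will actually want to pivot on.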
@@ -1,15 +1,36 @@ name: Linux Puppet Privilege Escalation id: 1d19037f-466e-4d56-8d87-36fafd9aa3ce -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of Puppet commands with elevated privileges, specifically when Puppet is used to apply configurations with sudo rights. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access and execute system commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control. +description: The following analytic detects the execution of Puppet commands with + elevated privileges, specifically when Puppet is used to apply configurations with + sudo rights. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include command-line details. + This activity is significant because it indicates a potential privilege escalation + attempt, where a user could gain root access and execute system commands as the + root user. If confirmed malicious, this could allow an attacker to fully compromise + the system, execute arbitrary commands, and maintain persistent control. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*puppet*" AND Processes.process="*apply*" AND Processes.process="*-e*" AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*puppet*" + AND Processes.process="*apply*" AND Processes.process="*-e*" AND Processes.process="*exec*" + AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/puppet/ 
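Review bot: The search requires `*sudo*` in the command line, so a user who is already root running `puppet apply -e 'exec {...}'` is not matched even though the `description` frames this as Puppet run with elevated privileges in general; either accept `Processes.user=root` as an alternative or tighten the description to the sudo case documented at the gtfobins reference. `*-e*` is a bare substring match and will also hit `--execute`, which is presumably intended. As with the curl file, `date: '2024-11-13'` is older than the other dates in this diff.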
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 5 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 10 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml index 0a6abe1396..1535df3087 100644 --- a/detections/endpoint/linux_rpm_privilege_escalation.yml +++ b/detections/endpoint/linux_rpm_privilege_escalation.yml 
@@ -1,16 +1,37 @@ name: Linux RPM Privilege Escalation id: f8e58a23-cecd-495f-9c65-6c76b4cb9774 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the RPM Package Manager with elevated privileges, specifically when it is used to run system commands as root via the `--eval` and `lua:os.execute` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, this could lead to full system compromise, unauthorized access to sensitive data, and further exploitation of the environment. +description: The following analytic detects the execution of the RPM Package Manager + with elevated privileges, specifically when it is used to run system commands as + root via the `--eval` and `lua:os.execute` options. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + and process metadata. This activity is significant because it indicates a potential + privilege escalation attempt, allowing a user to gain root access. If confirmed + malicious, this could lead to full system compromise, unauthorized access to sensitive + data, and further exploitation of the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*rpm*--eval*" AND Processes.process="*lua:os.execute*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*rpm*--eval*" + AND Processes.process="*lua:os.execute*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://gtfobins.github.io/gtfobins/rpm/ - https://en.wikipedia.org/wiki/RPM_Package_Manager 
@@ -20,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml index 4532ef9607..340e46c341 100644 --- a/detections/endpoint/linux_ruby_privilege_escalation.yml +++ b/detections/endpoint/linux_ruby_privilege_escalation.yml 
@@ -1,16 +1,36 @@ name: Linux Ruby Privilege Escalation id: 097b28b5-7004-4d40-a715-7e390501788b -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of Ruby commands with elevated privileges on a Linux system. It identifies processes where Ruby is used with the `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response (EDR) telemetry. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access, execute arbitrary commands, and maintain persistent control over the affected system. +description: The following analytic detects the execution of Ruby commands with elevated + privileges on a Linux system. It identifies processes where Ruby is used with the + `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response + (EDR) telemetry. This activity is significant because it indicates a potential privilege + escalation attempt, allowing a user to execute commands as root. If confirmed malicious, + this could lead to full system compromise, enabling an attacker to gain root access, + execute arbitrary commands, and maintain persistent control over the affected system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*ruby*-e*" AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*ruby*-e*" + AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. references: - https://gtfobins.github.io/gtfobins/ruby/ drilldown_searches: 
@@ -19,52 +39,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index 46e38fcbbc..5d09d54a8e 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml 
@@ -1,16 +1,35 @@ name: Linux Service File Created In Systemd Directory id: c7495048-61b6-11ec-9a37-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of suspicious service files within the systemd directories on Linux platforms. It leverages logs containing file name, file path, and process GUID data from endpoints. This activity is significant for a SOC as it may indicate an adversary attempting to establish persistence on a compromised host. If confirmed malicious, this could lead to system compromise or data exfiltration, allowing attackers to maintain control over the system and execute further malicious activities. +description: The following analytic detects the creation of suspicious service files + within the systemd directories on Linux platforms. It leverages logs containing + file name, file path, and process GUID data from endpoints. This activity is significant + for a SOC as it may indicate an adversary attempting to establish persistence on + a compromised host. If confirmed malicious, this could lead to system compromise + or data exfiltration, allowing attackers to maintain control over the system and + execute further malicious activities. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN ("*/etc/systemd/system*", "*/lib/systemd/system*", "*/usr/lib/systemd/system*", "*/run/systemd/system*", "*~/.config/systemd/*", "*~/.local/share/systemd/*","*/etc/systemd/user*", "*/lib/systemd/user*", "*/usr/lib/systemd/user*", "*/run/systemd/user*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service + Filesystem.file_path IN ("*/etc/systemd/system*", "*/lib/systemd/system*", "*/usr/lib/systemd/system*", + "*/run/systemd/system*", "*~/.config/systemd/*", "*~/.local/share/systemd/*","*/etc/systemd/user*", + "*/lib/systemd/user*", "*/usr/lib/systemd/user*", "*/run/systemd/user*") by Filesystem.dest + Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `linux_service_file_created_in_systemd_directory_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the file name, file path, and process_guid executions from your endpoints. + If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. +known_false_positives: False positives may arise when administrators or network operators + create files in systemd directories for legitimate automation tasks. Therefore, + it's important to adjust filter macros to account for valid activities. To implement + this search successfully, it's crucial to ingest appropriate logs, preferably using + the Linux Sysmon Add-on from Splunkbase for those using Sysmon. references: - https://attack.mitre.org/techniques/T1053/006/ - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ 
@@ -22,9 +41,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service file named as $file_path$ is created in systemd folder on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation 
@@ -33,33 +64,18 @@ tags: - Scheduled Tasks - Gomir asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service file named as $file_path$ is created in systemd folder on $dest$ mitre_attack_id: - T1053.006 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index 90236f3737..b51395a490 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml 
@@ -1,16 +1,38 @@ name: Linux Service Restarted id: 084275ba-61b8-11ec-8d64-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise. +description: The following analytic detects the restarting or re-enabling of services + on Linux systems using the `systemctl` or `service` commands. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process and command-line + execution logs. This activity is significant as adversaries may use it to maintain + persistence or execute unauthorized actions. If confirmed malicious, this behavior + could lead to repeated execution of malicious payloads, unauthorized access, or + data destruction. Security analysts should investigate these events to mitigate + risks and prevent further compromise. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process IN ("*restart*", "*reload*", "*reenable*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", + "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process + IN ("*restart*", "*reload*", "*reenable*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: 
@@ -19,9 +41,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may create or start a service on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - AwfulShred 
@@ -32,35 +66,18 @@ tags: - Scheduled Tasks - Gomir asset_type: Endpoint - confidence: 50 - impact: 50 - message: A commandline $process$ that may create or start a service on $dest$ mitre_attack_id: - T1053.006 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index a49bd4387a..ca91f33339 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml 
@@ -1,16 +1,39 @@ name: Linux Service Started Or Enabled id: e0428212-61b7-11ec-88a3-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation or enabling of services on Linux platforms using the systemctl or service tools. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names, parent processes, and command-line executions. This activity is significant as adversaries may create or modify services to maintain persistence or execute malicious payloads. If confirmed malicious, this behavior could lead to persistent access, data theft, ransomware deployment, or other damaging outcomes. Monitoring and investigating such activities are crucial for maintaining the security and integrity of the environment. +description: The following analytic detects the creation or enabling of services on + Linux platforms using the systemctl or service tools. It leverages Endpoint Detection + and Response (EDR) logs, focusing on process names, parent processes, and command-line + executions. This activity is significant as adversaries may create or modify services + to maintain persistence or execute malicious payloads. If confirmed malicious, this + behavior could lead to persistent access, data theft, ransomware deployment, or + other damaging outcomes. Monitoring and investigating such activities are crucial + for maintaining the security and integrity of the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process IN ("* start *", "* enable *") AND NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", + "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process + IN ("* start *", "* enable *") AND NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft + Windows") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_service_started_or_enabled_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: 
@@ -19,9 +42,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a commandline $process$ that may create or start a service on $dest + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation 
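Review bot: The new `rba.message` in this hunk, `a commandline $process$ that may create or start a service on $dest`, is missing the closing `$` on the `$dest` token, so the host will never be substituted into the risk message shown to analysts. The typo is inherited from the `message:` line being removed from `tags` in the next hunk, so this relocation is the right moment to fix it, e.g. `message: A commandline $process$ that may create or start a service on $dest$`. The rest of the block checks out: `score: 42` matches the removed `confidence: 70` and `impact: 60`, and the single `dest`/`system` risk object mirrors the removed `observable` with the Victim role.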
@@ -30,35 +65,18 @@ tags: - Scheduled Tasks - Gomir asset_type: Endpoint - confidence: 70 - impact: 60 - message: a commandline $process$ that may create or start a service on $dest mitre_attack_id: - T1053.006 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml index e90b59d135..4355cf7209 100644 --- a/detections/endpoint/linux_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml 
@@ -1,16 +1,38 @@ name: Linux Setuid Using Chmod Utility id: bf0304b6-6250-11ec-9d7c-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions. +description: The following analytic detects the execution of the chmod utility to + set the SUID or SGID bit on files, which can allow users to temporarily gain root + or group-level access. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and command-line arguments related + to chmod. This activity is significant as it can indicate an attempt to escalate + privileges or maintain persistence on a system. If confirmed malicious, an attacker + could gain elevated access, potentially compromising sensitive data or critical + system functions. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = "*chmod *") AND Processes.process IN("* g+s *", "* u+s *", "* 4777 *", "* 4577 *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod + OR Processes.process = "*chmod *") AND Processes.process IN("* g+s *", "* u+s *", + "* 4777 *", "* 4577 *") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: 
@@ -19,44 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a commandline $process$ that may set suid or sgid on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques - Linux Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 70 - message: a commandline $process$ that may set suid or sgid on $dest$ mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml index 63a9d339f9..7092cc2521 100644 --- a/detections/endpoint/linux_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml 
@@ -1,16 +1,39 @@ name: Linux Setuid Using Setcap Utility id: 9d96022e-6250-11ec-9a19-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system. +description: The following analytic detects the execution of the 'setcap' utility + to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response + (EDR) data, focusing on process names and command-line arguments that indicate the + use of 'setcap' with specific capabilities. This activity is significant because + setting the SUID bit allows a user to temporarily gain root access, posing a substantial + security risk. If confirmed malicious, an attacker could escalate privileges, execute + arbitrary commands with elevated permissions, and potentially compromise the entire + system. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = "*setcap *") AND Processes.process IN ("* cap_setuid=ep *", "* cap_setuid+ep *", "* cap_net_bind_service+p *", "* cap_net_raw+ep *", "* cap_dac_read_search+ep *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap + OR Processes.process = "*setcap *") AND Processes.process IN ("* cap_setuid=ep *", + "* cap_setuid+ep *", "* cap_net_bind_service+p *", "* cap_net_raw+ep *", "* cap_dac_read_search+ep + *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_setuid_using_setcap_utility_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: 
@@ -19,43 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ that may set suid or sgid on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A commandline $process$ that may set suid or sgid on $dest$ mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml index 043bdd0526..9906adaea1 100644 --- a/detections/endpoint/linux_shred_overwrite_command.yml +++ b/detections/endpoint/linux_shred_overwrite_command.yml 
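Review bot: The `rba.message` carried over in this hunk, `A commandline $process$ that may set suid or sgid on $dest$`, says SUID/SGID, but this detection's search matches `setcap` grants such as `cap_setuid=ep`, `cap_net_bind_service+p` and `cap_net_raw+ep`, which are file capabilities rather than the SUID/SGID mode bits (the chmod detection earlier in this patch already owns that wording). Since the message is being moved anyway, consider rewording it to name the actual mechanism, for example `A commandline $process$ that may grant file capabilities on $dest$`, so a risk event does not point triage at the wrong thing. `score: 49` correctly reflects the removed `confidence: 70` and `impact: 70`.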
@@ -1,16 +1,37 @@ name: Linux Shred Overwrite Command id: c1952cf1-643c-4965-82de-11c067cbae76 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability. +description: The following analytic detects the execution of the 'shred' command on + a Linux machine, which is used to overwrite files to make them unrecoverable. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line arguments. This activity is significant because the 'shred' + command can be used in destructive attacks, such as those seen in the Industroyer2 + malware targeting energy facilities. If confirmed malicious, this activity could + lead to the permanent destruction of critical files, severely impacting system integrity + and data availability. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN ("*-n*", "*-u*", "*-z*", "*-s*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred + AND Processes.process IN ("*-n*", "*-u*", "*-z*", "*-s*") by Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
@@ -20,9 +41,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A possible shred overwrite command $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Industroyer2 
@@ -31,34 +64,17 @@ tags: - Data Destruction - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A possible shred overwrite command $process$ executed on $dest$ mitre_attack_id: - T1485 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml index 48c8281336..dd00c643bd 100644 --- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml +++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml 
@@ -1,15 +1,35 @@ name: Linux Sqlite3 Privilege Escalation id: ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the sqlite3 command with elevated privileges, which can be exploited for privilege escalation. It leverages Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 is used in conjunction with shell commands and sudo. This activity is significant because it indicates a potential attempt to gain root access, which could lead to full system compromise. If confirmed malicious, an attacker could execute arbitrary commands as root, leading to unauthorized access, data exfiltration, or further lateral movement within the network. +description: The following analytic detects the execution of the sqlite3 command with + elevated privileges, which can be exploited for privilege escalation. It leverages + Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 + is used in conjunction with shell commands and sudo. This activity is significant + because it indicates a potential attempt to gain root access, which could lead to + full system compromise. If confirmed malicious, an attacker could execute arbitrary + commands as root, leading to unauthorized access, data exfiltration, or further + lateral movement within the network. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sqlite3*" AND Processes.process="*.shell*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*sqlite3*" + AND Processes.process="*.shell*" AND Processes.process="*sudo*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/sqlite3/ 
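Review bot: `version` jumps from 4 to 6 in this hunk while every other detection in the patch is bumped by exactly one (3 to 4, 4 to 5), and the remainder of the hunk is a pure reflow of `description`, `search` and `how_to_implement` into folded scalars with no content change. Unless a version 5 of this analytic was already published elsewhere, this should read `version: 5`; otherwise please mention the reason in the commit message.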
@@ -20,52 +40,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml index 1852f70c3e..d513ccb7c5 100644 --- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml +++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml 
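Review bot: the `tests` entry at the end of this hunk drops `update_timestamp: true` without a replacement, so the replayed `sysmon_linux.log` sample keeps its original event timestamps; unless the test harness now rewrites timestamps by default, the True Positive Test will search a window that contains no events and fail. If the default did change, say so in the PR description; otherwise keep the key. The `rba` block itself is consistent with what it replaces: `score: 30` matches the removed `risk_score: 30`, and the `dest` risk object plus the two process threat objects mirror the removed `observable` list.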
@@ -1,16 +1,37 @@ name: Linux SSH Authorized Keys Modification id: f5ab595e-28e5-4327-8077-5008ba97c850 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like "bash" and "cat" interacting with "authorized_keys" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration. +description: The following analytic detects the modification of SSH Authorized Keys + on Linux systems. It leverages process execution data from Endpoint Detection and + Response (EDR) agents, specifically monitoring commands like "bash" and "cat" interacting + with "authorized_keys" files. This activity is significant as adversaries often + modify SSH Authorized Keys to establish persistent access to compromised endpoints. + If confirmed malicious, this behavior could allow attackers to maintain unauthorized + access, bypassing traditional authentication mechanisms and potentially leading + to further exploitation or data exfiltration. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("bash","cat") Processes.process IN ("*/authorized_keys*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Filtering will be required as system administrators will add and remove. One way to filter query is to add "echo". 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("bash","cat") + Processes.process IN ("*/authorized_keys*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_ssh_authorized_keys_modification_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Filtering will be required as system administrators will add + and remove. One way to filter query is to add "echo". references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md 
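Review bot: the reflowed `known_false_positives` line still reads `One way to filter query is to add "echo"`, which does not say whether `echo` belongs in the `Processes.process_name IN ("bash","cat")` list or in the filter macro; since the hunk rewrites the line anyway, spell it out, e.g. `Administrators routinely add and remove keys; tune linux_ssh_authorized_keys_modification_filter for known provisioning tooling.` It is also worth stating there that `cat` reading `authorized_keys` with no redirection is a read, not a modification, so the analytic fires on inspection of the file as well as on changes to it.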
@@ -20,58 +41,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ modifying SSH Authorized Keys. + risk_objects: + - field: user + type: user + score: 15 + - field: dest + type: system + score: 15 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys. 
mitre_attack_id: - T1098.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml index 4d6dadc793..cddd81fa59 100644 --- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml +++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml 
@@ -1,15 +1,36 @@ name: Linux SSH Remote Services Script Execute id: aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network. +description: The following analytic detects the use of SSH to move laterally and execute + a script or file on a remote host. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. + This activity is significant as it may indicate an attacker attempting to execute + remote commands or scripts, potentially leading to unauthorized access or control + over additional systems. If confirmed malicious, this could result in lateral movement, + privilege escalation, or the execution of malicious payloads, compromising the security + of the network. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh + Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") + AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: This is not a common command to be executed. Filter as needed. references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ 
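Review bot: the `search` in this hunk matches `*oStrictHostKeyChecking*`, `*oConnectTimeout*` and `*oBatchMode*`, i.e. only the `-oOption=value` spelling; ssh equally accepts `-o StrictHostKeyChecking=no` with a space, which these wildcards do not match. Dropping the leading `o` (`"*StrictHostKeyChecking*"`, `"*ConnectTimeout*"`, `"*BatchMode*"`) covers both spellings without loss of precision, since the option names themselves are distinctive. The reflow is otherwise behaviour-preserving: YAML folds the single-quoted scalar back into one line.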
@@ -19,54 +40,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ by user + $user$ attempting to move laterally and download a file. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Linux Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file. 
mitre_attack_id: - T1021.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml index 4ecd70c6ba..ce2ed01432 100644 --- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml +++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml 
@@ -1,54 +1,64 @@ name: Linux Stdout Redirection To Dev Null File id: de62b809-a04d-46b5-9a15-8298d330f0c8 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: experimental type: Anomaly -description: The following analytic detects command-line activities that redirect stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This behavior is significant as it can indicate attempts to hide command outputs, a technique observed in the CyclopsBlink malware to conceal modifications to iptables firewall settings. If confirmed malicious, this activity could allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine. +description: The following analytic detects command-line activities that redirect + stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs. This behavior is + significant as it can indicate attempts to hide command outputs, a technique observed + in the CyclopsBlink malware to conceal modifications to iptables firewall settings. + If confirmed malicious, this activity could allow an attacker to stealthily alter + system configurations, potentially leading to unauthorized access or persistent + control over the compromised machine. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*&>/dev/null*" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*&>/dev/null*" + by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid Processes.dest Processes.user Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_stdout_redirection_to_dev_null_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html +rba: + message: a commandline $process$ that redirect stdout to dev/null on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Cyclops Blink - Data Destruction - Industroyer2 asset_type: Endpoint - confidence: 60 - impact: 60 - message: a commandline $process$ that redirect stdout to dev/null in $dest$ mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux 
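Review bot: the `rba.message` added in this hunk (`a commandline $process$ that redirect stdout to dev/null on $dest$`) is ungrammatical and the path lacks its leading slash; suggest `A command line $process$ that redirects stdout to /dev/null on $dest$`. Two further points: `threat_objects: []` leaves the alert without the `process_name` and `parent_process_name` threat objects that the sibling detections in this change carry, although the search groups by both fields; and the `description` says the analytic covers stdout or stderr redirection while the `search` only matches `*&>/dev/null*`, which does not cover `>/dev/null 2>&1` or `2>/dev/null`. Either narrow the description to the `&>` form or extend the pattern to the other forms and note the false-positive impact.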
diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml index 2fb07d40eb..ba2750e653 100644 --- a/detections/endpoint/linux_stop_services.yml +++ b/detections/endpoint/linux_stop_services.yml 
@@ -1,16 +1,37 @@ name: Linux Stop Services id: d05204a5-9f1c-4946-a7f3-4fa58d76d5fd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "systemctl," "service," and "svcadm" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability. +description: The following analytic detects attempts to stop or clear a service on + Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on processes like "systemctl," "service," and "svcadm" executing stop commands. + This activity is significant as adversaries often terminate security or critical + services to disable defenses or disrupt operations, as seen in malware like Industroyer2. + If confirmed malicious, this could lead to the disabling of security mechanisms, + allowing attackers to persist, escalate privileges, or deploy destructive payloads, + severely impacting system integrity and availability. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process ="*stop*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", + "service", "svcadm") Processes.process ="*stop*" by Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
@@ -20,43 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to stop services on endpoint $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction - Industroyer2 asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$. 
mitre_attack_id: - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml index 17326375d8..4d09a93bfb 100644 --- a/detections/endpoint/linux_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_sudo_or_su_execution.yml 
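Review bot: the `rba` block in this hunk sets `threat_objects: []` even though its own `message` names `$parent_process_name$` and `$process_name$` and the search groups by both; for consistency with the other detections converted in this change, list them as `parent_process_name` and `process_name` threat objects. Likewise the message references `$user$` but `risk_objects` carries only `dest`; if the user is meant to accrue risk, add a `user` entry as the SSH detections do, otherwise drop `$user$` from the message. `score: 49` does match the removed `risk_score: 49`.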
@@ -1,16 +1,37 @@ name: Linux Sudo OR Su Execution id: 4b00f134-6d6a-11ec-a90c-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the "sudo" or "su" command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because "sudo" and "su" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise. +description: The following analytic detects the execution of the "sudo" or "su" command + on a Linux operating system. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and parent process names. This activity + is significant because "sudo" and "su" commands are commonly used by adversaries + to elevate privileges, potentially leading to unauthorized access or control over + the system. If confirmed malicious, this activity could allow attackers to execute + commands with root privileges, leading to severe security breaches, data exfiltration, + or further system compromise. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", + "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1548/003/ tags: 
@@ -18,35 +39,18 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 30 - impact: 30 - message: A commandline $process$ that execute sudo or su in $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml index 44357a9747..838f432cab 100644 --- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml +++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml 
@@ -1,16 +1,31 @@ name: Linux Sudoers Tmp File Creation id: be254a5c-63e7-11ec-89da-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of the "sudoers.tmp" file, which occurs when editing the /etc/sudoers file using visudo or another editor on a Linux platform. This detection leverages filesystem data to identify the presence of "sudoers.tmp" files. Monitoring this activity is crucial as adversaries may exploit it to gain elevated privileges on a compromised host. If confirmed malicious, this activity could allow attackers to modify sudoers configurations, potentially granting them unauthorized access to execute commands as other users, including root, thereby compromising the system's security. +description: The following analytic detects the creation of the "sudoers.tmp" file, + which occurs when editing the /etc/sudoers file using visudo or another editor on + a Linux platform. This detection leverages filesystem data to identify the presence + of "sudoers.tmp" files. Monitoring this activity is crucial as adversaries may exploit + it to gain elevated privileges on a compromised host. If confirmed malicious, this + activity could allow attackers to modify sudoers configurations, potentially granting + them unauthorized access to execute commands as other users, including root, thereby + compromising the system's security. 
data_source: - Sysmon for Linux EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*") + by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `linux_sudoers_tmp_file_creation_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from + Splunkbase. +known_false_positives: administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/ drilldown_searches: 
@@ -19,37 +34,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file $file_name$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation + - Earth Estries + - Nexus APT Threat Activity - Linux Persistence Techniques asset_type: Endpoint - confidence: 90 - impact: 80 - message: A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.process_guid - - Filesystem.file_path - risk_score: 72 
security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index 9f00dcba56..26d64b1efc 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml 
@@ -1,16 +1,39 @@ name: Linux System Network Discovery id: 535cb214-8b47-11ec-a2c7-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," and "route" within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment. +description: The following analytic identifies potential enumeration of local network + configuration on Linux systems. It detects this activity by monitoring processes + such as "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," + and "route" within a 30-minute window. This behavior is significant as it often + indicates reconnaissance efforts by adversaries to gather network information for + subsequent attacks. If confirmed malicious, this activity could enable attackers + to map the network, identify vulnerabilities, and plan further exploitation or lateral + movement within the environment. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name_list values(Processes.process) as process_list values(Processes.process_id) + as process_id_list values(Processes.parent_process_id) as parent_process_id_list + values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as + process_name_count from datamodel=Endpoint.Processes where Processes.process_name + IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", + "route") by _time span=30m Processes.dest Processes.user | where process_name_count + >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md drilldown_searches: 
@@ -19,43 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Network discovery process $process_name_list$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Data Destruction - Network Discovery - Industroyer2 asset_type: Endpoint - confidence: 30 - impact: 30 - message: Network discovery process $process_name_list$ executed on $dest$ mitre_attack_id: - T1016 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml index 9788d771c7..dbf98825e2 100644 --- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml +++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml 
@@ -1,15 +1,34 @@ name: Linux System Reboot Via System Request Key id: e1912b58-ed9c-422c-bbb0-2dbc70398345 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the SysReq hack to reboot a Linux system host. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This activity is significant as it is an uncommon method to reboot a system and was observed in the Awfulshred malware wiper. If confirmed malicious, this technique could indicate the presence of suspicious processes and potential system compromise, leading to unauthorized reboots and disruption of services. +description: The following analytic detects the execution of the SysReq hack to reboot + a Linux system host. It leverages Endpoint Detection and Response (EDR) data to + identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This + activity is significant as it is an uncommon method to reboot a system and was observed + in the Awfulshred malware wiper. If confirmed malicious, this technique could indicate + the presence of suspicious processes and potential system compromise, leading to + unauthorized reboots and disruption of services. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") Processes.process = "* echo b > *" Processes.process = "*/proc/sysrq-trigger" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", + "sudo", "bash") Processes.process = "* echo b > *" Processes.process = "*/proc/sysrq-trigger" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html 
@@ -21,45 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a $process_name$ execute sysrq command $process$ to reboot $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 70 - impact: 70 - message: a $process_name$ execute sysrq command $process$ to reboot $dest$ mitre_attack_id: - T1529 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process_path - - Processes.process - - Processes.process_id - - 
Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml index 432f98c3d1..e6fab0a962 100644 --- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml +++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml 
@@ -1,15 +1,35 @@ name: Linux Unix Shell Enable All SysRq Functions id: e7a96937-3b58-4962-8dce-538e4763cf15 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of a command to enable all SysRq functions on a Linux system, a technique associated with the AwfulShred malware. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant as it can indicate an attempt to manipulate kernel system requests, which is uncommon and potentially malicious. If confirmed, this could allow an attacker to reboot the system or perform other critical actions, leading to system instability or further compromise. +description: The following analytic detects the execution of a command to enable all + SysRq functions on a Linux system, a technique associated with the AwfulShred malware. + It leverages Endpoint Detection and Response (EDR) data to identify processes executing + the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant + as it can indicate an attempt to manipulate kernel system requests, which is uncommon + and potentially malicious. If confirmed, this could allow an attacker to reboot + the system or perform other critical actions, leading to system instability or further + compromise. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") Processes.process = "* echo 1 > *" Processes.process = "*/proc/sys/kernel/sysrq" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", + "sudo", "bash") Processes.process = "* echo 1 > *" Processes.process = "*/proc/sys/kernel/sysrq" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html 
@@ -21,46 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a $process_name$ execute sysrq command $process$ to enable all function + of system request on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - AwfulShred - Data Destruction asset_type: Endpoint - confidence: 60 - impact: 60 - message: a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$ mitre_attack_id: - T1059.004 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - 
Processes.process_path - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux - update_timestamp: true diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml index 20fb83eac5..93adeaf905 100644 --- a/detections/endpoint/linux_visudo_utility_execution.yml +++ b/detections/endpoint/linux_visudo_utility_execution.yml 
@@ -1,16 +1,37 @@ name: Linux Visudo Utility Execution id: 08c41040-624c-11ec-a71f-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'visudo' utility to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because unauthorized changes to the /etc/sudoers file can grant elevated privileges to users, potentially allowing adversaries to execute commands as root. If confirmed malicious, this could lead to full system compromise, privilege escalation, and persistent unauthorized access, severely impacting the security posture of the affected host. +description: The following analytic detects the execution of the 'visudo' utility + to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs. This activity + is significant because unauthorized changes to the /etc/sudoers file can grant elevated + privileges to users, potentially allowing adversaries to execute commands as root. + If confirmed malicious, this could lead to full system compromise, privilege escalation, + and persistent unauthorized access, severely impacting the security posture of the + affected host. 
data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_visudo_utility_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands drilldown_searches: 
@@ -19,43 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A commandline $process$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 16 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques asset_type: Endpoint - confidence: 40 - impact: 40 - message: A commandline $process$ executed on $dest$ mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - 
name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml index 35658e70a0..40894b9d82 100644 --- a/detections/endpoint/living_off_the_land_detection.yml +++ b/detections/endpoint/living_off_the_land_detection.yml 
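Review bot: the new `rba` block leaves `threat_objects: []` although the search already groups by `Processes.process` and `Processes.user` and the message interpolates `$process$`; consider adding `process` as a threat object and `user` as a second risk object (`- field: user` / `type: user`), since a sudoers edit is attributable to the account that ran visudo and the risk should follow that account as well as the host. The `score: 16` does match the removed `confidence: 40` / `impact: 40` pair, so the numeric conversion is consistent.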
@@ -1,15 +1,40 @@ name: Living Off The Land Detection id: 1be30d80-3a39-4df9-9102-64a467b24abc -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Correlation -description: The following correlation identifies multiple risk events associated with the "Living Off The Land" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities. +description: The following correlation identifies multiple risk events associated + with the "Living Off The Land" analytic story, indicating potentially suspicious + behavior. It leverages the Risk data model to aggregate and correlate events tagged + under this story, focusing on systems with a high count of distinct sources. This + activity is significant as it often involves the use of legitimate tools for malicious + purposes, making detection challenging. If confirmed malicious, this behavior could + allow attackers to execute code, escalate privileges, or persist within the environment + using trusted system utilities. 
data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter`' -how_to_implement: To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events. -known_false_positives: There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Living + Off The Land" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type + All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 5 | `living_off_the_land_detection_filter`' +how_to_implement: To implement this correlation search a user needs to enable all + detections in the Living Off The Land Analytic Story and confirm it is generating + risk events. A simple search `index=risk analyticstories="Living Off The Land"` + should contain events. +known_false_positives: There are no known false positive for this search, but it could + contain false positives as multiple detections can trigger and not have successful + exploitation. Modify the static value distinct_detection_name to a higher value. + It is also required to tune analytics that are also tagged to ensure volume is never + too much. references: - https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html - https://research.splunk.com/stories/living_off_the_land/ 
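Review bot: the reflowed `known_false_positives` text still tells the analyst to "Modify the static value distinct_detection_name to a higher value", but the search thresholds on `dc(source) as source_count` with `| where source_count >= 5`; there is no `distinct_detection_name` field in this search, so the tuning guidance should name `source_count` and the `>= 5` threshold. Since these lines are being rewritten anyway, this is the place to fix it.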
@@ -19,42 +44,32 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 90 - message: An increase of Living Off The Land behavior has been detected on $risk_object$ mitre_attack_id: - T1105 - T1190 - T1059 - T1133 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log source: lotl sourcetype: stash diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml index 7891f30eab..4b57f8a939 100644 --- a/detections/endpoint/loading_of_dynwrapx_module.yml +++ b/detections/endpoint/loading_of_dynwrapx_module.yml 
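Review bot: this hunk drops `message`, `confidence: 70`, `impact: 90` and `risk_score: 63` without adding an `rba` block, unlike the visudo and dynwrapx detections in this patch which convert those fields into `rba:`. If Correlation searches intentionally carry no `rba` under the new schema, fine, but otherwise the risk message "An increase of Living Off The Land behavior has been detected on $risk_object$" and its score are silently lost; please confirm which is intended.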
@@ -1,16 +1,34 @@ name: Loading Of Dynwrapx Module id: eac5e8ba-4857-11ec-9371-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. Immediate investigation of parallel processes and registry modifications is recommended. +description: The following analytic detects the loading of the dynwrapx.dll module, + which is associated with the DynamicWrapperX ActiveX component. This detection leverages + Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This + activity is significant because DynamicWrapperX can be used to call Windows API + functions in scripts, making it a potential tool for malicious actions. If confirmed + malicious, this could allow an attacker to execute arbitrary code, escalate privileges, + or maintain persistence on the host. Immediate investigation of parallel processes + and registry modifications is recommended. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName = "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). +search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName + = "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime + max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name + dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `loading_of_dynwrapx_module_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on processes that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` + node. In addition, confirm the latest CIM App 4.20 or higher is installed and the + latest TA for the endpoint product. 
+known_false_positives: False positives should be limited, however it is possible to + filter by Processes.process_name and specific processes (ex. wscript.exe). Filter + as needed. This may need modification based on EDR telemetry and how it brings in + registry data. For example, removal of (Default). references: - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ - https://www.script-coding.com/dynwrapx_eng.html 
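Review bot: `how_to_implement` and `known_false_positives` in this hunk do not describe the search: the search reads raw `sysmon` EventCode=7 image-load events and never touches the `Endpoint` data model, yet the text asks for the `Processes` and `Filesystem` nodes and CIM 4.20, and the false-positive note talks about "registry data" and "removal of (Default)", which belong to a registry detection. Since these lines are being rewritten anyway, state that Sysmon EventID 7 with the `ImageLoaded`, `OriginalFileName`, `Product` and `Signed` fields is required and that tuning is done on `Image` / `process_name` (e.g. wscript.exe), and drop the registry wording.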
@@ -24,45 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: dynwrapx.dll loaded by process $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Remcos - AsyncRAT asset_type: Endpoint - confidence: 100 - impact: 80 - message: dynwrapx.dll loaded by process $process_name$ on $dest$ mitre_attack_id: - T1055 - T1055.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - OriginalFileName - - Product - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml index d849689ed8..7a5da713bb 100644 --- a/detections/endpoint/local_account_discovery_with_wmic.yml +++ b/detections/endpoint/local_account_discovery_with_wmic.yml 
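Review bot: the new `rba` block has `threat_objects: []` even though the message is "dynwrapx.dll loaded by process $process_name$ on $dest$" and `process_name` and `ImageLoaded` are both in the `stats ... by` clause; adding `process_name` as a threat object would let the loader be pivoted on in the risk index. The `score: 80` matches the removed `confidence: 100` / `impact: 80`, so that part is consistent.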
@@ -1,17 +1,36 @@ name: Local Account Discovery With Wmic id: 4902d7aa-0134-11ec-9d65-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network. +description: The following analytic detects the execution of `wmic.exe` with command-line + arguments used to query local user accounts, specifically the `useraccount` argument. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs that include command-line details. This activity is significant + as it indicates potential reconnaissance efforts by adversaries to enumerate local + users, which is a common step in situational awareness and Active Directory discovery. + If confirmed malicious, this behavior could lead to further targeted attacks, privilege + escalation, or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ @@ -19,28 +38,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local user discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1087 - T1087.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml index 3153b8f737..f678107a88 100644 --- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml +++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml 
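Review bot: the reflowed `how_to_implement` says "you must ingest logs that contain the process GUID", but the search's `by` clause has no `Processes.process_guid`, unlike the visudo search in this patch; either add `Processes.process_guid` to the `by` clause or drop the GUID requirement from the text. The tags hunk removing `message`, `confidence`, `impact` and `risk_score: 15` is consistent with `type: Hunting`, and the removed `required_fields` listed only `_time`, so nothing of value is lost there.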
@@ -1,15 +1,39 @@ name: Log4Shell CVE-2021-44228 Exploitation id: 9be30d80-3a39-4df9-9102-64a467b24eac -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Jose Hernandez, Splunk status: production type: Correlation -description: The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems. +description: The following analytic identifies potential exploitation of Log4Shell + CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. + It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK + tactics from Log4Shell-related detections. This activity is significant because + it indicates a high probability of exploitation if two or more distinct tactics + are observed. If confirmed malicious, this activity could lead to initial payload + delivery, callback to a malicious server, and post-exploitation activities, potentially + resulting in unauthorized access, lateral movement, and further compromise of the + affected systems. 
data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Log4Shell CVE-2021-44228" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`' -how_to_implement: To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events. -known_false_positives: There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Log4Shell + CVE-2021-44228" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type + All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`' +how_to_implement: To implement this correlation search a user needs to enable all + detections in the Log4Shell Analytic Story and confirm it is generation risk events. + A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain + events. +known_false_positives: There are no known false positive for this search, but it could + contain false positives as multiple detections can trigger and not have successful + exploitation. references: - https://research.splunk.com/stories/log4shell_cve-2021-44228/ - https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html 
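Review bot: the description in this hunk says the analytic fires "if two or more distinct tactics are observed", but the search gates on `| where source_count >= 2`, i.e. two distinct contributing detections; `mitre_tactic_id_count` is computed and never used, and because the `by` clause also splits on `All_Risk.annotations.mitre_attack.mitre_tactic` it would be 1 per row anyway. Either reword the description to "two or more distinct detections" or switch the condition to `where mitre_tactic_id_count >= 2` and remove the tactic from the `by` clause. Also "confirm it is generation risk events" in `how_to_implement` should read "generating risk events" (the Living Off The Land copy of the same sentence has it right).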
@@ -19,7 +43,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -27,35 +56,20 @@ tags: - Log4Shell CVE-2021-44228 - CISA AA22-320A asset_type: Endpoint - confidence: 70 - impact: 90 - message: Log4Shell Exploitation detected against $risk_object$. mitre_attack_id: - T1105 - T1190 - T1059 - T1133 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt source: log4shell sourcetype: stash diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml index 9b9dd4313c..78ab8e9852 100644 --- a/detections/endpoint/logon_script_event_trigger_execution.yml +++ b/detections/endpoint/logon_script_event_trigger_execution.yml 
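Review bot: as with the Living Off The Land correlation in this patch, this hunk removes `message: Log4Shell Exploitation detected against $risk_object$.`, `confidence: 70`, `impact: 90` and `risk_score: 63` without an `rba` replacement, while the non-correlation detections convert those fields into `rba:`; confirm that Correlation searches are meant to carry no `rba` block, otherwise the risk message and score for this detection disappear.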
@@ -1,15 +1,31 @@ name: Logon Script Event Trigger Execution id: 4c38c264-1f74-11ec-b5fa-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host. +description: The following analytic detects the modification of the UserInitMprLogonScript + registry entry, which is often used by attackers to establish persistence and gain + privilege escalation upon system boot. It leverages data from the Endpoint.Registry + data model, focusing on changes to the specified registry path. This activity is + significant because it is a common technique used by APT groups and malware to ensure + their payloads execute automatically when the system starts. If confirmed malicious, + this could allow attackers to maintain persistent access and potentially escalate + their privileges on the compromised host. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Environment\\UserInitMprLogonScript") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path + IN ("*\\Environment\\UserInitMprLogonScript") by Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1037/001/ 
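Review bot: `how_to_implement` in this hunk reads "via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon" and should be "via an endpoint detection-and-response product, such as Carbon Black, or an endpoint data source such as Sysmon"; since the text is being reflowed anyway this is the moment to fix it. The reflowed `search` is a YAML single-quoted scalar, so the line breaks fold to spaces and `"*\\Environment\\UserInitMprLogonScript"` keeps its literal double backslashes, which is what the SPL needs.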
@@ -19,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry path $registry_path$ was modified, added, or deleted on $dest$. + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Data Destruction 
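Review bot: `threat_objects: []` leaves the analyst without the one artifact that matters for this technique, the script path written into `UserInitMprLogonScript`. The search's `by` clause groups on `Registry.registry_value_name` but not `Registry.registry_value_data`, so the value cannot be exposed; consider adding `Registry.registry_value_data` to the `by` clause and listing it as a threat object (for example `- field: registry_value_data` with `type: file_name` or the closest supported type). The two `score: 80` entries match the removed `risk_score: 80`, so the scoring is otherwise consistent.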
@@ -29,37 +60,18 @@ tags: - Hermetic Wiper - Windows Persistence Techniques asset_type: Endpoint - confidence: 100 - impact: 80 - message: Registry path $registry_path$ was modified, added, or deleted on $dest$. mitre_attack_id: - T1037 - T1037.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 392d16e309..785a6006ef 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml 
@@ -1,16 +1,45 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 5 -date: '2024-12-07' +version: 6 +date: '2024-12-16' author: Steven Dick status: production type: TTP -description: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. +description: The following analytic identifies the use of Living Off the Land Binaries + and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic + data model to detect when native Windows binaries, often abused by adversaries, + initiate network connections. This activity is significant as LOLBAS are frequently + used to download malicious payloads, enabling lateral movement, command-and-control, + or data exfiltration. If confirmed malicious, this behavior could allow attackers + to execute arbitrary code, escalate privileges, or maintain persistence within the + environment, posing a severe threat to organizational security. 
data_source: - Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe", "*\\pwsh.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`' -how_to_implement: To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with matching process_id field. Sysmon EID1 and EID3 are good examples of this type this data type. 
-known_false_positives: Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN + ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", + "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", + "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", + "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", + "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", + "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", + "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", + "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", + "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", + "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", + "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", + "*\\powershell.exe", "*powershell_ise.exe", "*\\pwsh.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip + | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`' +how_to_implement: To successfully implement this detection you must ingest events + into the Network 
traffic data model that contain the source, destination, and communicating + process in the app field. Relevant processes must also be ingested in the Endpoint + data model with matching process_id field. Sysmon EID1 and EID3 are good examples + of this type this data type. +known_false_positives: Legitimate usage of internal automation or scripting, especially + powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary + to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN + ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") references: - https://lolbas-project.github.io/# - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ 
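Review bot: the `rex field=app ".*\\\(?.*)$"` in the reflowed `search` shows no named capture group, yet the rba message added later in this file references `$process_name$`; verify that the group is really `(?<process_name>.*)` in the committed YAML (angle brackets are easily stripped in rendering) because as written here the rex is not a valid named group and `$process_name$` would never be populated. Two smaller points in the same hunk: `how_to_implement` ends with "good examples of this type this data type" (drop "this type"), and the `known_false_positives` example filter lists `170.98.0.0/16`, which is not an RFC 1918 range and does not belong next to `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16` without an explanation.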
@@ -20,56 +49,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$. + risk_objects: + - field: src + type: system + score: 25 + threat_objects: + - field: dest_ip + type: ip_address tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$. 
mitre_attack_id: - T1105 - T1567 - T1218 - observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.dest - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - All_Traffic.app - - All_Traffic.src - - All_Traffic.src_ip - - All_Traffic.dest - - All_Traffic.dest_ip - - All_Traffic.process_id - risk_score: 25 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml index c4ddf24cba..fee3852b93 100644 --- a/detections/endpoint/macos___re_opened_applications.yml +++ b/detections/endpoint/macos___re_opened_applications.yml 
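Review bot: the test block loses `update_timestamp: true` with no mention in the change; that flag controls whether the replayed `lolbas_with_network_traffic.log` events are re-stamped to the current time, so confirm the True Positive Test still matches without it rather than relying on the dataset's original timestamps. Also note the new `threat_objects` entry uses `dest_ip` while the rba message says "communicating with $dest$"; both fields are in the `by` clause, but the former `observable` marked `dest` (Hostname) as the attacker, so pick one and keep message and threat object aligned.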
@@ -1,44 +1,59 @@ name: MacOS - Re-opened Applications id: 40bb64f9-f619-4e3d-8732-328d40377c4b -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Jamie Windley, Splunk status: experimental type: TTP -description: The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise. +description: The following analytic identifies processes referencing plist files that + determine which applications are re-opened when a user reboots their MacOS machine. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and parent processes related to "com.apple.loginwindow." This activity + is significant because it can indicate attempts to persist across reboots, a common + tactic used by attackers to maintain access. If confirmed malicious, this could + allow an attacker to execute code or maintain persistence on the affected system, + potentially leading to further compromise. 
data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" + by Processes.user Processes.process_name Processes.parent_process_name Processes.dest + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `macos___re_opened_applications_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: At this stage, there are no known false positives. During testing, + no process events refering the com.apple.loginwindow.plist files were observed during + normal operation of re-opening applications on reboot. Therefore, it can be asumed + that any occurences of this in the process events would be worth investigating. + In the event that the legitimate modification by the system of these files is in + fact logged to the process log, then the process_name of that process can be added + to an allow list. 
references: [] +rba: + message: Possible persistence mechanism via plists on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - ColdRoot MacOS RAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process - - Processes.user - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - risk_score: 25 security_domain: threat diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml index edd386462c..57a2ca77ce 100644 --- a/detections/endpoint/macos_lolbin.yml +++ b/detections/endpoint/macos_lolbin.yml 
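Review bot: `data_source: - Sysmon EventID 1` on a macOS detection does not fit; Sysmon ships for Windows and Linux, not macOS, and the `how_to_implement` text in this same hunk says the data comes from EDR agents mapped to `Endpoint.Processes`. List the actual source (an EDR product or osquery, as the sibling macOS detections do). The `tags` block also carries no `mitre_attack_id` and `references: []` is empty, even though the description frames this as a persistence-across-reboot technique; at minimum the relevant ATT&CK technique should be tagged. The reflowed `known_false_positives` text keeps the typos "refering", "asumed" and "occurences" ("referring", "assumed", "occurrences"), and the new rba message "Possible persistence mechanism via plists on $dest$" is a welcome replacement for `message: tbd`.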
@@ -1,14 +1,30 @@ name: MacOS LOLbin id: 58d270fb-5b39-418e-a855-4b8ac046805e -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk. +description: The following analytic detects multiple executions of Living off the + Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor + process events and identifies commands such as "find", "crontab", "screencapture", + "openssl", "curl", "wget", "killall", and "funzip". This activity is significant + as LOLbins are often used by attackers to perform malicious actions while evading + detection. If confirmed malicious, this behavior could allow attackers to execute + arbitrary code, escalate privileges, or persist within the environment, posing a + significant security risk. 
data_source: [] -search: '`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`' -how_to_implement: This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. +search: '`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", + "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename + columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) + as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, + values(signing_id) as signing_id, dc(path) as dc_path by username host | rename + username as user, cmdline as process, path as process_path, host as dest | where + dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `macos_lolbin_filter`' +how_to_implement: This detection uses osquery and endpoint security on MacOS. Follow + the link in references, which describes how to setup process auditing in MacOS with + endpoint security and osquery. known_false_positives: None identified. references: - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ 
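Review bot: `data_source: []` is empty although the search starts with `` `osquery_macro` name=es_process_events `` and the description says it "leverages osquery"; the plutil detection further down in this diff lists `- osquery`, so this one should too. Otherwise the reflow of the `search` scalar preserves the SPL, including the `where dc_path > 3` threshold that turns this into a "multiple LOLbins in one window" detection.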
@@ -18,46 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiplle LOLbin are executed on host $dest$ by user $user$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: Multiplle LOLbin are executed on host $dest$ by user $user$ mitre_attack_id: - T1059.004 - T1059 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - columns.cmdline - - columns.pid - - columns.parent - - columns.path - - columns.signing_id - - columns.username 
- - host - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/macos_lolbin/osquery.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/macos_lolbin/osquery.log source: osquery sourcetype: osquery:results diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml index e06373a131..295d560c63 100644 --- a/detections/endpoint/macos_plutil.yml +++ b/detections/endpoint/macos_plutil.yml 
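Review bot: the rba `message: Multiplle LOLbin are executed on host $dest$ by user $user$` carries the typo over from the removed `message:` line; since the text is being moved anyway, make it "Multiple LOLbins were executed on host $dest$ by user $user$". Scores of 25 on both `user` and `dest` match the removed `risk_score: 25`.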
@@ -1,15 +1,28 @@ name: MacOS plutil id: c11f2b57-92c1-4cd2-b46c-064eafb833ac -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. +description: The following analytic detects the usage of the `plutil` command to modify + plist files on macOS systems. It leverages osquery to monitor process events, specifically + looking for executions of `/usr/bin/plutil`. This activity is significant because + adversaries can use `plutil` to alter plist files, potentially adding malicious + binaries or command-line arguments that execute upon user logon or system startup. + If confirmed malicious, this could allow attackers to achieve persistence, execute + arbitrary code, or escalate privileges, posing a significant threat to the system's + security. data_source: - osquery -search: '`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`' -how_to_implement: This detection uses osquery and endpoint security on MacOS. 
Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. +search: '`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil | rename + columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by + username host cmdline pid path parent signing_id | rename username as user, cmdline + as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `macos_plutil_filter`' +how_to_implement: This detection uses osquery and endpoint security on MacOS. Follow + the link in references, which describes how to setup process auditing in MacOS with + endpoint security and osquery. known_false_positives: Administrators using plutil to change plist files. references: - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ 
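Review bot: the description says the analytic "detects the usage of the `plutil` command to modify plist files", but `columns.path=/usr/bin/plutil` matches every plutil execution, including read-only calls such as `plutil -p` or `plutil -lint`. If modification is the intended signal, filter `cmdline` for the write operations (`-insert`, `-replace`, `-remove`, `-convert`) or adjust the description and `known_false_positives` to say any plutil execution is alerted on.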
@@ -19,45 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: plutil are executed on $dest$ from $user$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: plutil are executed on $dest$ from $user$ mitre_attack_id: - T1647 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - columns.cmdline - - columns.pid - - columns.parent - - columns.path - - columns.signing_id - - columns.username - - host - risk_score: 25 security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1647/atomic_red_team/osquery.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1647/atomic_red_team/osquery.log source: osquery sourcetype: osquery:results diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml index 45bf77c8e1..c61b356b5d 100644 --- a/detections/endpoint/mailsniper_invoke_functions.yml +++ b/detections/endpoint/mailsniper_invoke_functions.yml 
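Review bot: the `rba.message` carried into the plutil detection (the `macos_plutil_filter` search) keeps the old grammar, "plutil are executed on $dest$ from $user$"; each result row is one path/user pair, so "plutil was executed on $dest$ by $user$" reads correctly in the notable. The two `score: 25` entries match the removed `risk_score: 25`, so the conversion is consistent. `threat_objects: []` could carry the `process` field (the search renames `cmdline` to `process`) so the command line surfaces next to the user and host risk objects.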
@@ -1,15 +1,29 @@ name: Mailsniper Invoke functions id: a36972c8-b894-11eb-9f78-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure. +description: The following analytic detects the execution of known MailSniper PowerShell + functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify + specific script block text associated with MailSniper activities. This behavior + is significant as MailSniper is often used by attackers to harvest sensitive emails + from compromised Exchange servers. If confirmed malicious, this activity could lead + to unauthorized access to sensitive email data, credential theft, and further compromise + of the email infrastructure. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Invoke-GlobalO365MailSearch*", "*Invoke-GlobalMailSearch*", "*Invoke-SelfSearch*", "*Invoke-PasswordSprayOWA*", "*Invoke-PasswordSprayEWS*","*Invoke-DomainHarvestOWA*", "*Invoke-UsernameHarvestOWA*","*Invoke-OpenInboxFinder*","*Invoke-InjectGEventAPI*","*Invoke-InjectGEvent*","*Invoke-SearchGmail*", "*Invoke-MonitorCredSniper*", "*Invoke-AddGmailRule*","*Invoke-PasswordSprayEAS*","*Invoke-UsernameHarvestEAS*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Invoke-GlobalO365MailSearch*", + "*Invoke-GlobalMailSearch*", "*Invoke-SelfSearch*", "*Invoke-PasswordSprayOWA*", + "*Invoke-PasswordSprayEWS*","*Invoke-DomainHarvestOWA*", "*Invoke-UsernameHarvestOWA*","*Invoke-OpenInboxFinder*","*Invoke-InjectGEventAPI*","*Invoke-InjectGEvent*","*Invoke-SearchGmail*", + "*Invoke-MonitorCredSniper*", "*Invoke-AddGmailRule*","*Invoke-PasswordSprayEAS*","*Invoke-UsernameHarvestEAS*") + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the powershell logs from your endpoints. make sure you enable needed + registry to monitor this event. 
known_false_positives: unknown references: - https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/ 
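Review bot: the reflowed `how_to_implement` in mailsniper_invoke_functions.yml still says "make sure you enable needed registry to monitor this event", which does not tell the reader what to enable. Since the search keys on `EventCode=4104` and `data_source` lists "Powershell Script Block Logging 4104", state it directly: "Enable PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational, EventCode 4104) on the endpoints and ingest that log." Capitalize "Make sure" while the line is being touched.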
@@ -19,44 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$. + risk_objects: + - field: dest + type: system + score: 72 + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Data Exfiltration asset_type: Endpoint - confidence: 80 - impact: 90 - message: Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$. 
mitre_attack_id: - T1114 - T1114.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml index 6deaff154a..d6476bf1a3 100644 --- a/detections/endpoint/malicious_inprocserver32_modification.yml +++ b/detections/endpoint/malicious_inprocserver32_modification.yml 
@@ -1,17 +1,44 @@ name: Malicious InProcServer32 Modification id: 127c8d08-25ff-11ec-9223-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security. +description: The following analytic detects a process modifying the registry with + a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on registry modifications within the HKLM or + HKCU Software Classes CLSID paths. This activity is significant as it may indicate + an attempt to load a malicious DLL, potentially leading to code execution. If confirmed + malicious, this could allow an attacker to persist in the environment, execute arbitrary + code, or escalate privileges, posing a severe threat to system integrity and security. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. 
It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid + Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats + `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= + "*\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)" by + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest + Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time + dest registry_path registry_key_name registry_value_name process_name process_path + process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime + by dest, process_name registry_path registry_key_name registry_value_name user | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited, filter as needed. 
In our + test case, Remcos used regsvr32.exe to modify the registry. It may be required, + dependent upon the EDR tool producing registry events, to remove (Default) from + the command-line. references: - https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/ - https://tria.ge/210929-ap75vsddan 
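Review bot: `how_to_implement` in malicious_inprocserver32_modification.yml only documents the `Processes` node, but the search joins `Endpoint.Processes` to `Endpoint.Registry` on `process_guid`, so the registry half of the requirement is missing. Add that the Sysmon EventID 12/13 events already listed under `data_source` must be mapped to the `Registry` node of the `Endpoint` data model with `process_guid` populated; without that the `join process_guid [...]` subsearch returns nothing and the detection silently never fires.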
@@ -22,46 +49,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The $process_name$ was identified on endpoint $dest$ modifying the registry + with a known malicious clsid under InProcServer32. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Regsvr32 Activity - Remcos asset_type: Endpoint - confidence: 100 - impact: 80 - message: The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32. 
mitre_attack_id: - T1218.010 - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - process_name - - registry_path - - registry_key_name - - registry_value_name - - user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml index a0832bcf6d..a846b2b6d5 100644 --- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml +++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml @@ -1,7 +1,7 @@ name: Malicious Powershell Executed As A Service id: 8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Ryan Becwar status: production type: TTP 
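Review bot: the header hunk for malicious_powershell_executed_as_a_service.yml changes `version: '6'` to `version: 7`, dropping the quotes; that is the right normalization since every other file in this patch uses an unquoted integer. This hunk is stamped `date: '2024-12-10'` while the neighbouring files get `2024-11-13`, so confirm the two dates are both intended rather than one being stale.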
@@ -44,46 +44,35 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Identifies the abuse the Windows SC.exe to execute malicious powerShell + as a service $ImagePath$ by $user$ on $dest$ + risk_objects: + - field: dest + type: system + score: 72 + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Rhysida Ransomware - Malicious PowerShell asset_type: Endpoint - confidence: 80 - impact: 90 - message: Identifies the abuse the Windows SC.exe to execute malicious powerShell - as a service $ImagePath$ by $user$ on $dest$ mitre_attack_id: - T1569 - T1569.002 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - Service_File_Name - - Service_Type - - _time - - Service_Name - - Service_Start_Type - - Service_Account - - user - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index 2b22f40390..23f7cc2670 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml 
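Review bot: the `rba.message` carried over for malicious_powershell_executed_as_a_service.yml is phrased as a description and has broken grammar ("Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service"); suggest "Windows sc.exe was used to execute malicious PowerShell as a service ($ImagePath$) by $user$ on $dest$". Also verify that `$ImagePath$` is a field the search actually emits: the removed `required_fields` list `Service_File_Name`, `Service_Name`, `Service_Account` and `user` but no `ImagePath`, so the token may render unexpanded in the notable.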
@@ -1,17 +1,38 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 11 -date: '2024-10-17' +version: 12 +date: '2024-11-22' author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting -description: The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts. +description: The following analytic detects the use of the EncodedCommand parameter + in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data + to identify variations of the EncodedCommand parameter, including shortened forms + and different command switch types. This activity is significant because adversaries + often use encoded commands to obfuscate malicious scripts, making detection harder. + If confirmed malicious, this behavior could allow attackers to execute hidden code, + potentially leading to unauthorized access, privilege escalation, or persistent + threats within the environment. Review parallel events to determine legitimacy and + tune based on known administrative scripts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013|\u2014|\u2015][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\") | `malicious_powershell_process___encoded_command_filter`" -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user + Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name + Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\s+[\"]?[A-Za-z0-9+/=]{5,}[\"]?") + | `malicious_powershell_process___encoded_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: System administrators may use this option, but it's not common. references: - https://regexr.com/662ov 
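Review bot: the `search` rewrite in malicious_powershell_process___encoded_command.yml switches the YAML scalar from double to single quotes, which changes escape handling: the old `\\-`, `\u2013`/`\u2014`/`\u2015` and `[\\\"]?` parse to `\-`, the literal dash characters and `[\"]?`, which is exactly what the new single-quoted text contains verbatim, so the SPL Splunk receives is unchanged. Two points while this is touched: the dashes are now raw characters in the file, so it must stay UTF-8 encoded; and `|` inside the `[\-|\/|–|—|―]` character class is a literal pipe, not alternation (pre-existing), so `[-/–—―]` expresses the intent without also accepting `|` as a switch prefix.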
@@ -22,45 +43,30 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ tags: analytic_story: - - Hermetic Wiper - - Malicious PowerShell - - NOBELIUM Group - - WhisperGate - - DarkCrystal RAT - - Qakbot - CISA AA22-320A + - Hermetic Wiper - Sandworm Tools - - Data Destruction + - Qakbot - Volt Typhoon + - NOBELIUM Group + - Data Destruction - Lumma Stealer + - Malicious PowerShell + - DarkCrystal RAT + - WhisperGate + - Crypto Stealer asset_type: Endpoint - confidence: 50 - impact: 70 - message: Powershell.exe running potentially malicious encoded commands on $dest$ mitre_attack_id: - T1027 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.user - - Processes.parent_process_name - - Processes.dest - - Processes.process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 4bf7f6a5b3..228765bed3 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml 
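Review bot: this hunk removes `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` from malicious_powershell_process___encoded_command.yml without adding an `rba` block; that is consistent with `type: Hunting` (a hunting search does not generate risk), but the PR text should say so since every other detection in the patch gains `rba`. Separately, the `analytic_story` list is reshuffled rather than just extended with `Crypto Stealer`, which makes the diff noisier than needed; keeping the existing order (or one sort order across all files) and appending the new entry would leave the real change visible.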
@@ -1,18 +1,40 @@ name: Malicious PowerShell Process - Execution Policy Bypass id: 9be56c82-b1cc-4318-87eb-d138afaaca39 -version: 7 -date: '2024-09-30' +version: 9 +date: '2025-01-27' author: Rico Valdez, Mauricio Velazco, Splunk status: production -type: TTP -description: The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment. +type: Anomaly +description: The following analytic detects PowerShell processes initiated with parameters + that bypass the local execution policy for scripts. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions containing + specific flags like "-ex" or "bypass." This activity is significant because bypassing + execution policies is a common tactic used by attackers to run malicious scripts + undetected. If confirmed malicious, this could allow an attacker to execute arbitrary + code, potentially leading to further system compromise, data exfiltration, or persistent + access within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate. 
+search: '| tstats `security_content_summariesonly` values(Processes.process_id) as + process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) + as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_powershell` (Processes.process="* -ex*" AND Processes.process="* + bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: There may be legitimate reasons to bypass the PowerShell execution + policy. The PowerShell script being run with this parameter should be validated + to ensure that it is legitimate. references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: 
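Review bot: the search logic in malicious_powershell_process___execution_policy_bypass.yml changes from `(Processes.process="* -ex*" OR Processes.process="* bypass *")` to `AND`, so a command line must now carry both `-ex` and ` bypass ` to match, yet `description` still says the analytic keys on "specific flags like "-ex" or "bypass."" Either update the description to the narrowed logic or keep the OR; the narrowed form is plausibly intended, since `* -ex*` alone also matches any `-ex...` switch, but the documentation must say so. The switch to `type: Anomaly` and the version jump from 7 to 9 (skipping 8) suggest two revisions folded together and should be called out in the PR text.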
@@ -21,46 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell local execution policy bypass attempt on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - DHS Report TA18-074A - - HAFNIUM Group - - DarkCrystal RAT - AsyncRAT + - DarkCrystal RAT + - HAFNIUM Group + - Nexus APT Threat Activity + - Earth Estries - Volt Typhoon asset_type: Endpoint - confidence: 60 - impact: 70 - message: PowerShell local execution policy bypass attempt on $dest$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - 
Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml index f5bcfd7458..4e23a604b3 100644 --- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml +++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml 
@@ -1,16 +1,40 @@ name: Malicious PowerShell Process With Obfuscation Techniques id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4 -version: 8 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: TTP -description: The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk. +description: The following analytic detects PowerShell processes launched with command-line + arguments indicative of obfuscation techniques. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, parent processes, + and complete command-line executions. This activity is significant because obfuscated + PowerShell commands are often used by attackers to evade detection and execute malicious + scripts. If confirmed malicious, this activity could lead to unauthorized code execution, + privilege escalation, or persistent access within the environment, posing a significant + security risk. 
data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "''"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: These characters might be legitimately on the command-line, but it is not common. 
+search: "| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` + by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name + Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"\ + `\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) + | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation + > 10" +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: These characters might be legitimately on the command-line, + but it is not common. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
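Review bot: the reflowed `search` scalar relies on a double-quoted YAML escape that splits the backtick delimiter across a line break (`(mvcount(split(process,\"\` at the end of one line, `` `\"))-1)`` at the start of the next). The trailing backslash suppresses the fold, so the loaded string is still `split(process,"`")`, but this is the only search scalar in the diff written in double-quoted style and the construction is easy to break on the next reformat. Suggest keeping the whole `split(process,"`")` call on one line, or staying with the single-quoted style the other detections use, where the `''` of the removed line was already an escaped single quote and the new `\"'\"` is its exact equivalent. The resulting SPL is unchanged, so the existing unit test should still pass as-is.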
@@ -18,48 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell.exe running with potential obfuscated arguments on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 60 - impact: 70 - message: Powershell.exe running with potential obfuscated arguments on $dest$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml index 20bd0b9e37..eba3aaecd3 100644 --- a/detections/endpoint/microsoft_defender_atp_alerts.yml +++ b/detections/endpoint/microsoft_defender_atp_alerts.yml @@ -1,7 +1,7 @@ name: Microsoft Defender ATP Alerts id: 38f034ed-1598-46c8-95e8-14edf05fdf5d -version: 1 -date: '2024-10-30' +version: 3 +date: '2025-01-20' author: Bryan Pluta, Bhavin Patel, Splunk status: production type: TTP 
@@ -15,7 +15,7 @@ search: ' `ms_defender_atp_alerts` (dest=* OR user=*)| eval tmp_evidence=json_ex | stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_defender_atp_alerts_filter`' -how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype. **NOTE** - We also have a detection named `Detect Critical Alerts from Security Tools` that triggers on the same data and is written against the Alerts datamodel. Enabling both of these detections will result in duplicate risk/notable events, we recommend enabling only one of these detections. +how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype. known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment. references: - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide 
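Review bot: the rewritten `how_to_implement` line drops the NOTE that `Detect Critical Alerts from Security Tools` triggers on the same data and produces duplicate risk/notable events, but nothing in this hunk shows that detection being retired or changed; if it still ships, the warning should stay, or the text should say where that guidance now lives. While the line is being rewritten, fix the spelling it carries over ("specifcally" → "specifically") and the "Microsfot" in the unchanged `known_false_positives` line directly below it.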
@@ -31,66 +31,36 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $severity$ alert for $src$ - $signature$ + risk_objects: + - field: src + type: system + score: 81 + - field: user + type: user + score: 81 + threat_objects: + - field: file_name + type: file_name + - field: process + type: process_name + - field: ip_address + type: ip_address + - field: registry_key + type: registry_path + - field: url + type: url tags: analytic_story: - Critical Alerts asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 90 - message: $severity$ alert for $src$ - $signature$ mitre_attack_id: [] - observable: - - name: src - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: process - type: Process Name - role: - - Attacker - - name: ip_address - type: IP Address - role: - - Attacker - - name: registry_key - type: Registry Key - role: - - Attacker - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - entityType - - filePath - - processCommandLine - - ipAddress - - registryKey - - url - - fileName - - risk_score - - firstTime - - lastTime - - src - - severity - - annotations.mitre_attack - - signature - - user - risk_score: 81 security_domain: endpoint manual_test: We are dynamically creating the risk_score field based on the 
severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty. tests: diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml index 324d8b7573..4cae1ede0f 100644 --- a/detections/endpoint/microsoft_defender_incident_alerts.yml +++ b/detections/endpoint/microsoft_defender_incident_alerts.yml @@ -1,7 +1,7 @@ name: Microsoft Defender Incident Alerts id: 13435b55-afd8-46d4-9045-7d5457f430a5 -version: 1 -date: '2024-10-30' +version: 3 +date: '2025-01-20' author: Bryan Pluta, Bhavin Patel, Splunk status: production type: TTP 
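Review bot: `manual_test` still says "some of the fields set in the observables are empty" although this hunk removes the `observable` block and replaces it with `rba.threat_objects`; update the wording to refer to threat objects, or drop the sentence if the empty-field failure no longer applies under the new schema. Two smaller points on the new `rba` block: the `process` threat object is typed `process_name`, but the `stats` line in the hunk above fills `process` from `processCommandLine` (the full command line), so the type understates what the field holds; and since the SPL derives `risk_score` from `severity` and that value supersedes the static score, as `manual_test` itself states, the `score: 81` on both risk objects is effectively a placeholder and would benefit from a comment saying so.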
@@ -21,7 +21,7 @@ url = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "url")) | eval tmp_filtered_mv=mvfilter(json_extract(tmp_filtered_mv, "entityType") = "File"), fileName = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "fileName")) | eval risk_score=case(severity="informational", 5, severity="low", 15, severity="medium", 25, severity="high", 50, true(), 2) | stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `microsoft_defender_incident_alerts_filter`' -how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsfot Security. This add-on will collect alerts using the ms365:defender:incident:alerts sourcetype. You will need to define the `ms365_defender_incident_alerts` macro to point to the proper index that contains the ms365:defender:incident:alerts sourcetype. **NOTE** - We also have a detection named `Detect Critical Alerts from Security Tools` that triggers on the same data and is written against the Alerts datamodel. Enabling both of these detections will result in duplicate risk/notable events, we recommend enabling only one of these detections. +how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsfot Security. This add-on will collect alerts using the ms365:defender:incident:alerts sourcetype. 
You will need to define the `ms365_defender_incident_alerts` macro to point to the proper index that contains the ms365:defender:incident:alerts sourcetype. known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment. references: - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide 
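Review bot: the `+` line removes the NOTE about `Detect Critical Alerts from Security Tools` firing on the same data and causing duplicate risk/notable events, and the hunk gives no sign that the other detection was removed; keep the warning unless it was. The line also carries over two typos ("specifcally", "Microsfot Security"), and the unchanged `known_false_positives` line has "Microsfot Defender"; worth fixing all three while the line is being edited.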
@@ -37,66 +37,36 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $severity$ alert for $dest$ - $signature$ + risk_objects: + - field: dest + type: system + score: 81 + - field: user + type: user + score: 81 + threat_objects: + - field: file_name + type: file_name + - field: process + type: process_name + - field: ip_address + type: ip_address + - field: registry_key + type: registry_path + - field: url + type: url tags: analytic_story: - Critical Alerts asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 90 - message: $severity$ alert for $dest$ - $signature$ mitre_attack_id: [] - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: process - type: Process Name - role: - - Attacker - - name: ip_address - type: IP Address - role: - - Attacker - - name: registry_key - type: Registry Key - role: - - Attacker - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - entityType - - filePath - - processCommandLine - - ipAddress - - registryKey - - url - - fileName - - risk_score - - firstTime - - lastTime - - src - - severity - - annotations.mitre_attack.mitre_technique_id - - signature - - user - risk_score: 81 security_domain: endpoint manual_test: We are dynamically creating the 
risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty. tests: diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml index 6f353879fa..5a6def368f 100644 --- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml +++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml 
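Review bot: `manual_test` still refers to "the fields set in the observables", but this hunk deletes the `observable` block in favour of `rba.threat_objects`; reword it so the reason for the manual-test flag matches the new schema. Also note that the removed `required_fields` listed `src` while the search groups by `dest` and the drilldowns use `$dest$`/`$user$`; the new `risk_objects` correctly use `dest` and `user`, so this hunk quietly fixes that mismatch and the commit message could say so. As with the ATP alerts detection, the `process` threat object typed `process_name` actually carries `processCommandLine`, and the static `score: 81` is overridden by the severity-derived `risk_score` computed in the SPL.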
@@ -1,18 +1,39 @@ name: Mimikatz PassTheTicket CommandLine Parameters id: 13bbd574-83ac-11ec-99d4-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of Mimikatz command line parameters associated with pass-the-ticket attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns related to Kerberos ticket manipulation. This activity is significant because pass-the-ticket attacks allow adversaries to move laterally within an environment using stolen Kerberos tickets, bypassing normal access controls. If confirmed malicious, this could enable attackers to escalate privileges, access sensitive information, and maintain persistence within the network. +description: The following analytic detects the use of Mimikatz command line parameters + associated with pass-the-ticket attacks. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific command-line patterns related to + Kerberos ticket manipulation. This activity is significant because pass-the-ticket + attacks allow adversaries to move laterally within an environment using stolen Kerberos + tickets, bypassing normal access controls. If confirmed malicious, this could enable + attackers to escalate privileges, access sensitive information, and maintain persistence + within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*sekurlsa::tickets /export*" OR Processes.process = "*kerberos::ptt*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*sekurlsa::tickets + /export*" OR Processes.process = "*kerberos::ptt*") by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although highly unlikely, legitimate applications may use the + same command line parameters as Mimikatz. references: - https://github.com/gentilkiwi/mimikatz - https://attack.mitre.org/techniques/T1550/003/ 
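Review bot: the reflow puts a line break inside the quoted SPL pattern (`"*sekurlsa::tickets` at the end of one line, `/export*"` at the start of the next). In a single-quoted YAML scalar the fold collapses to one space, so the loaded pattern is still `*sekurlsa::tickets /export*` and behaviour is unchanged, but splitting a wildcard match string across lines makes it easy to gain or lose that single space on a later edit without anyone noticing; suggest keeping each quoted pattern on one line even if the rest of the scalar is folded.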
@@ -22,9 +43,27 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Mimikatz command line parameters for pass the ticket attacks were used + on $dest$ + risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Sandworm Tools 
@@ -32,44 +71,18 @@ tags: - CISA AA22-320A - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 60 - impact: 60 - message: Mimikatz command line parameters for pass the ticket attacks were used on $dest$ mitre_attack_id: - T1550 - T1550.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index 5fc4f7cb38..a3e11e7507 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml 
@@ -1,18 +1,49 @@ name: Mmc LOLBAS Execution Process Spawn id: f6601940-4c74-11ec-b9b7-3e22fbd008af -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `mmc.exe` is the parent process. This activity is significant because adversaries can abuse the DCOM protocol and MMC20 COM object to execute malicious code, using Windows native binaries documented by the LOLBAS project. If confirmed malicious, this behavior could indicate lateral movement, allowing attackers to execute code remotely, potentially leading to further compromise and persistence within the environment. +description: The following analytic identifies `mmc.exe` spawning a LOLBAS execution + process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process creation events where `mmc.exe` is the parent process. This activity + is significant because adversaries can abuse the DCOM protocol and MMC20 COM object + to execute malicious code, using Windows native binaries documented by the LOLBAS + project. If confirmed malicious, this behavior could indicate lateral movement, + allowing attackers to execute code remotely, potentially leading to further compromise + and persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may trigger this behavior, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) + (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", + "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", + "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", + "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", + "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", + "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", + "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", + "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", + "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", + "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", + "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate applications may trigger this behavior, filter as + needed. references: - https://attack.mitre.org/techniques/T1021/003/ - https://www.cybereason.com/blog/dcom-lateral-movement-techniques 
@@ -23,48 +54,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Mmc.exe spawned a LOLBAS process on $dest$. + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land asset_type: Endpoint - confidence: 60 - impact: 90 - message: Mmc.exe spawned a LOLBAS process on $dest$. 
mitre_attack_id: - T1021 - T1021.003 - T1218.014 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml index 78e25a989f..e51be7f390 100644 --- a/detections/endpoint/modification_of_wallpaper.yml +++ b/detections/endpoint/modification_of_wallpaper.yml 
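Review bot: `threat_objects: []` leaves the risk event with no attacker-side entity even though the whole point of this detection is which LOLBAS binary `mmc.exe` spawned; `process_name` is already in the search's `by` clause, so a `process_name` threat object (the same pattern the Mimikatz detection in this diff uses with `parent_process_name`) would cost nothing and make the risk event far more useful in Enterprise Security. On the removal side, the old `required_fields` listed fields the search never produced (`original_file_name`, `process_path`, `parent_process_path`), so dropping that block also removes a stale dependency.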
@@ -1,15 +1,31 @@ name: Modification Of Wallpaper id: accb0712-c381-11eb-8e5b-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the modification of registry keys related to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify changes to the "Control Panel\\Desktop\\Wallpaper" and "Control Panel\\Desktop\\WallpaperStyle" registry keys, especially when the modifying process is not explorer.exe or involves suspicious file paths like temp or public directories. This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note. If confirmed malicious, this could signify a compromised machine and the presence of ransomware, leading to potential data encryption and extortion. +description: The following analytic detects the modification of registry keys related + to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify + changes to the "Control Panel\\Desktop\\Wallpaper" and "Control Panel\\Desktop\\WallpaperStyle" + registry keys, especially when the modifying process is not explorer.exe or involves + suspicious file paths like temp or public directories. This activity is significant + as it can indicate ransomware behavior, such as the REVIL ransomware, which changes + the wallpaper to display a ransom note. If confirmed malicious, this could signify + a compromised machine and the presence of ransomware, leading to potential data + encryption and extortion. 
data_source: - Sysmon EventID 13 -search: '`sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") OR (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control + Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") OR (TargetObject + IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") + AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) | stats count min(_time) as + firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer + process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Image, TargetObject registry key, registry Details from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: 3rd party tool may used to changed the wallpaper of the machine references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ 
@@ -21,9 +37,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wallpaper modification on $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -34,35 +62,17 @@ tags: - LockBit Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 90 - impact: 60 - message: Wallpaper modification on $dest$ mitre_attack_id: - T1491 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Image - - TargetObject - - Details - - dest - - process_guid - - process_id - - user_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index eb0eb14dc1..247e54e6b3 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml 
@@ -1,17 +1,39 @@ name: Modify ACL permission To Files Or Folder id: 7e8458cc-acca-11eb-9e3f-acde48001122 -version: 5 -date: '2024-12-06' +version: 6 +date: '2024-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise. +description: The following analytic detects the modification of ACL permissions to + files or folders, making them accessible to everyone or to system account. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on processes like + "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments. + This activity is significant as it may indicate an adversary attempting to evade + ACLs or access protected files. If confirmed malicious, this could allow unauthorized + access to sensitive data, potentially leading to data breaches or further system + compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe") AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe" + OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe") + AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process + = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name + Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrators may use this command. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 
@@ -21,41 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious ACL permission modification on $dest$ + risk_objects: + - field: dest + type: system + score: 32 + threat_objects: [] tags: analytic_story: + - Crypto Stealer - XMRig - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 80 - impact: 40 - message: Suspicious ACL permission modification on $dest$ mitre_attack_id: - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.process - - Processes.process_id - risk_score: 32 security_domain: endpoint tests: - name: 
True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index 7bf15e10d3..bc0d9747d8 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml 
@@ -5,15 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP -description: The following analytic detects modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system. +description: The following analytic detects modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. + It leverages data from the Endpoint.Registry data model, focusing on events where + the registry path is modified. This activity is significant because attackers can + exploit this registry key to load arbitrary .dll files, which will execute with + elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, + this could allow attackers to maintain persistence, execute code with high privileges, + and potentially compromise the entire system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") - BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `monitor_registry_keys_for_print_monitors_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND + Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -27,43 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: New print monitor added on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Suspicious Windows Registry Activities - Windows Persistence Techniques - Windows Registry Abuse asset_type: Endpoint - confidence: 80 - impact: 80 - message: New print monitor added on $dest$ mitre_attack_id: - T1547.010 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 64 security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml index 92d9a4dd6b..c37a366f9a 100644 --- a/detections/endpoint/moveit_certificate_store_access_failure.yml +++ b/detections/endpoint/moveit_certificate_store_access_failure.yml 
@@ -1,45 +1,45 @@ name: MOVEit Certificate Store Access Failure id: d61292d5-46e4-49ea-b23b-8049ea70b525 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-13' author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity. -search: '`moveit_sftp_logs` "IpWorksKeyService: Caught exception of type IPWorksSSHException: The certificate store could not be opened"| stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_certificate_store_access_failure_filter`' -how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment. -known_false_positives: False positives may occur, therefore utilize the analytic as a jump off point to identifiy potential certificate store errors. +description: This detection identifies potential exploitation attempts of the CVE-2024-5806 + vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures + to access the certificate store, which can occur when an attacker attempts to exploit + the authentication bypass vulnerability. This behavior is a key indicator of attempts + to impersonate valid users without proper credentials. 
While certificate store access + failures can occur during normal operations, an unusual increase in such events, + especially from unexpected sources, may indicate malicious activity. +search: '`moveit_sftp_logs` "IpWorksKeyService: Caught exception of type IPWorksSSHException: + The certificate store could not be opened"| stats count by source _raw | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `moveit_certificate_store_access_failure_filter`' +how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is + no TA available for MOVEit. Modify the analytic as needed to match the log format + of your environment. +known_false_positives: False positives may occur, therefore utilize the analytic as + a jump off point to identifiy potential certificate store errors. references: - https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/ tags: analytic_story: - MOVEit Transfer Authentication Bypass asset_type: Web Server - confidence: 30 - impact: 30 - message: Potential exploitation of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer, causing certificate store access failure on $source$. mitre_attack_id: - T1190 - observable: - - name: source - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - source - - _raw - risk_score: 9 security_domain: endpoint cve: - CVE-2024-5806 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log sourcetype: sftp_server_logs source: sftp_server_logs 
diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml index d4e208c985..9c09f92946 100644 --- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml +++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml 
@@ -1,45 +1,47 @@ name: MOVEit Empty Key Fingerprint Authentication Attempt id: 1a537acc-199f-4713-b5d7-3d98c05ab932 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-13' author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability. -search: '`moveit_sftp_logs` "UserAuthRequestHandler: SftpPublicKeyAuthenticator: Attempted to authenticate empty public key fingerprint" | stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_empty_key_fingerprint_authentication_attempt_filter`' -how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment. -known_false_positives: False positives may occur, therefore utilize the analytic as a jump off point to identify potential empty key fingerprint authentication attempts. +description: This detection identifies attempts to authenticate with an empty public + key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential + exploitation of the CVE-2024-5806 vulnerability. 
Such attempts are characteristic + of the authentication bypass technique used in this vulnerability, where attackers + try to impersonate valid users without providing proper credentials. While occasional + empty key fingerprint authentication attempts might occur due to misconfigurations, + a sudden increase or attempts from unexpected sources could signify malicious activity. + This analytic helps security teams identify and investigate potential exploitation + attempts of the MOVEit Transfer authentication bypass vulnerability. +search: '`moveit_sftp_logs` "UserAuthRequestHandler: SftpPublicKeyAuthenticator: Attempted + to authenticate empty public key fingerprint" | stats count by source _raw | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `moveit_empty_key_fingerprint_authentication_attempt_filter`' +how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is + no TA available for MOVEit. Modify the analytic as needed to match the log format + of your environment. +known_false_positives: False positives may occur, therefore utilize the analytic as + a jump off point to identify potential empty key fingerprint authentication attempts. references: - https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/ tags: analytic_story: - MOVEit Transfer Authentication Bypass asset_type: Web Server - confidence: 30 - impact: 30 - message: Potential exploitation of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer, causing empty key fingerprint authentication attempts via $source$. 
mitre_attack_id: - T1190 - observable: - - name: source - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - source - - _raw - risk_score: 9 security_domain: endpoint cve: - CVE-2024-5806 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log sourcetype: sftp_server_logs source: sftp_server_logs diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml index f69f8a4952..df154acdcd 100644 --- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml +++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml 
@@ -1,60 +1,67 @@ name: MS Exchange Mailbox Replication service writing Active Server Pages id: 985f322c-57a5-11ec-b9ac-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise. +description: The following analytic identifies the creation of suspicious .aspx files + in specific directories associated with Exchange exploitation by the HAFNIUM group + and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe + process, which typically does not write .aspx files. This behavior is significant + as it may indicate an active exploitation attempt on Exchange servers. If confirmed + malicious, attackers could gain unauthorized access, execute arbitrary code, or + maintain persistence within the environment. Immediate investigation and remediation + are crucial to prevent further compromise. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h + Processes.process_id Processes.process_name Processes.process_guid Processes.dest + | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` + count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", + "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest + Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` + | fields _time dest file_create_time file_name file_path process_name process_path + process process_guid] | dedup file_create_time | table dest file_create_time, file_name, + file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` + node. +known_false_positives: The query is structured in a way that `action` (read, create) + is not defined. Review the results of this query, filter, and tune as necessary. + It may be necessary to generate this query specific to your endpoint product. references: - https://redcanary.com/blog/blackbyte-ransomware/ +rba: + message: A file - $file_name$ was written to disk that is related to IIS exploitation + related to ProxyShell. Review further file modifications on endpoint $dest$ by + user $user$. 
+ risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - ProxyShell - Ransomware - BlackByte Ransomware asset_type: Endpoint - confidence: 90 - impact: 90 - message: A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$. mitre_attack_id: - T1505 - T1505.003 - T1190 - T1133 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_hash - - Filesystem.user - - Filesystem.process_guid - - Processes.process_name - - Processes.process_id - - Processes.process_name - - Processes.process_guid - risk_score: 81 security_domain: endpoint diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index 4857190da7..f6c51367ef 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml 
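Review bot: the new `rba` block declares `user` as a risk object (score 81) and the message interpolates `$user$`, but nothing in this search produces a `user` field: neither tstats clause groups by `Filesystem.user` or `Processes.user`, and the closing `table dest file_create_time, file_name, file_path, process_name` discards everything else. (The removed `required_fields` listed `Filesystem.user`, but it was never in a `by` clause either.) Either add `Filesystem.user` to the inner `by` clause and to the `table`, or drop the `user` risk object and the `$user$` reference so the risk event is not emitted against an empty entity. Separately, `data_source: - Sysmon EventID 1 AND Sysmon EventID 11` is one list item containing the word AND; every other detection in this diff lists each data source as its own item, so split it into two.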
@@ -1,16 +1,30 @@ name: MS Scripting Process Loading Ldap Module id: 0b0c40dc-14a6-11ec-b267-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration. +description: The following analytic detects the execution of MS scripting processes + (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, + adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. + This activity is significant as it may indicate an attempt to query LDAP for host + information, a behavior observed in FIN7 implants. If confirmed malicious, this + could allow attackers to gather detailed Active Directory information, potentially + leading to further exploitation or data exfiltration. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -known_false_positives: automation scripting language may used by network operator to do ldap query. +search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded + IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime + max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid + Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +known_false_positives: automation scripting language may used by network operator + to do ldap query. references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation - https://attack.mitre.org/groups/G0046/ 
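Review bot: `how_to_implement` and `known_false_positives` were only reflowed, but both carry text that does not match this detection and the version bump is the place to fix it. The implementation note asks for "process name, parent process, and command-line executions" and ends with "Tune and filter known instances where renamed rundll32.exe may be used", while the search only needs Sysmon EventCode 7 image-load events (`Image`, `ImageLoaded`) and never involves rundll32. And `automation scripting language may used by network operator to do ldap query` should read something like "Automation scripts run by network operators via wscript/cscript may legitimately perform LDAP queries."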
@@ -20,42 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ loading ldap modules $ImageLoaded$ on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - FIN7 asset_type: Endpoint - confidence: 30 - impact: 30 - message: $process_name$ loading ldap modules $ImageLoaded$ in $dest$ mitre_attack_id: - T1059 - T1059.007 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - EventCode - - process_name - - ProcessId - - ProcessGuid - - dest - - ImageLoaded - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index 0aa5fcf4a0..58ecca447c 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml 
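Review bot: `threat_objects: []` in the new `rba` block leaves the risk event without the indicator an analyst pivots on; the search already groups by `ImageLoaded` and `process_name`, so consider listing the loaded LDAP module (and/or the scripting host) as a threat object. The score of 9 is faithful to the removed `risk_score: 9`, and the message change from `in $dest$` to `on $dest$` reads better.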
@@ -1,16 +1,32 @@ name: MS Scripting Process Loading WMI Module id: 2eba3d36-14a6-11ec-a682-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment. +description: The following analytic detects the loading of WMI modules by Microsoft + scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode + 7 to identify instances where these scripting engines load specific WMI-related + DLLs. This activity is significant because it can indicate the presence of malware, + such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering + host information to send to a C2 server. If confirmed malicious, this behavior could + allow attackers to collect sensitive system information and maintain persistence + within the environment. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" , "*\\wmiutils.dll", "*\\wbemcomn.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -known_false_positives: automation scripting language may used by network operator to do ldap query. +search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded + IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" , + "*\\wmiutils.dll", "*\\wbemcomn.dll") | stats min(_time) as firstTime max(_time) + as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer + ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ms_scripting_process_loading_wmi_module_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +known_false_positives: automation scripting language may used by network operator + to do ldap query. 
references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation - https://attack.mitre.org/groups/G0046/ 
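Review bot: `known_false_positives` still says `to do ldap query` although this detection covers WMI DLL loads (copy-paste from the LDAP analytic); it should describe legitimate WMI use from wscript/cscript, e.g. "Administrative automation scripts run via wscript/cscript may legitimately load WMI modules." The same `how_to_implement` mismatch applies here: it asks for parent process and command-line data and mentions renamed rundll32.exe, but the search only needs Sysmon EventCode 7 with `Image` and `ImageLoaded`. Minor: the stray space in `"*\\wbemsvc.dll" ,` is harmless in SPL but worth tidying while the line is being reflowed.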
@@ -20,42 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ loading wmi modules $ImageLoaded$ on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - FIN7 asset_type: Endpoint - confidence: 30 - impact: 30 - message: $process_name$ loading wmi modules $ImageLoaded$ in $dest$ mitre_attack_id: - T1059 - T1059.007 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - EventCode - - process_name - - ProcessId - - ProcessGuid - - dest - - ImageLoaded - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml index 2fe2f15916..05fa46f331 100644 --- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml +++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml 
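Review bot: as with the LDAP analytic, the new `rba` block has `threat_objects: []` even though the search outputs `ImageLoaded` and `process_name`; adding the loaded WMI module as a threat object would make the risk event self-describing. Nothing is lost by dropping `required_fields`: `dest` in that list was only ever produced by `rename Computer as dest`, which is still in the search.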
@@ -1,18 +1,41 @@ name: MSBuild Suspicious Spawned By Script Process id: 213b3148-24ea-11ec-93a2-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is often associated with malware or adversaries executing malicious MSBuild processes via scripts on compromised hosts. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where MSBuild is a child of script hosts. This activity is significant as it may indicate an attempt to execute malicious code. If confirmed malicious, it could lead to unauthorized code execution, potentially compromising the host and allowing further malicious activities. +description: The following analytic detects the suspicious spawning of MSBuild.exe + by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is + often associated with malware or adversaries executing malicious MSBuild processes + via scripts on compromised hosts. The detection leverages Endpoint Detection and + Response (EDR) telemetry, focusing on process creation events where MSBuild is a + child of script hosts. This activity is significant as it may indicate an attempt + to execute malicious code. If confirmed malicious, it could lead to unauthorized + code execution, potentially compromising the host and allowing further malicious + activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("wscript.exe", "cscript.exe") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as developers do not spawn MSBuild via a WSH. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN ("wscript.exe", "cscript.exe") AND `process_msbuild` by Processes.dest Processes.parent_process + Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as developers do not spawn + MSBuild via a WSH. references: - https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/ drilldown_searches: 
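Review bot: in the reflowed search, `values(Processes.process_name) as process_name` is aggregated while `Processes.process_name` is also a split-by field; after `drop_dm_object_name(Processes)` both become `process_name`, so one silently overwrites the other. Drop the `values(...)` aggregation for process_name (keep `values(Processes.process) as process`, since `process` is not in the `by` clause). The rest of the hunk is a faithful reflow.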
@@ -21,45 +44,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed + by $user$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Trusted Developer Utilities Proxy Execution MSBuild asset_type: Endpoint - confidence: 70 - impact: 70 - message: Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$ mitre_attack_id: - T1127.001 - T1127 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - 
Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - Processes.original_file_name - - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml index 9962d69728..1d9de05366 100644 --- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml +++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml 
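Review bot: the test dataset for this MSBuild detection is `.../T1127.001/regsvr32_silent/sysmon.log`; the path suggests a regsvr32 sample rather than MSBuild spawned by wscript/cscript, so please confirm it actually contains a WSH -> MSBuild.exe process creation that satisfies `process_msbuild`, otherwise the True Positive Test will not exercise this search. Also `threat_objects: []`: the search exposes `parent_process_name` and `process`, and listing the MSBuild command line (`process`) as a threat object would carry the project file reference into the risk event.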
@@ -1,18 +1,38 @@ name: Mshta spawning Rundll32 OR Regsvr32 Process id: 4aa5d062-e893-11eb-9eb2-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious mshta.exe process spawning rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, and parent process fields. This activity is significant as it is a known technique used by malware like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or download additional malware, posing a severe threat to the environment. +description: The following analytic detects a suspicious mshta.exe process spawning + rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process GUID, process name, and parent process + fields. This activity is significant as it is a known technique used by malware + like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, escalate privileges, + or download additional malware, posing a severe threat to the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: limitted. this anomaly behavior is not commonly seen in clean host. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: limitted. this anomaly behavior is not commonly seen in clean + host. references: - https://twitter.com/cyb3rops/status/1416050325870587910?s=21 drilldown_searches: 
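Review bot: readability of the (reflowed, otherwise unchanged) filter `Processes.parent_process_name = "mshta.exe" `process_rundll32` OR `process_regsvr32``: this works only because SPL evaluates OR before the implicit AND, which is the opposite of most languages and will make reviewers suspect that every regsvr32 execution matches regardless of parent. Wrap the macros explicitly: `Processes.parent_process_name = "mshta.exe" (`process_rundll32` OR `process_regsvr32`)`. Since the version is being bumped anyway, also fix `known_false_positives`: `limitted. this anomaly behavior is not commonly seen in clean host.` -> "Limited. This behavior is not commonly seen on clean hosts."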
@@ -21,52 +41,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a mshta parent process $parent_process_name$ spawn child process $process_name$ + in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Trickbot - IcedID - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$ mitre_attack_id: - T1218 - T1218.005 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - 
Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml index b9f668e0df..22fa5c3e01 100644 --- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml +++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml 
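Review bot: the rba `message` keeps the ungrammatical text from the old `tags.message` (`a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$`); since it is being moved anyway, reword to something like `mshta.exe ($parent_process_name$) spawned $process_name$ on host $dest$`. `threat_objects: []` is also a missed opportunity here: `process_name`, `process` and `parent_process` are all in the search output and `process_name` is the natural threat object. The removed `required_fields` listed `Processes.parent_process_path`, `Processes.process_path` and `Processes.parent_process_id`, none of which the search uses, so dropping that block loses nothing.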
@@ -1,16 +1,28 @@ name: MSI Module Loaded by Non-System Binary id: ccb98a66-5851-11ec-b91c-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment. +description: The following analytic detects the loading of `msi.dll` by a binary not + located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified + using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system + paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 + or DLL side-loading attacks, both of which can lead to unauthorized system modifications. + If confirmed malicious, this could allow an attacker to execute arbitrary code, + escalate privileges, or persist within the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed. +search: '`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", + "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by + Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: It is possible some Administrative utilities will load msi.dll + outside of normal system paths, filter as needed. references: - https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis - https://github.com/AlexandrVIvanov/InstallerFileTakeOver 
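Review bot: the exclusion `NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*"))` is broader than the description states: `*\\windows\\*` already subsumes the other three patterns when the OS lives under C:\Windows, and it also excludes any binary under a directory named `windows` anywhere on disk (for example inside a user profile). Consider anchoring the patterns to the system root (e.g. `C:\\Windows\\*`) so the description ("not located in system32, syswow64, winsxs, or windows directories") and the search agree, and keep the `winsxs`/`syswow64` patterns only if you intend to cover non-default system drive letters.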
@@ -21,40 +33,20 @@ tags: - Hermetic Wiper - Windows Privilege Escalation asset_type: Endpoint - confidence: 70 cve: - CVE-2021-41379 - impact: 80 - message: The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $dest$, potentally related to DLL side-loading. mitre_attack_id: - T1574.002 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - ProcessId - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml index 8b7744f9af..c6a910d2c8 100644 --- a/detections/endpoint/msmpeng_application_dll_side_loading.yml +++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml 
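Review bot: this hunk removes `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` without adding an `rba` block, unlike every TTP/Anomaly file in this change; for `type: Hunting` that is presumably intended (hunting searches do not generate risk), but please confirm the schema treats `rba` as optional for Hunting so `contentctl validate` does not reject the file. Nothing of value is lost: the removed message carried the typo `potentally`, and the `cve` annotation for CVE-2021-41379 stays.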
@@ -1,17 +1,31 @@ name: Msmpeng Application DLL Side Loading id: 8bb3f280-dd9b-11eb-84d5-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk, Sanjay Govind status: production type: TTP -description: The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion. +description: The following analytic detects the suspicious creation of msmpeng.exe + or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem + datamodel to identify instances where these files are created outside their expected + directories. This activity is significant because it is associated with the REvil + ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed + malicious, this could lead to ransomware deployment, resulting in data encryption, + system compromise, and potential data loss or extortion. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND NOT (Filesystem.file_path IN ("*\\Program Files\\windows defender\\*","*\\WinSxS\\*defender-service*","*\\WinSxS\\Temp\\*defender-service*")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +search: '|tstats `security_content_summariesonly` values(Filesystem.file_path) as + file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem + where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND + NOT (Filesystem.file_path IN ("*\\Program Files\\windows defender\\*","*\\WinSxS\\*defender-service*","*\\WinSxS\\Temp\\*defender-service*")) + by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
known_false_positives: quite minimal false positive expected. references: - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers 
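Review bot: `data_source` in this hunk lists Sysmon EventID 1, Windows Security 4688 and CrowdStrike ProcessRollup2, all process-creation sources, but the search reads `datamodel=Endpoint.Filesystem` and groups by `Filesystem.file_create_time`, which is file-creation telemetry (Sysmon EventID 11 for the Sysmon test dataset referenced below); the list should name the file-event source, otherwise the detection is advertised as supported by sources that cannot feed it. The reflowed `how_to_implement` line also keeps the garbled wording "information on process that include the name of the Filesystem responsible for the changes"; since the line was rewritten anyway, it should say that file create events carrying file_name, file_path, user and process_id must be mapped into the `Filesystem` node.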
@@ -21,41 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows + defender folder on host - $dest$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware - Revil Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$ mitre_attack_id: - T1574.002 - T1574 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - risk_score: 
25.0 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml index a3e9a90f2d..6a048385da 100644 --- a/detections/endpoint/net_profiler_uac_bypass.yml +++ b/detections/endpoint/net_profiler_uac_bypass.yml 
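Review bot: in the new `rba` block of the Msmpeng hunk above, the only risk object is `user` (score 25), while the message reports the host (`$dest$`) and the search groups by `Filesystem.dest`; this mirrors the removed `observable` entry, but a file dropped to masquerade as Windows Defender is a host-scoped finding, so a second `risk_objects` entry with `field: dest` and `type: system` would let the risk be attributed to the endpoint as well. `threat_objects` is left empty although `file_path` is returned by the search and is the natural threat object for a side-loading drop.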
@@ -1,16 +1,31 @@ name: NET Profiler UAC bypass id: 0252ca80-e30d-11eb-8aa3-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity. +description: The following analytic detects modifications to the registry aimed at + bypassing the User Account Control (UAC) feature in Windows. It identifies changes + to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious + DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, + focusing on specific registry paths and values. Monitoring this activity is crucial + as it can indicate an attempt to escalate privileges or persist within the environment. + If confirmed malicious, this could allow an attacker to execute arbitrary code with + elevated privileges, compromising system integrity. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\Environment\\COR_PROFILER_PATH" Registry.registry_value_data = "*.dll" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: limited false positive. It may trigger by some windows update that will modify this registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\Environment\\COR_PROFILER_PATH" + Registry.registry_value_data = "*.dll" by Registry.registry_path Registry.registry_key_name + Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: limited false positive. It may trigger by some windows update + that will modify this registry. 
references: - https://offsec.almond.consulting/UAC-bypass-dotnet.html drilldown_searches: 
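Review bot: the search matches `registry_path` ending exactly in `\Environment\COR_PROFILER_PATH`; the .NET Framework also reads `COR_PROFILER_PATH_32` and `COR_PROFILER_PATH_64`, which this pattern (no trailing wildcard) does not match, so `"*\\Environment\\COR_PROFILER_PATH*"` would cover all three variants. `data_source` is Sysmon EventID 13 only, yet `how_to_implement` asks for "the name of the process responsible for the changes" and the `by` clause never emits a process field; either add `Registry.process_id` to the output or drop that sentence. The `known_false_positives` text "It may trigger by some windows update that will modify this registry" was reflowed without fixing the grammar; "It may be triggered by a Windows update that modifies this registry value" reads correctly.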
@@ -19,39 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious modification of registry $registry_path$ with possible payload + path $registry_path$ and key $registry_key_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ in $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - 
Registry.registry_value_name - - Registry.dest - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml index 848beeb1af..0d917ab5f9 100644 --- a/detections/endpoint/network_connection_discovery_with_arp.yml +++ b/detections/endpoint/network_connection_discovery_with_arp.yml 
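Review bot: the rba `message` in the NET Profiler hunk above interpolates `$registry_path$` twice ("registry $registry_path$ with possible payload path $registry_path$"), carrying over the copy error from the removed `message:` line; the payload path is the DLL in `registry_value_data`, which the search already returns, so the second placeholder should be `$registry_value_data$`. The `dest`/`system` risk object with score 63 is consistent with the removed confidence 90 and impact 70.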
@@ -1,17 +1,37 @@ name: Network Connection Discovery With Arp id: ae008c0f-83bd-4ed4-9350-98d4328e15d2 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks. +description: The following analytic detects the execution of `arp.exe` with the `-a` + flag, which is used to list network connections on a compromised system. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names, command-line executions, and related telemetry. Monitoring this activity + is significant because both Red Teams and adversaries use `arp.exe` for situational + awareness and Active Directory discovery. If confirmed malicious, this activity + could allow attackers to map the network, identify active devices, and plan further + lateral movement or attacks. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe") + (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `network_connection_discovery_with_arp_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ @@ -26,37 +46,17 @@ tags: - Volt Typhoon - IcedID asset_type: Endpoint - confidence: 50 - impact: 30 - message: Network Connection discovery on $dest$ by $user$ mitre_attack_id: - T1049 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
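Review bot: the description in the first hunk states that `arp -a` is "used to list network connections"; it prints the ARP cache (IP-to-MAC mappings of recently contacted neighbours), not connections, and arp has nothing to do with "Active Directory discovery", so the wording should describe it as enumerating hosts recently reached on the local segment, and the `T1049` mapping kept in the tags hunk should be checked against that corrected description. `Processes.process=*-a*` is unanchored and, under the `process_name="arp.exe"` constraint, also matches any argument containing `-a`, for example a MAC address such as `00-aa-...` in an `arp -s` invocation; worth a line in `known_false_positives` for a hunting search.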
diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml index 41e5e1a4cd..1422b94323 100644 --- a/detections/endpoint/network_connection_discovery_with_netstat.yml +++ b/detections/endpoint/network_connection_discovery_with_netstat.yml 
@@ -1,17 +1,36 @@ name: Network Connection Discovery With Netstat id: 2cf5cc25-f39a-436d-a790-4857e5995ede -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `netstat.exe` with command-line arguments to list network connections on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as both Red Teams and adversaries use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map network connections, identify critical systems, and plan further lateral movement or data exfiltration. +description: The following analytic detects the execution of `netstat.exe` with command-line + arguments to list network connections on a system. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, command-line executions, + and parent processes. This activity is significant as both Red Teams and adversaries + use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed + malicious, this behavior could allow attackers to map network connections, identify + critical systems, and plan further lateral movement or data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe") + (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `network_connection_discovery_with_netstat_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ @@ -27,37 +46,17 @@ tags: - CISA AA23-347A - PlugX asset_type: Endpoint - confidence: 50 - impact: 30 - message: Network Connection discovery on $dest$ by $user$ mitre_attack_id: - T1049 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
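Review bot: the netstat search only keeps executions whose command line contains `-a`; discovery invocations such as `netstat -n`, `netstat -o`, `netstat -b` or `netstat -r` are not returned, and since this is a Hunting analytic with no risk scoring, widening the filter (or dropping it and letting the analyst triage on `process`) costs little. The description's "Active Directory discovery" does not describe what netstat provides; it lists listening ports and active TCP/UDP sessions, which is the situational-awareness use the T1049 mapping in the tags hunk already captures.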
diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml index f603950937..cf9e62d47b 100644 --- a/detections/endpoint/network_discovery_using_route_windows_app.yml +++ b/detections/endpoint/network_discovery_using_route_windows_app.yml 
@@ -1,18 +1,39 @@ name: Network Discovery Using Route Windows App id: dd83407e-439f-11ec-ab8e-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts. +description: The following analytic detects the execution of the `route.exe` Windows + application, commonly used for network discovery. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process creation events. This activity + is significant because adversaries often use `route.exe` to map network routes and + identify potential targets within a network. If confirmed malicious, this behavior + could allow attackers to gain insights into network topology, facilitating lateral + movement and further exploitation. Note that false positives may occur due to legitimate + administrative tasks or automated scripts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest + Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an + automated host discovery application that may generate false positives or an amazon + ec2 script that uses this application. Filter as needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ tags: 
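Review bot: the search filters only on the `process_route` macro (not part of this diff) with no command-line constraint, so `route print` (discovery, matching the T1016 mapping in the tags hunk), `route add` and `route delete` (modification of the host routing table, a different behaviour) are all returned together; split on `Processes.process`, or at least state in `known_false_positives` that routing-table changes by provisioning scripts (the "amazon ec2 script" already mentioned) are expected alongside discovery. The `by` clause includes `Processes.parent_process_name`, while the arp and netstat searches in this same change omit it; keeping the field set consistent across the three discovery hunts makes them easier to correlate.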
@@ -23,36 +44,18 @@ tags: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: Network Connection discovery on $dest$ by $user$ mitre_attack_id: - T1016 - T1016.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml index 36665cccf4..a087016641 100644 --- a/detections/endpoint/network_share_discovery_via_dir_command.yml +++ b/detections/endpoint/network_share_discovery_via_dir_command.yml 
@@ -1,16 +1,31 @@ name: Network Share Discovery Via Dir Command id: dc1457d0-1d9b-422e-b5a7-db46c184d9aa -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Windows Event Log Security 5140 -description: The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches. -search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -known_false_positives: System Administrators may use looks like net.exe or "dir commandline" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. 
+description: The following analytic detects access to Windows administrative SMB shares + (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event + Logs with EventCode 5140 to identify this activity. This behavior is significant + as it is commonly used by tools like PsExec/PaExec for staging binaries before creating + and starting services on remote endpoints, a technique often employed by adversaries + for lateral movement and remote code execution. If confirmed malicious, this activity + could allow attackers to propagate malware, such as IcedID, across the network, + leading to widespread infection and potential data breaches. +search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") + AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by + ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask + Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `network_share_discovery_via_dir_command_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also + required. Also enable the object Audit access success/failure in your group policy. +known_false_positives: System Administrators may use looks like net.exe or "dir commandline" + for troubleshooting or administrations tasks. However, this will typically come + only from certain users and certain systems that can be added to an allow list. references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ tags: 
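Review bot: the `ShareName IN(...)` list is inconsistent: the ADMIN$ and C$ patterns start with `\\\\*\\` while the IPC$ pattern starts with `*\\\\*\\`; this looks like a typo and should match the other two. Only `C$` is listed, so a listing of `D$` or any other drive admin share is not captured. Event 5140 records the share access and the `AccessMask` (0x1 is ReadData/ListDirectory), not the command that caused it, so "using the 'dir' command" in the description and title claims more than the log can show; what is actually detected is a read or directory listing of an administrative share. The `known_false_positives` line keeps the garbled "may use looks like net.exe or "dir commandline"" after reflow; it should read "may use net.exe or the dir command line".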
@@ -19,35 +34,17 @@ tags: asset_type: Endpoint atomic_guid: - 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 - confidence: 50 - impact: 50 - message: $user$ list executable files or directory in known sensitive SMB share. Share name=$ShareName$, Access mask=$AccessMask$ mitre_attack_id: - T1135 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - ShareName - - IpAddress - - ObjectType - - SubjectUserName - - SubjectDomainName - - IpPort - - AccessMask - - Computer security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml index feb85ebb05..5a05f52cd4 100644 --- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml +++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml 
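Review bot: the removed `confidence`, `impact`, `message`, `observable` and `risk_score` are not replaced by an `rba:` block here, whereas the TTP and Anomaly detections later in this patch get one; for a `type: Hunting` search that looks intentional, but it should be stated in the PR description so that dropping the `message` (which carried the $ShareName$ and $AccessMask$ context) is recorded as a deliberate choice rather than an omission.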
@@ -1,16 +1,34 @@ name: Network Traffic to Active Directory Web Services Protocol id: 68a0056c-34cb-455f-b03d-df935ea62c4f -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting data_source: - Sysmon EventID 3 -description: The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment. -search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `network_traffic_to_active_directory_web_services_protocol_filter`' -how_to_implement: The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. 
Filter by App or dest_ip to AD servers and remove known proceses querying ADWS. +description: The following analytic identifies network traffic directed to the Active + Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic + logs, focusing on source and destination IP addresses, application names, and destination + ports. This activity is significant as ADWS is used to manage Active Directory, + and unauthorized access could indicate malicious intent. If confirmed malicious, + an attacker could manipulate Active Directory, potentially leading to privilege + escalation, unauthorized access, or persistent control over the environment. +search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 + by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` + | `network_traffic_to_active_directory_web_services_protocol_filter`' +how_to_implement: The detection is based on data that originates from network traffic + logs. The logs must contain the source and destination IP addresses, the application + name, and the destination port. The logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the network traffic data source. + The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk + Common Information Model (CIM) to normalize the field names and speed up the data + modeling process. +known_false_positives: False positives should be limited as the destination port is + specific to Active Directory Web Services Protocol, however we recommend utilizing + this analytic to hunt for non-standard processes querying the ADWS port. Filter + by App or dest_ip to AD servers and remove known proceses querying ADWS. references: - https://github.com/FalconForceTeam/SOAPHound tags: 
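Review bot: the rewrapped `search` calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the `tstats` only computes `count`, so `firstTime` and `lastTime` never exist and both macros are no-ops; add `min(_time) as firstTime max(_time) as lastTime` to the tstats, as the other searches in this patch do. Also `proceses` in `known_false_positives` should read `processes`.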
@@ -18,9 +36,6 @@ tags: - Windows Discovery Techniques asset_type: Network atomic_guid: [] - confidence: 50 - impact: 20 - message: Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$. mitre_attack_id: - T1087.002 - T1069.001 @@ -29,30 +44,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: src_ip - type: IP Address - role: - - Attacker - - name: dest_ip - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 10 - required_fields: - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.app - - All_Traffic.user - - All_Traffic.dest_port security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml index 419a824738..3bca3b340a 100644 --- a/detections/endpoint/nishang_powershelltcponeline.yml +++ b/detections/endpoint/nishang_powershelltcponeline.yml 
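Review bot: the test dataset path `attack_techniques/T1059.001/soaphound/sysmon_soaphound.log` sits under T1059.001 while this detection's `mitre_attack_id` entries are T1087/T1069 variants; not wrong, but worth a comment in the test block so nobody "corrects" the path later. As with the other `type: Hunting` search in this patch, no `rba:` block replaces the removed `message`, `observable` and `risk_score`; confirm that is intended.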
@@ -1,18 +1,38 @@ name: Nishang PowershellTCPOneLine id: 1a382c6c-7c2e-11eb-ac69-acde48001122 -version: 5 -date: '2024-12-11' +version: 6 +date: '2024-12-16' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server. It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. This activity is significant as it indicates potential remote control or data exfiltration attempts by an attacker. If confirmed malicious, this could lead to unauthorized remote access, data theft, or further compromise of the affected system. +description: The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine + utility, which initiates a callback to a remote Command and Control (C2) server. + It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell + processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. + This activity is significant as it indicates potential remote control or data exfiltration + attempts by an attacker. If confirmed malicious, this could lead to unauthorized + remote access, data theft, or further compromise of the affected system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives may be present. Filter as needed based on initial analysis. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* + AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user + Processes.parent_process Processes.original_file_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives may be present. Filter as needed based + on initial analysis. references: - https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ 
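Review bot: minor style point in the reflowed `search`: the tail has no space before the pipes ('`security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|'), unlike every other search in this patch; since the line is being rewrapped anyway, normalise it to '... | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ...'.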
@@ -24,47 +44,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - HAFNIUM Group - Cleo File Transfer Software asset_type: Endpoint - confidence: 60 - impact: 70 - message: Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml index 4082dd1384..d62704a59b 100644 --- a/detections/endpoint/nltest_domain_trust_discovery.yml +++ b/detections/endpoint/nltest_domain_trust_discovery.yml 
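Review bot: the new `rba.score: 42` equals the removed confidence 60 × impact 70 / 100 and matches the removed `risk_score: 42`, so scoring is preserved, and `threat_objects: []` is consistent with the old `observable` list that only named `dest`. Dropping `required_fields` is also correct here: it listed `Processes.parent_process_path` and `Processes.process_path`, which the search never emits.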
@@ -1,18 +1,39 @@ name: NLTest Domain Trust Discovery id: c3e05466-5f22-11eb-ae93-0242ac130002 -version: 5 -date: '2024-12-11' +version: 6 +date: '2024-12-16' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the execution of `nltest.exe` with command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to understand domain trust relationships, which can inform their lateral movement strategies. If confirmed malicious, this activity could enable attackers to map out trusted domains, facilitating further compromise and pivoting within the network. +description: The following analytic identifies the execution of `nltest.exe` with + command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs and command-line arguments. This activity is significant + as it indicates potential reconnaissance efforts by adversaries to understand domain + trust relationships, which can inform their lateral movement strategies. If confirmed + malicious, this activity could enable attackers to map out trusted domains, facilitating + further compromise and pivoting within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may use nltest for troubleshooting purposes, otherwise, rarely used. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* + OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `nltest_domain_trust_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may use nltest for troubleshooting purposes, + otherwise, rarely used. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md - https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104 
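Review bot: the reflowed `known_false_positives` reads awkwardly ('Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.'); suggest 'Administrators may use nltest for troubleshooting; otherwise it is rarely used.'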
@@ -27,9 +48,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Domain trust discovery execution on $dest$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Ryuk Ransomware 
@@ -40,34 +73,17 @@ tags: - Rhysida Ransomware - Cleo File Transfer Software asset_type: Endpoint - confidence: 50 - impact: 30 - message: Domain trust discovery execution on $dest$ mitre_attack_id: - T1482 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 637f868354..fa4c8d036a 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml 
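Review bot: the `rba.score: 15` added in the previous hunk equals the removed confidence 50 × impact 30 / 100 and the removed `risk_score: 15`, so the migration is score-neutral; the removed `required_fields` only listed fields the search's `by` clause already emits, so nothing is lost there.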
@@ -1,16 +1,30 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system. +description: The following analytic detects a non-Chrome process accessing files in + the Chrome user default folder. It leverages Windows Security Event logs, specifically + event code 4663, to identify unauthorized access attempts. This activity is significant + because the Chrome default folder contains sensitive user data such as login credentials, + browsing history, and cookies. If confirmed malicious, this behavior could indicate + an attempt to exfiltrate sensitive information, often associated with RATs, trojans, + and advanced persistent threats like FIN7. Such access could lead to data theft + and further compromise of the affected system. 
data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: other browser not listed related to chrome may catch by this rule. +search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", + "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" + | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType + ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `non_chrome_process_accessing_chrome_default_dir_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: other browser not listed related to chrome may catch by this + rule. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
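Review bot: `version` jumps from 4 to 6 while every other detection in this patch bumps by one; if 5 was never shipped this should be 5, otherwise an intermediate change is missing from the diff. The reflowed `known_false_positives` is ungrammatical ('other browser not listed related to chrome may catch by this rule.'); suggest 'Other browsers or legitimate processes not in the exclusion list may be caught by this rule.' The `"*sql*"` entry in the `ProcessName` exclusion is also very broad (any process path containing "sql" is skipped), so consider narrowing it to the specific binaries intended.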
@@ -18,50 +32,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a non chrome browser process $ProcessName$ accessing $ObjectName$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - - Remcos - - NjRAT - - Warzone RAT + - Snake Keylogger + - CISA AA23-347A - 3CX Supply Chain Attack - - RedLine Stealer - - FIN7 - - DarkGate Malware + - Warzone RAT + - Remcos - AgentTesla - - CISA AA23-347A - Phemedrone Stealer - - Snake Keylogger + - FIN7 + - DarkGate Malware + - Nexus APT Threat Activity + - Earth Estries + - NjRAT + - RedLine Stealer asset_type: Endpoint - confidence: 70 - impact: 50 - message: a non chrome browser process $ProcessName$ accessing $ObjectName$ mitre_attack_id: - T1555 - T1555.003 - observable: - - name: dest - type: Endpoint - role: 
- - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Object_Name - - Object_Type - - process_name - - Access_Mask - - Accesses - - process_id - - EventCode - - dest - - user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 2a16ca2ff8..abc2b0fc09 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml 
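Review bot: the `analytic_story` list is reordered as well as extended (Nexus APT Threat Activity and Earth Estries are the only real additions), which turns a two-line addition into a churn of removed and re-added entries; keep the existing order, or sort the list once, so the diff shows only the additions. The rba `message` ('a non chrome browser process $ProcessName$ accessing $ObjectName$') should also be capitalised to match the other messages in this patch.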
@@ -1,16 +1,29 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system. +description: The following analytic detects non-Firefox processes accessing the Firefox + profile directory, which contains sensitive user data such as login credentials, + browsing history, and cookies. It leverages Windows Security Event logs, specifically + event code 4663, to monitor access attempts. This activity is significant because + it may indicate attempts by malware, such as RATs or trojans, to harvest user information. + If confirmed malicious, this behavior could lead to data exfiltration, unauthorized + access to user accounts, and further compromise of the affected system. 
data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\firefox.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: other browser not listed related to firefox may catch by this rule. +search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\firefox.exe", + "*\\explorer.exe", "*sql*")) ObjectName="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" + | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType + ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `non_firefox_process_access_firefox_profile_dir_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: other browser not listed related to firefox may catch by this + rule. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
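Review bot: the reflowed `known_false_positives` is ungrammatical ('other browser not listed related to firefox may catch by this rule.'); suggest 'Other browsers or legitimate processes not in the exclusion list may be caught by this rule.' The same broad `"*sql*"` `ProcessName` exclusion as in the Chrome detection applies here and is worth narrowing.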
@@ -18,9 +31,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a non firefox browser process $ProcessName$ accessing $ObjectName$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Azorult 
@@ -36,37 +61,18 @@ tags: - Phemedrone Stealer - Snake Keylogger asset_type: Endpoint - confidence: 70 - impact: 50 - message: a non firefox browser process $ProcessName$ accessing $ObjectName$ mitre_attack_id: - T1555 - T1555.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Object_Name - - Object_Type - - process_name - - Access_Mask - - Accesses - - process_id - - EventCode - - dest - - user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml index 3abe3a0f92..9598488359 100644 --- a/detections/endpoint/notepad_with_no_command_line_arguments.yml +++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml @@ -1,7 +1,7 @@ name: Notepad with no Command Line Arguments id: 5adbc5f1-9a2f-41c1-a810-f37e015f8179 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: production 
@@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies instances where Notepad.exe is launched without any command line arguments, a behavior commonly associated with the SliverC2 framework. This detection leverages process creation events from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by Notepad.exe within a short time frame. This activity is significant as it may indicate an attempt to inject malicious code into Notepad.exe, a known tactic for evading detection. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(notepad\.exe.{0,4}$)" | `notepad_with_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering may need to occur based on organization endpoint behavior. +description: The following analytic identifies instances where Notepad.exe is launched + without any command line arguments, a behavior commonly associated with the SliverC2 + framework. This detection leverages process creation events from Endpoint Detection + and Response (EDR) agents, focusing on processes initiated by Notepad.exe within + a short time frame. This activity is significant as it may indicate an attempt to + inject malicious code into Notepad.exe, a known tactic for evading detection. If + confirmed malicious, this could allow an attacker to execute arbitrary code, potentially + leading to system compromise and unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe + AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | regex process="(?i)(notepad\.exe.{0,4}$)" + | `notepad_with_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering may need to occur + based on organization endpoint behavior. references: - https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section 
@@ -22,53 +44,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ with no command line arguments. + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - BishopFox Sliver Adversary Emulation Framework asset_type: Endpoint - confidence: 70 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments. 
mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml index 207cbf7944..fee86a72ef 100644 --- a/detections/endpoint/ntdsutil_export_ntds.yml +++ b/detections/endpoint/ntdsutil_export_ntds.yml 
@@ -1,18 +1,38 @@ name: Ntdsutil Export NTDS id: da63bc76-61ae-11eb-ae93-0242ac130002 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the use of Ntdsutil to export the Active Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because exporting NTDS.dit can be a precursor to offline password cracking, posing a severe security risk. If confirmed malicious, an attacker could gain access to sensitive credentials, potentially leading to unauthorized access and privilege escalation within the network. +description: The following analytic detects the use of Ntdsutil to export the Active + Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line arguments. This activity + is significant because exporting NTDS.dit can be a precursor to offline password + cracking, posing a severe security risk. If confirmed malicious, an attacker could + gain access to sensitive credentials, potentially leading to unauthorized access + and privilege escalation within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe + Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Highly possible Server Administrators will troubleshoot with + ntdsutil.exe, generating false positives. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11) 
@@ -25,9 +45,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Active Directory NTDS export on $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] tags: analytic_story: - Credential Dumping 
@@ -37,35 +69,18 @@ tags: - Volt Typhoon - Rhysida Ransomware asset_type: Endpoint - confidence: 50 - impact: 100 - message: Active Directory NTDS export on $dest$ mitre_attack_id: - T1003.003 - T1003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml deleted file mode 100644 index f095e1101c..0000000000 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: Office Product Spawn CMD Process -id: b8b19420-e892-11eb-9244-acde48001122 -version: 7 -date: '2024-09-30' -author: Teoderick Contreras, Splunk -status: production -type: TTP -description: The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities. -data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint 
Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: IT or network admin may create an document automation that will run shell script. -references: -- https://twitter.com/cyb3rops/status/1416050325870587910?s=21 -- https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/ -- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ -drilldown_searches: -- name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: 
$info_max_time$ -tags: - analytic_story: - - Trickbot - - DarkCrystal RAT - - Azorult - - Remcos - - Qakbot - - AgentTesla - - CVE-2023-21716 Word RTF Heap Corruption - - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - - Warzone RAT - - PlugX - - NjRAT - asset_type: Endpoint - confidence: 80 - impact: 70 - message: an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$ - mitre_attack_id: - - T1566 - - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index 244d9c25b3..6d61ce22e9 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml 
@@ -1,16 +1,41 @@ name: Outbound Network Connection from Java Using Default Ports id: d2c14d28-5c47-11ec-9892-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Lou Stella, Splunk status: production type: TTP -description: "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker\u2019s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server." +description: The following analytic detects outbound network connections from Java + processes to default ports used by LDAP and RMI protocols, which may indicate exploitation + of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process and network traffic logs. + Monitoring this activity is crucial as it can signify an attacker’s attempt to perform + JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity + could lead to remote code execution and further compromise of the affected server. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name="java.exe" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate Java applications may use perform outbound connections to these ports. 
Filter as needed +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where (Processes.process_name="java.exe" OR Processes.process_name=javaw.exe OR + Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port + = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest + All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] + | table _time dest parent_process_name process_name process_path process connection_to_CNC + dest_port| `outbound_network_connection_from_java_using_default_ports_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate Java applications may use perform outbound connections + to these ports. 
Filter as needed references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ 
@@ -20,46 +45,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Java performed outbound connections to default ports of LDAP or RMI on + $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Log4Shell CVE-2021-44228 asset_type: Endpoint - confidence: 60 cve: - CVE-2021-44228 - impact: 90 - message: Java performed outbound connections to default ports of LDAP or RMI on $dest$ mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_id - - Processes.process_name - - Processes.dest - - Processes.process_path - - Processes.process - - Processes.parent_process_name - - 
All_Traffic.process_id - - All_Traffic.dest - - All_Traffic.dest_port - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml index 597f133ad0..cf10053592 100644 --- a/detections/endpoint/overwriting_accessibility_binaries.yml +++ b/detections/endpoint/overwriting_accessibility_binaries.yml 
@@ -1,16 +1,34 @@ name: Overwriting Accessibility Binaries id: 13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: TTP -description: The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment. +description: The following analytic detects modifications to Windows accessibility + binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, + and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem + data model to identify changes to these specific files. This activity is significant + because adversaries can exploit these binaries to gain unauthorized access or execute + commands without logging in. If confirmed malicious, this could allow attackers + to bypass authentication mechanisms, potentially leading to unauthorized system + access and further compromise of the environment. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`' -how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -known_false_positives: Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) + as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* + OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* + OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* + OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) + by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`' +how_to_implement: You must be ingesting data that records the filesystem activity + from your hosts to populate the Endpoint file-system data model node. If you are + using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. +known_false_positives: Microsoft may provide updates to these binaries. Verify that + these changes do not correspond with your normal software update cycle. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
@@ -18,9 +36,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious file modification or replace in $file_path$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Data Destruction 
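Review bot: The new `rba.message` in the `@@ -18,9 +36,23 @@` hunk of the Overwriting Accessibility Binaries detection reads "A suspicious file modification or replace in $file_path$ in host $dest$"; this string is shown verbatim in risk events, so suggest "A suspicious modification or replacement of $file_path$ on host $dest$". The `$file_path$` token is populated because the search emits `values(Filesystem.file_path) as file_path`, and `score: 72` preserves the removed confidence 90 x impact 80 weighting, so the rest of the block carries over cleanly.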
@@ -28,36 +60,18 @@ tags: - Windows Privilege Escalation - Flax Typhoon asset_type: Endpoint - confidence: 90 - impact: 80 - message: A suspicious file modification or replace in $file_path$ in host $dest$ mitre_attack_id: - T1546 - T1546.008 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_path - - Filesystem.file_name - - Filesystem.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml index 00a84a51cf..b028cdc825 100644 --- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml +++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml 
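Review bot: In the `@@ -28,36 +60,18 @@` hunk the dataset URL under `tests` is moved onto a continuation line below `- data:`. That is valid YAML (a multi-line plain scalar), but it makes the URL harder to find with a single-line grep and changes the one-line `- data: https://...` form that the rest of the repository uses; if this is a formatter artifact rather than an intended convention, keep it on one line. The removed `required_fields` list contained `Filesystem.dest` twice, so nothing from it needs to be preserved.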
@@ -1,15 +1,30 @@ name: PaperCut NG Suspicious Behavior Debug Log id: 395163b8-689b-444b-86c7-9fe9ad624734 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: Hunting data_source: [] -description: The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server. -search: '`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null()) | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`' 
-how_to_implement: Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. -known_false_positives: False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. +description: The following analytic identifies potential exploitation attempts on + a PaperCut NG server by analyzing its debug log data. It detects unauthorized or + suspicious access attempts from public IP addresses and searches for specific URIs + associated with known exploits. The detection leverages regex to parse unstructured + log data, focusing on admin login activities. This activity is significant as it + can indicate an active exploitation attempt on the server. If confirmed malicious, + attackers could gain unauthorized access, potentially leading to data breaches or + further compromise of the server. +search: '`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, + "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), + "URI matches", null()) | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") + AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), + "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats + sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) + BY host, 
index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`' +how_to_implement: Debug logs must be enabled and shipped to Splunk in order to properly + identify behavior with this analytic. +known_false_positives: False positives may be present, as this is based on the admin + user accessing the Papercut NG instance from a public IP address. Filter as needed. references: - https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md @@ -23,32 +38,18 @@ tags: - PaperCut MF NG Vulnerability asset_type: Web Server atomic_guid: [] - confidence: 80 - impact: 80 - message: Behavior related to exploitation of PaperCut NG has been identified on $host$. mitre_attack_id: - T1190 - T1133 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - uri_match - - ip_match - - index - - sourcetype - - host security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log source: papercutng sourcetype: papercutng diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml deleted file mode 100644 index 669229a3a3..0000000000 --- a/detections/endpoint/password_policy_discovery_with_net.yml +++ /dev/null 
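Review bot: While the `search` of the PaperCut NG Suspicious Behavior Debug Log hunk (`@@ -1,15 +1,30 @@`) is being reflowed, the URI alternation `(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|...)` contains a bare `\/app` alternative that matches any event containing `/app`, which is a prefix of every other alternative, so `uri_match` is set for practically every admin login line and the other branches never add signal. Either drop the bare `\/app` or anchor it to the specific URI the hunt is meant to catch, otherwise the `where (isnotnull(uri_match) OR isnotnull(ip_match))` filter reduces to the public-IP check alone.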
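Review bot: In the `@@ -23,32 +38,18 @@` hunk of the PaperCut detection the `message`, `risk_score: 64`, `observable` and `required_fields` entries are removed without an `rba:` block replacing them, unlike the TTP detections elsewhere in this patch. That is consistent with `type: Hunting` (hunting searches do not emit risk events), but it is worth stating in the PR description so the missing `rba` is not mistaken for an oversight.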
@@ -1,61 +0,0 @@ -name: Password Policy Discovery with Net -id: 09336538-065a-11ec-8665-acde48001122 -version: 5 -date: '2024-11-26' -author: Teoderick Contreras, Mauricio Velazco, Splunk -status: production -type: Hunting -description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network. -data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts*" AND Processes.process = "*/domain*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. -references: -- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet -tags: - analytic_story: - - Active Directory Discovery - asset_type: Endpoint - confidence: 30 - impact: 30 - message: an instance of process $process_name$ with commandline $process$ in $dest$ - mitre_attack_id: - - T1201 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 9 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index 9f41a164a9..8beee2753c 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml 
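Review bot: Deleting a `status: production` detection needs a rationale in the PR description: `password_policy_discovery_with_net.yml` was bumped to version 5 on 2024-11-26 and is now removed outright, so note whether T1201 coverage moves to another analytic or is intentionally dropped, and confirm the deletion is not a merge artifact. Also check that the `password_policy_discovery_with_net_filter` macro referenced in the removed search is deleted in the same change, otherwise it is left orphaned.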
@@ -1,18 +1,39 @@ name: Permission Modification using Takeown App id: fa7ca5c6-c9d8-11eb-bce9-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data. +description: The following analytic detects the modification of file or directory + permissions using the takeown.exe Windows application. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs that include + process GUID, process name, and command-line details. This activity is significant + because it is a common technique used by ransomware to take ownership of files or + folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized + access, data encryption, or data destruction, severely impacting the integrity and + availability of critical data. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe" Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: takeown.exe is a normal windows application that may used by network operator. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe" + Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: takeown.exe is a normal windows application that may used by + network operator. references: - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ drilldown_searches: 
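Review bot: The reflowed `known_false_positives` line in the `@@ -1,18 +1,39 @@` hunk of Permission Modification using Takeown App keeps the original grammar error ("that may used by network operator"); since the line is being touched anyway, change it to "takeown.exe is a normal Windows application that may be used by network operators."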
@@ -21,47 +42,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious of execution of $process_name$ with process id $process_id$ + and commandline $process$ to modify permission of directory or files in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - - Ransomware - Sandworm Tools + - Ransomware + - Crypto Stealer asset_type: Endpoint - confidence: 80 - impact: 70 - message: A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$ mitre_attack_id: - T1222 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: 
- Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process_guid - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml index 3524d98894..570cd8997d 100644 --- a/detections/endpoint/petitpotam_network_share_access_request.yml +++ b/detections/endpoint/petitpotam_network_share_access_request.yml 
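Review bot: The new `rba.message` in the `@@ -21,47 +42,41 @@` hunk starts "A suspicious of execution of $process_name$ ..."; suggest "Suspicious execution of $process_name$ with process id $process_id$ and command line $process$ to modify permissions of a directory or file on host $dest$". Separately, this hunk also adds `Crypto Stealer` to `analytic_story`, which is a content change beyond the schema migration the rest of the patch performs; it is fine, but call it out in the commit message so the version bump is explained.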
@@ -1,16 +1,28 @@ name: PetitPotam Network Share Access Request id: 95b8061a-0a67-11ec-85ec-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively. +description: The following analytic detects network share access requests indicative + of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, + which logs attempts to access network share objects. This detection is significant + as PetitPotam can coerce authentication from domain controllers, potentially leading + to unauthorized access. If confirmed malicious, this activity could allow attackers + to escalate privileges or move laterally within the network, posing a severe security + risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic + effectively. data_source: - Windows Event Log Security 5145 -search: '`wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`' -how_to_implement: Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments. 
-known_false_positives: False positives have been limited when the Anonymous Logon is used for Account Name. +search: '`wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc + | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, + ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`' +how_to_implement: Windows Event Code 5145 is required to utilize this analytic and + it may not be enabled in most environments. +known_false_positives: False positives have been limited when the Anonymous Logon + is used for Account Name. references: - https://attack.mitre.org/techniques/T1187/ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145 
@@ -21,42 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A remote host is enumerating a $dest$ to identify permissions. This is + a precursor event to CVE-2021-36942, PetitPotam. + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - PetitPotam NTLM Relay on Active Directory Certificate Services asset_type: Endpoint - confidence: 70 cve: - CVE-2021-36942 - impact: 80 - message: A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam. 
mitre_attack_id: - T1187 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - SubjectUserSid - - Share_Name - - src - - AccessMask - - AccessReason - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml index dbdc5d10a2..a871ceeb31 100644 --- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml +++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml 
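Review bot: Two points on the `@@ -21,42 +33,39 @@` hunk of PetitPotam Network Share Access Request. First, the `rba.message` "A remote host is enumerating a $dest$ to identify permissions" should read "enumerating $dest$", since the token expands to a hostname. Second, `threat_objects: []` is empty although the search groups by `src` (the remote host that made the anonymous request); if the rba schema has a suitable type for a source address, adding `src` as a threat object would make the risk event more useful to analysts. The removed `required_fields` listed `Share_Name`, which the search never used (it uses `ShareName`), so nothing there needs carrying over.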
@@ -1,16 +1,28 @@ name: PetitPotam Suspicious Kerberos TGT Request id: e3ef244e-0a67-11ec-abf2-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk. +description: The following analytic detects a suspicious Kerberos Ticket Granting + Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows + Security Event Logs to identify TGT requests with unusual fields, which may indicate + the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). + This activity is significant as it can signal an attacker leveraging a compromised + certificate to request Kerberos tickets, potentially leading to unauthorized access. + If confirmed malicious, this could allow attackers to escalate privileges and persist + within the environment, posing a severe security risk. 
data_source: - Windows Event Log Security 4768 -search: '`wineventlog_security` EventCode=4768 src!="::1" TargetUserName=*$ CertThumbprint!="" | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`' -how_to_implement: The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk. -known_false_positives: False positives are possible if the environment is using certificates for authentication. +search: '`wineventlog_security` EventCode=4768 src!="::1" TargetUserName=*$ CertThumbprint!="" + | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, + src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `petitpotam_suspicious_kerberos_tgt_request_filter`' +how_to_implement: The following analytic requires Event Code 4768. Ensure that it + is logging no Domain Controllers and appearing in Splunk. +known_false_positives: False positives are possible if the environment is using certificates + for authentication. references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768 - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ 
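Review bot: The reflowed `how_to_implement` in the `@@ -1,16 +1,28 @@` hunk of PetitPotam Suspicious Kerberos TGT Request preserves the typo "Ensure that it is logging no Domain Controllers"; it should read "Ensure that it is logged on Domain Controllers and appearing in Splunk", since 4768 is only generated on domain controllers.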
@@ -20,42 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Kerberos TGT was requested in a non-standard manner against $dest$, potentially + related to CVE-2021-36942, PetitPotam. + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - PetitPotam NTLM Relay on Active Directory Certificate Services - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 70 cve: - CVE-2021-36942 - impact: 80 - message: A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam. 
mitre_attack_id: - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Account_Name - - Client_Address - - action - - Message - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index 402bb5d7ad..0b164dcc22 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml 
@@ -1,18 +1,41 @@ name: Ping Sleep Batch Command id: ce058d6c-79f2-11ec-b476-acde48001122 -version: 4 -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis. If confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration. +description: The following analytic identifies the execution of ping sleep batch commands. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process and parent process command-line details. This activity is significant as + it indicates an attempt to delay malicious code execution, potentially evading detection + or sandbox analysis. If confirmed malicious, this technique allows attackers to + bypass security measures, making it harder to detect and analyze their activities, + thereby increasing the risk of prolonged unauthorized access and potential data + exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*>*") OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*>*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator or network operator may execute this command. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process + = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*>*") + OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*>*") + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.process_guid + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator or network operator may execute this command. + Please update the filter macros to remove false positives. references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: 
@@ -21,9 +44,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: suspicious $process$ commandline run on $dest$ + risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Data Destruction 
@@ -32,43 +70,18 @@ tags: - Warzone RAT - Meduza Stealer asset_type: Endpoint - confidence: 60 - impact: 60 - message: suspicious $process$ commandline run in $dest$ mitre_attack_id: - T1497 - T1497.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml index 0857e14423..5a2fdbcd71 100644 --- a/detections/endpoint/possible_browser_pass_view_parameter.yml +++ b/detections/endpoint/possible_browser_pass_view_parameter.yml 
@@ -1,17 +1,41 @@ name: Possible Browser Pass View Parameter id: 8ba484e8-4b97-11ec-b19a-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches. +description: The following analytic identifies processes with command-line parameters + associated with web browser credential dumping tools, specifically targeting behaviors + used by Remcos RAT malware. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions and specific file paths. This + activity is significant as it indicates potential credential theft, a common tactic + in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain + unauthorized access to sensitive web credentials, leading to further system compromise + and data breaches. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*" , "*/UseOperaPasswordFile*", "*/OperaPasswordFile*","*/stab*", "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*" ) AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext + *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", + "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*" , "*/UseOperaPasswordFile*", "*/OperaPasswordFile*","*/stab*", + "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*" + ) AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positive is quite limited. Filter is needed references: - https://www.nirsoft.net/utils/web_browser_password.html 
@@ -20,43 +44,18 @@ tags: analytic_story: - Remcos asset_type: Endpoint - confidence: 40 - impact: 40 - message: suspicious process $process_name$ contains commandline $process$ on $dest$ mitre_attack_id: - T1555.003 - T1555 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index b52b6e0dbb..a5e4e662a0 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml 
@@ -1,18 +1,43 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment. +description: The following analytic detects the spawning of a PowerShell process as + a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, + svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process and parent process names, as well + as command-line executions. This activity is significant as it often indicates lateral + movement or remote code execution attempts by adversaries. If confirmed malicious, + this behavior could allow attackers to execute code remotely, escalate privileges, + or persist within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe + OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe + OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) + (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) + OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) + NOT (Processes.process IN ("*c:\\windows\\ccm\\*")) by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate applications may spawn PowerShell as a child process + of the the identified processes. Filter as needed. references: - https://attack.mitre.org/techniques/T1021/003/ - https://attack.mitre.org/techniques/T1021/006/ 
@@ -25,9 +50,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell process was spawned as a child process of typically abused + processes on $dest$ + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement @@ -37,9 +75,6 @@ tags: - Scheduled Tasks - CISA AA24-241A asset_type: Endpoint - confidence: 50 - impact: 90 - message: A PowerShell process was spawned as a child process of typically abused processes on $dest$ mitre_attack_id: - T1021 - T1021.003 
@@ -49,33 +84,15 @@ tags: - T1543.003 - T1059.001 - T1218.014 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml index 737b295ebe..cac9f26b90 100644 --- a/detections/endpoint/potential_password_in_username.yml +++ b/detections/endpoint/potential_password_in_username.yml 
@@ -1,16 +1,41 @@ name: Potential password in username id: 5ced34b4-ab32-4bb0-8f22-3b8f186f0a38 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mikael Bjerkeland, Splunk status: production type: Hunting -description: The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system. +description: The following analytic identifies instances where users may have mistakenly + entered their passwords in the username field during authentication attempts. It + detects this by analyzing failed authentication events with usernames longer than + 7 characters and high Shannon entropy, followed by a successful authentication from + the same source to the same destination. This activity is significant as it can + indicate potential security risks, such as password exposure. If confirmed malicious, + attackers could exploit this to gain unauthorized access, leading to potential data + breaches or further compromise of the system. 
data_source: - Linux Secure -search: '| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY "Authentication.user" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search="| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\" | `drop_dm_object_name(\"Authentication\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\"$incorrect_cred$\" | eval ut_shannon=\"$ut_shannon$\" | sort count" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`' -how_to_implement: To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. -known_false_positives: Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating. 
+search: '| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) + AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) + AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication + BY "Authentication.user" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup + word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort + count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map + maxsearches=70 search="| tstats `security_content_summariesonly` earliest(_time) + AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) + AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE + nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" + sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY + \"Authentication.user\" | `drop_dm_object_name(\"Authentication\")` | `potential_password_in_username_false_positive_reduction` + | eval incorrect_cred=\"$incorrect_cred$\" | eval ut_shannon=\"$ut_shannon$\" | + sort count" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`' +how_to_implement: To successfully implement this search, you need to have relevant + authentication logs mapped to the Authentication data model. You also need to have + the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The + detection must run with a time interval shorter than endtime+1000. +known_false_positives: Valid usernames with high entropy or source/destination system + pairs with multiple authenticating users will make it difficult to identify the + real user authenticating. references: - https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928 tags: 
@@ -18,39 +43,18 @@ tags: - Credential Dumping - Insider Threat asset_type: Endpoint - confidence: 70 - impact: 30 - message: Potential password in username ($user$) with Shannon entropy ($ut_shannon$) mitre_attack_id: - T1078.003 - T1552.001 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Authentication.user - - Authentication.src - - Authentication.dest - - sourcetype - risk_score: 21 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log source: /var/log/secure sourcetype: linux_secure diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml similarity index 70% rename from detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml rename to detections/endpoint/potential_system_network_configuration_discovery_activity.yml index 2c66b755db..7939bcde78 100644 --- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml +++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml 
@@ -1,16 +1,16 @@ -name: Detect processes used for System Network Configuration Discovery -id: a51bfe1a-94f0-48cc-b1e4-16ae10145893 -version: 5 -date: '2024-09-30' +name: Potential System Network Configuration Discovery Activity +id: 3f0b95e3-3195-46ac-bea3-84fb59e7fac5 +version: 2 +date: '2025-01-20' author: Bhavin Patel, Splunk status: production -type: TTP -description: The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. +type: Anomaly +description: The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity can be significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`' +search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `potential_system_network_configuration_discovery_activity_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. references: [] 
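Review bot: the `id` on the second line of this hunk changes from a51bfe1a-94f0-48cc-b1e4-16ae10145893 to 3f0b95e3-3195-46ac-bea3-84fb59e7fac5 while the rest of the hunk is a rename plus a TTP-to-Anomaly downgrade; a new UUID means existing saved searches, risk notables and suppressions keyed on the old id stop correlating with this content, and resetting `version` from 5 to 2 fits neither option (a genuinely new detection starts at 1, a renamed one keeps counting). Either keep the original id and bump to version 6, or leave the old file in place with `status: deprecated` pointing at this one. The filter macro also changes from `detect_processes_used_for_system_network_configuration_discovery_filter` to `potential_system_network_configuration_discovery_activity_filter`, so any site-specific tuning in the old macro is silently dropped; that deserves a release-note line. Finally, `references: []` survives the rewrite; T1016 is declared in the tags, so at minimum the ATT&CK page should be listed here.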
@@ -23,50 +23,32 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning multiple $process_name$ was + identified on endpoint $dest$ by user $user$ typically not a normal behavior of + the process. + risk_objects: + - field: user + type: user + score: 32 + - field: dest + type: system + score: 32 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Unusual Processes asset_type: Endpoint - confidence: 80 - impact: 40 - message: An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process. 
mitre_attack_id: - T1016 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index 8a75deedf3..d436c3465a 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml 
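Review bot: in the `rba` block added to potential_system_network_configuration_discovery_activity.yml, `message` is carried over verbatim and still reads "spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process", which is missing a connective; since the block is being rewritten anyway, something like "An instance of $parent_process_name$ spawning multiple $process_name$ processes was identified on endpoint $dest$ for user $user$; this is not typical behavior for the parent process." reads better. Also note that the search runs `transaction dest connected=false maxpause=5m | where eventcount>=5`, so `$process_name$` and `$parent_process_name$` will usually be multivalue when the notable renders; the message wording should expect a list rather than a single name, and the two `threat_objects` will likewise emit one risk event per distinct value.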
@@ -1,18 +1,44 @@ name: Potentially malicious code on commandline id: 9c53c446-757e-11ec-871d-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Hart, Splunk status: production type: Anomaly -description: The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as "streamreader," "webclient," "mutex," "function," and "computehash," which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise. +description: The following analytic detects potentially malicious command lines using + a pretrained machine learning text classifier. It identifies unusual keyword combinations + in command lines, such as "streamreader," "webclient," "mutex," "function," and + "computehash," which are often associated with adversarial PowerShell code execution + for C2 communication. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command lines longer than 200 characters. This + activity is significant as it can indicate an attempt to execute malicious scripts, + potentially leading to unauthorized code execution, data exfiltration, or further + system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score=''predicted(unusual_cmdline_logits)'', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives. 
+search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name + Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)`\ + \ | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` + | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', + process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) + orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `potentially_malicious_code_on_commandline_filter`" +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This model is an anomaly detector that identifies usage of + APIs and scripting constructs that are correllated with malicious activity. These + APIs and scripting constructs are part of the programming langauge and advanced + scripts may generate false positives. references: - https://attack.mitre.org/techniques/T1059/003/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md 
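Review bot: the `known_false_positives` paragraph rewritten at the end of this hunk keeps two typos from the removed line, "correllated" and "langauge"; since every character of the paragraph is touched by the reflow, fix them to "correlated" and "language" here rather than in a follow-up. On the `search` scalar, moving from a single-quoted YAML string with `''predicted(unusual_cmdline_logits)''` to a double-quoted one with `\"Endpoint.Processes\"` and a backslash-escaped line break (`| \`drop_dm_object_name(Processes)\`\` followed by `\ | where`) is behaviour-preserving, but two escaping conventions in one field are hard to eyeball in review; a `search: |` block scalar would carry the SPL with no escaping at all.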
@@ -22,44 +48,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Unusual command-line execution with command line length greater than 200 + found on $dest$ with commandline value - [$process$] + risk_objects: + - field: dest + type: system + score: 12 + - field: user + type: user + score: 12 + threat_objects: [] tags: analytic_story: - Suspicious Command-Line Executions asset_type: Endpoint - confidence: 20 - impact: 60 - message: Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$] mitre_attack_id: - T1059.003 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.process_name - - Processes.parent_process - - Processes.user - - Processes.dest - risk_score: 12 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 2d721ea6d0..bdf4328edc 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml 
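Review bot: the `rba` block added to potentially_malicious_code_on_commandline.yml declares `threat_objects: []` even though the `message` line is built around the flagged command line (`commandline value - [$process$]`) and `process` is in the search output; declaring `- field: process` with `type: process` as the threat object keeps the risk event's threat field aligned with what the message shows and lets ES aggregate repeated command lines across hosts. The scores (12 for both `dest` and `user`) match the removed `risk_score: 12`, so that part is consistent.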
@@ -1,15 +1,51 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 8 -date: '2024-12-11' +version: 10 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security. +description: The following analytic identifies suspicious PowerShell execution using + Script Block Logging (EventCode 4104). It leverages specific patterns and keywords + within the ScriptBlockText field to detect potentially malicious activities. This + detection is significant for SOC analysts as PowerShell is commonly used by attackers + for various malicious purposes, including code execution, privilege escalation, + and persistence. If confirmed malicious, this activity could allow attackers to + execute arbitrary commands, exfiltrate data, or maintain long-term access to the + compromised system, posing a severe threat to the organization's security. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User
)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection = 
if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
+search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), + "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") + OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | + eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invok
e-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) + | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") + AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") + OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") + OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), + "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) + | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") + OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") + OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") + OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), + "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | + eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) + | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal + = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection + = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | 
eval invokewmi=if(match(lower(ScriptBlockText), + "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, + "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) + | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) + | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | + addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, + mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, + invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, + compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, + reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer + as dest, UserID as user | `powershell_4104_hunting_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Limited false positives. May filter as needed. references: - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md 
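Review bot: `version` jumps from 8 to 10 in this hunk while the `search` body is byte-for-byte identical after YAML folding and only `date` and the text reflow change; if a version 9 landed elsewhere it should be visible in the history, otherwise this should be a single bump to 9. Since the tail of the search is being rewritten anyway, `stats values(Score) by UserID, Computer, DoIt, enccom, ...` groups by every component that feeds `Score`, so `values(Score)` always holds exactly one value per row; `stats values(Score) as Score by ...` would at least give analysts a plain `Score` field to sort on instead of `values(Score)`.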
@@ -23,45 +59,27 @@ references: - https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/ tags: analytic_story: - - Malicious PowerShell - - Hermetic Wiper - - Rhysida Ransomware - - DarkGate Malware + - Data Destruction - Flax Typhoon - CISA AA23-347A - - Data Destruction - - CISA AA24-241A - Braodo Stealer - - Lumma Stealer - Cleo File Transfer Software + - Malicious PowerShell + - Hermetic Wiper + - DarkGate Malware + - Lumma Stealer + - Nexus APT Threat Activity + - Earth Estries + - Rhysida Ransomware + - CISA AA24-241A asset_type: Endpoint - confidence: 100 - impact: 80 - message: Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands. mitre_attack_id: - T1059 - T1059.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml index 228b80e665..4448706801 100644 --- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml 
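Review bot: the `analytic_story` list in powershell_4104_hunting.yml is reordered wholesale (Malicious PowerShell moves from first to seventh, Data Destruction to first) when the substantive change is two additions, `Nexus APT Threat Activity` and `Earth Estries`; keeping the existing order and appending the new entries, or sorting alphabetically if that is the repo convention, would make the real change visible at a glance. Removing `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` with no `rba` block is consistent with `type: Hunting`; the dropped message also referenced `$host$` while the search renames `Computer` to `dest`, so nothing of value is lost there.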
@@ -1,18 +1,40 @@ name: PowerShell - Connect To Internet With Hidden Window id: ee18ed37-0802-4268-9435-b3b91aaa18db -version: 10 -date: '2024-10-17' +version: 11 +date: '2024-11-13' author: David Dorsey, Michael Haag Splunk status: production type: Hunting -description: The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint. +description: The following analytic detects PowerShell commands using the WindowStyle + parameter to hide the window while connecting to the Internet. This behavior is + identified through Endpoint Detection and Response (EDR) telemetry, focusing on + command-line executions that include variations of the WindowStyle parameter. This + activity is significant because it attempts to bypass default PowerShell execution + policies and conceal its actions, which is often indicative of malicious intent. + If confirmed malicious, this could allow an attacker to execute commands stealthily, + potentially leading to unauthorized data exfiltration or further compromise of the + endpoint. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013 |\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`" -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate process can have this combination of command-line options, but it's not common. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user + Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name + Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]") + | `powershell___connect_to_internet_with_hidden_window_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate process can have this combination of command-line + options, but it's not common. references: - https://regexr.com/663rr - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 
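Review bot: the rewritten `description` still says the detection catches commands that "bypass default PowerShell execution policies" and connect to the Internet, but the only predicate in the search is `match(process,"(?i)[\-|\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]")`, which tests for a WindowStyle-style switch and nothing else; the description (and arguably the name) should say the search flags hidden-window invocations, with network activity left to the analyst. On the regex itself, now that the `\u2013 |\u2014|\u2015` escapes are literal characters, the stray space after the en dash (`– |`) and the `|` characters inside the brackets are visible in both the removed and the added line: inside a character class `|` is a literal pipe, not alternation, and the space adds a literal space to the class, so the pattern also matches a bare ` w ` token. `[-/–—―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]` expresses the intended set.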
@@ -29,43 +51,20 @@ tags: - Data Destruction - Log4Shell CVE-2021-44228 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-44228 - impact: 90 - message: PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$. mitre_attack_id: - T1059.001 - T1059 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.process_name - - Processes.user - - Processes.parent_process_name - - Processes.dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml index 6b2d83fe19..568bb5677c 100644 --- a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml 
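Review bot: in the tags hunk of powershell___connect_to_internet_with_hidden_window.yml, `cve: - CVE-2021-44228` is the only scoring-era attribute left after `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` are removed; the search has no Log4Shell-specific logic (it matches only the WindowStyle switch), and the CVE link already exists through the `Log4Shell CVE-2021-44228` analytic story, so unless contentctl needs the tag for story linkage it should go too, otherwise this generic hunting search will be presented as CVE coverage in any report built from the tags.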
@@ -1,16 +1,29 @@ name: Powershell COM Hijacking InprocServer32 Modification id: ea61e291-af05-4716-932a-67faddb6ae6f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk. +description: The following analytic detects attempts to modify or add a Component + Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. + It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious + script blocks that target the InProcServer32 registry path. This activity is significant + because modifying COM objects can be used for persistence or privilege escalation + by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary + code or maintain persistent access to the compromised system, posing a severe security + risk. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. 
Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: False positives will be present if any scripts are adding to inprocserver32. Filter as needed. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_com_hijacking_inprocserver32_modification_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the PowerShell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: False positives will be present if any scripts are adding to + inprocserver32. Filter as needed. references: - https://attack.mitre.org/techniques/T1546/015/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html 
@@ -22,42 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell script has been identified with InProcServer32 within the + script code on $Computer$. + risk_objects: + - field: Computer + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Malicious PowerShell asset_type: Endpoint - confidence: 80 - impact: 80 - message: A PowerShell script has been identified with InProcServer32 within the script code on $Computer$. 
mitre_attack_id: - T1546.015 - T1059 - T1059.001 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml index 87d87ec658..636784f5f6 100644 --- a/detections/endpoint/powershell_creating_thread_mutex.yml +++ b/detections/endpoint/powershell_creating_thread_mutex.yml 
@@ -1,16 +1,29 @@ name: Powershell Creating Thread Mutex id: 637557ec-ca08-11eb-bd0a-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of PowerShell scripts using the `mutex` function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment. +description: The following analytic detects the execution of PowerShell scripts using + the `mutex` function via EventCode 4104. This detection leverages PowerShell Script + Block Logging to identify scripts that create thread mutexes, a technique often + used in obfuscated scripts to ensure only one instance runs on a compromised machine. + This activity is significant as it may indicate the presence of sophisticated malware + or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive + control over a process, potentially leading to further exploitation or persistence + within the environment. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: powershell developer may used this function in their script for instance checking too. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: powershell developer may used this function in their script + for instance checking too. references: - https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/ - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -23,44 +36,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains Thread Mutex on host $dest$ + risk_objects: + - field: dest + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Malicious PowerShell asset_type: Endpoint - confidence: 80 - impact: 50 - message: A suspicious powershell script contains Thread Mutex on host $dest$ mitre_attack_id: - T1027 - T1027.005 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 40 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index 50d76278d5..acf1715048 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml 
@@ -1,18 +1,40 @@ name: Powershell Disable Security Monitoring id: c148a894-dd93-11eb-bf2a-acde48001122 -version: 6 -date: '2024-11-26' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment. +description: The following analytic identifies attempts to disable Windows Defender + real-time behavior monitoring via PowerShell commands. It detects the use of specific + `Set-MpPreference` parameters that disable various security features. This activity + is significant as it is commonly used by malware such as RATs, bots, or Trojans + to evade detection by disabling antivirus protections. If confirmed malicious, this + action could allow an attacker to operate undetected, leading to potential data + exfiltration, further system compromise, or persistent access within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*" AND Processes.process IN ("*disablerealtimemonitoring*","*DisableScanningNetworkFiles*","*DisableScanningMappedNetworkDrivesForFullScan*","*DisableRemovableDriveScanning*","*DisableArchiveScanning*","*DisableCatchupFullScan*","*DisableCatchupQuickScan*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*MAPSReporting*","*drdsc *","*dsnf *","*drtm *","*dioavp *","*dscrptsc *","*dbaf *","*dbm *","*dips *") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives. However, tune based on scripts that may perform this action. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*" + AND Processes.process IN ("*disablerealtimemonitoring*","*DisableScanningNetworkFiles*","*DisableScanningMappedNetworkDrivesForFullScan*","*DisableRemovableDriveScanning*","*DisableArchiveScanning*","*DisableCatchupFullScan*","*DisableCatchupQuickScan*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*MAPSReporting*","*drdsc + *","*dsnf *","*drtm *","*dioavp *","*dscrptsc *","*dbaf *","*dbm *","*dips *") by + Processes.dest Processes.user Processes.parent_process Processes.original_file_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_disable_security_monitoring_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives. However, tune based on scripts that + may perform this action. 
references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps 
@@ -22,48 +44,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender Real-time Behavior Monitoring disabled on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware - Revil Ransomware - CISA AA24-241A asset_type: Endpoint - confidence: 50 - impact: 50 - message: Windows Defender Real-time Behavior Monitoring disabled on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml index d926d66286..f0d3a6b92e 100644 --- a/detections/endpoint/powershell_domain_enumeration.yml +++ b/detections/endpoint/powershell_domain_enumeration.yml 
@@ -1,15 +1,28 @@ name: PowerShell Domain Enumeration id: e1866ce2-ca22-11eb-8e44-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain. +description: The following analytic detects the execution of PowerShell commands used + for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It + leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command sent to PowerShell. This activity is significant as it often indicates + reconnaissance efforts by an attacker to map out the domain structure and identify + key users and groups. If confirmed malicious, this behavior could lead to further + targeted attacks, privilege escalation, and unauthorized access to sensitive information + within the domain. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, + *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) + as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: It is possible there will be false positives, filter as needed. references: - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -23,9 +36,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ + with EventCode $EventCode$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Hermetic Wiper 
@@ -33,37 +62,18 @@ tags: - CISA AA23-347A - Data Destruction asset_type: Endpoint - confidence: 70 - impact: 60 - message: A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/enumeration.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/enumeration.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml index addfdecfe0..8cfdb6a12c 100644 --- a/detections/endpoint/powershell_enable_powershell_remoting.yml +++ b/detections/endpoint/powershell_enable_powershell_remoting.yml 
@@ -1,16 +1,29 @@ name: PowerShell Enable PowerShell Remoting id: 40e3b299-19a5-4460-96e9-e1467f714f8e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement. -search: '`powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives. +description: The following analytic detects the use of the Enable-PSRemoting cmdlet, + which allows PowerShell remoting on a local or remote computer. 
This detection leverages + PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is + executed. Monitoring this activity is crucial as it can indicate an attacker enabling + remote command execution capabilities on a compromised system. If confirmed malicious, + this activity could allow an attacker to take control of the system remotely, execute + commands, and potentially pivot to other systems within the network, leading to + further compromise and lateral movement. +search: '`powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" | stats + count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Note that false positives may occur due to the use of the Enable-PSRemoting + cmdlet by legitimate users, such as system administrators. It is recommended to + apply appropriate filters as needed to minimize the number of false positives. references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3 drilldown_searches: 
@@ -19,38 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was identified running a Invoke-PSremoting on $Computer$. + risk_objects: + - field: Computer + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Malicious PowerShell asset_type: Endpoint - confidence: 50 - impact: 50 - message: PowerShell was identified running a Invoke-PSremoting on $Computer$. 
mitre_attack_id: - T1059.001 - T1059 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml index 68bab1f2bd..5778e667c4 100644 --- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml +++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml 
@@ -1,15 +1,26 @@ name: Powershell Enable SMB1Protocol Feature id: afed80b2-d34b-11eb-a952-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations. +description: The following analytic detects the enabling of the SMB1 protocol via + `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) + to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the + `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can + facilitate lateral movement and file encryption by ransomware, such as RedDot. If + confirmed malicious, this action could allow an attacker to propagate through the + network, encrypt files, and potentially disrupt business operations. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. 
+search: '`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" + ScriptBlockText = "*SMB1Protocol*" | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the powershell logs from your endpoints. make sure you enable needed + registry to monitor this event. known_false_positives: network operator may enable or disable this windows feature. references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ 
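Review bot: The reflowed `how_to_implement` value in powershell_enable_smb1protocol_feature.yml still carries the vague, lower-cased sentence "make sure you enable needed registry to monitor this event." Since that line is being rewritten in this hunk anyway, state the prerequisite the `data_source` actually names, for example "Make sure PowerShell Script Block Logging is enabled so that EventCode 4104 events are collected from your endpoints." Separately, the `search` keeps the raw `Computer` and `UserID` field names (`... by EventCode ScriptBlockText Computer UserID | ...`) while the other 4104 detections in this change add `| rename Computer as dest | rename UserID as user`; applying the same rename here would let the risk object and drilldown use the normalized `dest` field rather than `$Computer$`.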
@@ -20,9 +31,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell Enable SMB1Protocol Feature on $Computer$ + risk_objects: + - field: Computer + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -30,32 +53,18 @@ tags: - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 50 - impact: 50 - message: Powershell Enable SMB1Protocol Feature on $Computer$ mitre_attack_id: - T1027 - T1027.005 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml index 3b1df0d04c..afa898ec22 100644 --- a/detections/endpoint/powershell_execute_com_object.yml +++ b/detections/endpoint/powershell_execute_com_object.yml 
@@ -1,15 +1,27 @@ name: Powershell Execute COM Object id: 65711630-f9bf-11eb-8d72-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk. +description: The following analytic detects the execution of a COM CLSID through PowerShell. + It leverages EventCode 4104 and searches for specific script block text indicating + the creation of a COM object. This activity is significant as it is commonly used + by adversaries and malware, such as the Conti ransomware, to execute commands, potentially + for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, + this technique could allow attackers to gain elevated privileges or persist within + the environment, posing a significant security risk. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: network operrator may use this command. references: - https://threadreaderapp.com/thread/1423361119926816776.html 
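Review bot: The reflowed `how_to_implement` text in powershell_execute_com_object.yml documents the wrong telemetry: it asks for "the process name, parent process, and command-line executions" and a minimum Sysmon TA version, while `data_source` and the search (`EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*"`) depend only on PowerShell Script Block Logging. Since the value is already being rewritten, replace it with the script-block-logging guidance the other 4104 detections in this change use ("To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. ..."). The adjacent context line `known_false_positives: network operrator may use this command.` also has a typo ("operrator") worth fixing while the file is open.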
@@ -20,9 +32,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains COM CLSID command on host $dest$ + risk_objects: + - field: dest + type: system + score: 5 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -30,32 +54,19 @@ tags: - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 50 - impact: 10 - message: A suspicious powershell script contains COM CLSID command on host $dest$ mitre_attack_id: - T1546.015 - T1546 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml index e3e7d2a05a..d57deb4a84 100644 --- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml +++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml 
@@ -1,15 +1,27 @@ name: Powershell Fileless Process Injection via GetProcAddress id: a26d9db4-c883-11eb-9d75-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation. +description: The following analytic detects the use of `GetProcAddress` in PowerShell + script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This + method captures the full command sent to PowerShell, which is then logged in Windows + event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts + and often indicates malicious activity, as many attack toolkits use it to achieve + code execution. If confirmed malicious, this activity could allow an attacker to + execute arbitrary code, potentially leading to system compromise. Analysts should + review parallel processes and the entire logged script block for further investigation. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count + min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Limited false positives. Filter as needed. references: - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
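Review bot: The `references` entry that closes this hunk in powershell_fileless_process_injection_via_getprocaddress.yml, `- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.`, ends with a period that is part of the YAML scalar and therefore of the rendered link; drop the trailing dot. The reflowed `how_to_implement` wording "Additional setup here https://... ." has the same problem in prose form and would read better as a full sentence that does not put punctuation directly after the URL, e.g. "See https://... for additional setup".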
@@ -23,43 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains GetProcAddress API on host $dest$ + risk_objects: + - field: dest + type: system + score: 48 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 80 - impact: 60 - message: A suspicious powershell script contains GetProcAddress API on host $dest$ mitre_attack_id: - T1059 - T1055 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index 4b7ab4b0b3..220cb14ad7 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml 
@@ -1,15 +1,27 @@ name: Powershell Fileless Script Contains Base64 Encoded Content id: 8acbc04c-c882-11eb-b060-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system. -search: '`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: The following analytic detects the execution of PowerShell scripts containing + Base64 encoded content, specifically identifying the use of `FromBase64String`. + It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command sent to PowerShell. 
This activity is significant as Base64 encoding + is often used by attackers to obfuscate malicious payloads, making it harder to + detect. If confirmed malicious, this could lead to code execution, allowing attackers + to run arbitrary commands and potentially compromise the system. +search: '`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText + = "*gnirtS46esaBmorF*" | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID + as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_fileless_script_contains_base64_encoded_content_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited. Filter as needed. references: - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
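Review bot: In the reflowed `search` for powershell_fileless_script_contains_base64_encoded_content.yml the pipe before the second `rename` lacks the space used everywhere else in the pipeline (`... | rename Computer as dest |rename UserID as user | ...`); normalize it to `| rename UserID as user` so the string is consistent with the sibling detections. The `references` entry ending in `...#Configure_module_logging_for_PowerShell.` also carries the trailing period inside the URL scalar, as in the GetProcAddress file, and should lose the dot.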
@@ -23,9 +35,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains base64 command on host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Hermetic Wiper 
@@ -35,35 +59,20 @@ tags: - Data Destruction - IcedID - NjRAT - confidence: 80 - impact: 70 - message: A suspicious powershell script contains base64 command on host $dest$ mitre_attack_id: - T1059 - T1027 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 56 security_domain: endpoint asset_type: Endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml index c6c96be263..cf5e6ada50 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery.yml 
@@ -1,17 +1,37 @@ name: PowerShell Get LocalGroup Discovery id: b71adfcc-155b-11ec-9413-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system. +description: The following analytic identifies the use of the `get-localgroup` command + executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. Monitoring this activity is significant + as it may indicate an attacker attempting to gather information about local group + memberships, which can be a precursor to privilege escalation. If confirmed malicious, + this activity could allow an attacker to identify and target privileged accounts, + potentially leading to unauthorized access and control over the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe + OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ 
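Review bot: The `known_false_positives` context line in powershell_get_localgroup_discovery.yml ("False positives may be present. Tune as needed.") gives an analyst nothing to tune on, although the reflowed description makes clear that `get-localgroup` run from powershell.exe or cmd.exe is routine administrative activity. Since this is a `type: Hunting` search with no `rba` block, name the expected benign sources (administrators, inventory or compliance scripts) so the filter macro `powershell_get_localgroup_discovery_filter` has a documented starting point.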
@@ -20,43 +40,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local group discovery on $dest$ by $user$. mitre_attack_id: - T1069 - T1069.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml index bc59cd4802..09e77be336 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml 
@@ -1,15 +1,27 @@ name: Powershell Get LocalGroup Discovery with Script Block Logging id: d7c6ad22-155c-11ec-bb64-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis. +description: The following analytic detects the execution of the PowerShell cmdlet + `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method + captures the full command sent to PowerShell, providing detailed visibility into + script execution. Monitoring this activity is significant as it can indicate an + attempt to enumerate local groups, which may be a precursor to privilege escalation + or lateral movement. If confirmed malicious, an attacker could gain insights into + group memberships, potentially leading to unauthorized access or privilege abuse. + Review parallel processes and the entire script block for comprehensive analysis. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives may be present. Tune as needed. references: - https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html 
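Review bot: The reflowed `search` in powershell_get_localgroup_discovery_with_script_block_logging.yml has a missing space after a pipe (`... | \`security_content_ctime(firstTime)\` |\`security_content_ctime(lastTime)\` | ...`); write it as `| \`security_content_ctime(lastTime)\`` to match the formatting of the rest of the pipeline and of the other detections touched in this change.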
@@ -22,37 +34,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local group discovery on endpoint $dest$ by user $user$. mitre_attack_id: - T1069 - T1069.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml index 953bf9262b..3d21b2281b 100644 --- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml +++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml 
@@ -1,16 +1,29 @@ name: PowerShell Invoke CIMMethod CIMSession id: 651ee958-a433-471c-b264-39725b788b83 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives. +description: The following analytic detects the creation of a New-CIMSession cmdlet + followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages + PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText + field. 
This activity is significant because it mirrors the behavior of the Invoke-WMIMethod + cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. + If confirmed malicious, this could allow an attacker to execute commands remotely, + potentially leading to unauthorized access and control over targeted systems. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_invoke_cimmethod_cimsession_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: False positives may be present based on third-party applications + or administrators using CIM. It is recommended to apply appropriate filters as needed + to minimize the number of false positives. references: - https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3 drilldown_searches: 
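Review bot: the description still says `New-CIMSession ... followed by the use of the Invoke-CIMMethod cmdlet`, but the search `ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*")` fires on either string alone, with no ordering or correlation between them; either reword the description to say that any use of the two cmdlets is flagged, or make the search require both (for example by matching both terms in the same script block, or by correlating the two events per `Computer` within a short window) so the `Anomaly` actually captures the session-then-invoke pattern. The reflow of `search:` also turns the single-line SPL into a multi-line plain scalar, which is valid YAML, but since the hunk bumps `version` to 4 without touching the logic a reviewer cannot tell from the hunk what the bump is for; say in the commit or PR text that it is the RBA schema migration.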
@@ -19,38 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession + on $Computer$. + risk_objects: + - field: Computer + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 50 - message: PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$. 
mitre_attack_id: - T1047 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_invoke_wmiexec_usage.yml b/detections/endpoint/powershell_invoke_wmiexec_usage.yml index d3fb6c0092..054bf73300 100644 --- a/detections/endpoint/powershell_invoke_wmiexec_usage.yml +++ b/detections/endpoint/powershell_invoke_wmiexec_usage.yml 
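Review bot: in the new `rba.message` the cmdlet name `Invoke-CIMSession` does not exist (the search matches `New-CimSession`), and `running a Invoke-CIMMethod` should be `running an Invoke-CIMMethod`; suggest `PowerShell was identified running Invoke-CIMMethod or New-CimSession on $Computer$.` so the message states what was actually matched. `score: 25` agrees with the deleted `confidence: 50` / `impact: 50` pair (50 x 50 / 100), so the scoring migration is consistent. The risk object is bound to the raw `Computer` field rather than `dest`; the search groups by `Computer` so the token resolves, but the reflection and TrustedHost detections in this patch rename to `dest`/`user`, and keeping one convention makes ES asset enrichment behave the same across the set.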
@@ -1,16 +1,28 @@ name: PowerShell Invoke WmiExec Usage id: 0734bd21-2769-4972-a5f1-78bb1e011224 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives. +description: The following analytic detects the execution of the Invoke-WMIExec utility + within PowerShell Script Block Logging (EventCode 4104). This detection leverages + PowerShell script block logs to identify instances where the Invoke-WMIExec command + is used. 
Monitoring this activity is crucial as it indicates potential lateral movement + using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, + this activity could allow an attacker to execute commands remotely on target systems, + potentially leading to further compromise and lateral spread within the network. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*") | stats + count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: False positives should be limited as this analytic is designed + to detect a specific utility. It is recommended to apply appropriate filters as + needed to minimize the number of false positives. references: - https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1 drilldown_searches: 
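Review bot: the `how_to_implement` text (re-wrapped but otherwise unchanged) points to a UBA page anchored at `#Configure_module_logging_for_PowerShell`, while the analytic needs Script Block Logging (EventCode 4104), not module logging; link the script block logging guidance instead so deployers enable the right policy. The search matches only the literal `*invoke-wmiexec*` in `ScriptBlockText`, which is fine for a TTP keyed to a named tool, but it means a renamed copy of the function evades the match; the `known_false_positives` note that this is `designed to detect a specific utility` is the right framing, and the description's `NTLMv2 pass-the-hash` claim should be attributed to Invoke-TheHash (the referenced repository) rather than to WMI in general.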
@@ -19,37 +31,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was identified running a Invoke-WmiExec on $Computer$. + risk_objects: + - field: Computer + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 100 - impact: 100 - message: PowerShell was identified running a Invoke-WmiExec on $Computer$. 
mitre_attack_id: - T1047 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml index 39b2094dd4..7f8f0917d4 100644 --- a/detections/endpoint/powershell_load_module_in_meterpreter.yml +++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml 
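Review bot: the new `rba` block assigns risk only to `Computer` (`type: system`); the search's `stats ... by Computer EventCode ScriptBlockText` drops the user, so there is nothing to attach a user risk object to even though the 4104 event carries `UserID`. For a `score: 100` TTP it is worth adding `UserID` to the `by` clause (renamed to `user`, as the Meterpreter and stream-processing detections in this patch do) and a second `risk_objects` entry of `type: user`, so the account that ran Invoke-WMIExec accumulates risk as well as the host. Also `running a Invoke-WmiExec` should read `running Invoke-WmiExec`.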
@@ -1,62 +1,73 @@ name: Powershell Load Module in Meterpreter id: d5905da5-d050-48db-9259-018d8f034fcf -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as "MSF.Powershell" and "MSF.Powershell.Meterpreter". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment. +description: The following analytic detects the execution of suspicious PowerShell + commands associated with Meterpreter modules, such as "MSF.Powershell" and "MSF.Powershell.Meterpreter". + It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command sent to PowerShell. This activity is significant as it indicates + potential post-exploitation actions, including credential dumping and persistence + mechanisms. If confirmed malicious, an attacker could gain extensive control over + the compromised system, escalate privileges, and maintain long-term access, posing + a severe threat to the environment. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*MSF.Powershell*","*MSF.Powershell.Meterpreter*","*MSF.Powershell.Meterpreter.Kiwi*","*MSF.Powershell.Meterpreter.Transport*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: False positives should be very limited as this is strict to MetaSploit behavior. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*MSF.Powershell*","*MSF.Powershell.Meterpreter*","*MSF.Powershell.Meterpreter.Kiwi*","*MSF.Powershell.Meterpreter.Transport*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_load_module_in_meterpreter_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: False positives should be very limited as this is strict to + MetaSploit behavior. 
references: - https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs drilldown_searches: - name: View the detection results for - "$user_id$" and "$Computer$" - search: '%original_detection_search% | search user_id = "$user_id$" Computer = "$Computer$"' + search: '%original_detection_search% | search user_id = "$user_id$" Computer = + "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user_id$" and "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", + "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was identified running a script utilized by Meterpreter from + MetaSploit on endpoint $Computer$ by user $user_id$. 
+ risk_objects: + - field: user_id + type: user + score: 100 + - field: Computer + type: system + score: 100 + threat_objects: [] tags: analytic_story: - MetaSploit asset_type: Endpoint - confidence: 100 - impact: 100 - message: PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$. mitre_attack_id: - T1059 - T1059.001 - observable: - - name: user_id - type: User - role: - - Victim - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - User_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index 35211ae96d..8c3ae5d352 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml 
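Review bot: dropping `update_timestamp: true` from the test changes how the dataset is replayed: without it the events keep their original timestamps, so the test harness must search the window the log was captured in rather than a recent one, and if it defaults to a recent window the True Positive test will find nothing; either keep the flag or say in the PR why it was removed. Two smaller points: the search groups by `user_id` while every other 4104 analytic in this patch uses `UserID` (now renamed to `user`), so confirm `user_id` is actually extracted for `XmlWinEventLog:Microsoft-Windows-PowerShell/Operational` or the `field: user_id` risk object will be empty; and `version` jumps from 3 to 5 in one change, so either an intermediate version was never committed or the bump should be 4.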
@@ -1,14 +1,14 @@ name: PowerShell Loading DotNET into Memory via Reflection id: 85bc3f30-ca28-11eb-bd21-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2025-01-16' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' +description: The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. 
+search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*", "*.LoadWithPartialName*", "*ReflectionOnlyLoad*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited as day to day scripts do not use this method. references: 
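Review bot: `known_false_positives` still says `day to day scripts do not use this method`, but the new search adds `*.LoadFrom(*`, `*.LoadModule(*` and `*LoadWithPartialName*`, and `LoadWithPartialName` in particular is common in legacy admin scripts (the `[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo")` pattern); the type change from `TTP` to `Anomaly` acknowledges the broader match, so update the false-positive text to match it. `*ReflectionOnlyLoad*` loads an assembly for inspection only and cannot execute its code, so it does not fit the description's `execute code in memory` framing; keep it if the intent is to catch tooling that uses it, but say so. Minor: `| rename Computer as dest, UserID as user| ` is missing the space before the pipe; SPL tolerates it, but it breaks the spacing the rest of the search uses.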
@@ -18,14 +18,26 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$UserID$" - search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains reflective class 
assembly command + in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in + host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Winter Vivern @@ -35,37 +47,17 @@ tags: - Malicious PowerShell - Data Destruction asset_type: Endpoint - confidence: 80 - impact: 70 - message: A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index 14fe3c500d..3f4244f0ca 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml +++ b/detections/endpoint/powershell_processing_stream_of_data.yml 
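Review bot: the rewritten risk drilldown has `normalized_risk_object IN ("$$", "$user$")`; `$$` is not a token, so the host half of the drilldown silently matches nothing. It should be `"$dest$"`, matching the renamed field and the drilldown's own name `"$dest$" and "$user$"`. The `rba.message` switching from `$Computer$` to `$dest$` is consistent with the new `rename Computer as dest` in the search, and `score: 56` agrees with the deleted `confidence: 80` / `impact: 70` (80 x 70 / 100). The file now ends without a trailing newline (`\ No newline at end of file`); please add it back, since the other YAML files keep theirs and the next edit will otherwise show a spurious change on this line.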
@@ -1,15 +1,27 @@ name: Powershell Processing Stream Of Data id: 0d718b52-c9f1-11eb-bc61-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-22' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment. +description: The following analytic detects suspicious PowerShell script execution + involving compressed stream data processing, identified via EventCode 4104. It leverages + PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, + or decompression methods. This activity is significant as it often indicates obfuscated + PowerShell or embedded .NET/binary execution, which are common tactics for evading + detection. If confirmed malicious, this behavior could allow attackers to execute + hidden code, escalate privileges, or maintain persistence within the environment. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText + = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*" | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_processing_stream_of_data_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: powershell may used this function to process compressed data. references: - https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9 
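Review bot: the search renames `UserID as user` but leaves `Computer` unrenamed, so this detection ends up half-normalized: the host risk object and drilldowns key on `Computer` while the user ones key on `user`. The TrustedHost and reflection detections in this patch do `rename Computer as dest, UserID as user`; doing the same here (and switching the drilldowns and `rba.risk_objects` to `dest`) keeps the `system` risk object on the field name ES uses for asset enrichment. Placing the rename after `stats` is fine, since `Computer` and `UserID` are both in the `by` clause.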
@@ -20,14 +32,31 @@ references: - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$UserID$" - search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' +- name: View the detection results for - "$Computer$" and "$user$" + search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains stream command in $ScriptBlockText$ + commonly for 
processing compressed or to decompressed binary file with EventCode + $EventCode$ in host $Computer$ + risk_objects: + - field: Computer + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Malicious PowerShell @@ -39,37 +68,18 @@ tags: - Braodo Stealer - PXA Stealer asset_type: Endpoint - confidence: 80 - impact: 50 - message: A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - - Score - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/streamreader.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/streamreader.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml index 816ed014db..f8535f004f 100644 --- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml +++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml 
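Review bot: the new `rba.message` reads `contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file`, which is hard to parse in an alert; suggest `PowerShell script block on $Computer$ uses a compression or stream-reader API ($ScriptBlockText$), commonly used to decompress an embedded binary (EventCode $EventCode$).` `score: 40` agrees with the deleted `confidence: 80` / `impact: 50` (80 x 50 / 100). The deleted `required_fields` list included `Score`, a field no 4104 event carries, so dropping that list is a correct cleanup rather than a loss.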
@@ -1,16 +1,30 @@ name: Powershell Remote Services Add TrustedHost id: bef21d24-297e-45e3-9b9a-c6ac45450474 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data. -search: '`powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" ScriptBlockText IN ("* -Value *", "* -Concatenate *") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: user and network administrator may used this function to add trusted host. +description: The following analytic detects the execution of a PowerShell script that + modifies the 'TrustedHosts' configuration via EventCode 4104. 
It leverages PowerShell + Script Block Logging to identify commands targeting WSMan settings, specifically + those altering or concatenating trusted hosts. This activity is significant as it + can indicate attempts to manipulate remote connection settings, potentially allowing + unauthorized remote access. If confirmed malicious, this could enable attackers + to establish persistent remote connections, bypass security protocols, and gain + unauthorized access to sensitive systems and data. +search: '`powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" + ScriptBlockText IN ("* -Value *", "* -Concatenate *") | rename Computer as dest, + UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_remote_services_add_trustedhost_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: user and network administrator may used this function to add + trusted host. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
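Review bot: requiring `ScriptBlockText IN ("* -Value *", "* -Concatenate *")` means the detection misses the positional form `Set-Item WSMan:\localhost\Client\TrustedHosts "*"` (the `-Value` parameter of `Set-Item` is positional) and the colon-bound form `-Value:"*"`, both of which change the same setting; consider dropping the parameter-name requirement, since the `WSMan:\\localhost\\Client\\TrustedHosts` path match is already the discriminating term and the `known_false_positives` line already accepts that administrators will trigger it. Separately, the `how_to_implement` link points at module-logging setup (`#Configure_module_logging_for_PowerShell`) while the analytic needs Script Block Logging (4104).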
@@ -19,44 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a powershell script adding a remote trustedhost on $dest$ . + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 80 - impact: 80 - message: a powershell script adding a remote trustedhost on $dest$ . 
mitre_attack_id: - T1021.006 - T1021 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - - Score security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml index 842a83a2a7..b342e7fea3 100644 --- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml +++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml 
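Review bot: in the `rba` block of the powershell_remote_services_add_trustedhost hunk above, `message` is carried over as "a powershell script adding a remote trustedhost on $dest$ ." with a stray space before the period, a lowercase start, and no reference to `$user$` even though `user` is now a risk object with the same score of 64. Suggest "A PowerShell script modified WSMan TrustedHosts on $dest$, run by $user$." so the finding names both risk objects.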
@@ -1,15 +1,30 @@ name: Powershell Remote Thread To Known Windows Process id: ec102cb2-a0f5-11eb-9b38-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. +description: The following analytic detects suspicious PowerShell processes attempting + to inject code into critical Windows processes using CreateRemoteThread. It leverages + Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes + like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly + used by malware such as TrickBot and offensive tools like Cobalt Strike to execute + malicious payloads, establish reverse shells, or download additional malware. If + confirmed malicious, this behavior could lead to unauthorized code execution, privilege + escalation, and persistent access within the environment. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe") TargetImage IN ("*\\svchost.exe","*\\csrss.exe" "*\\gpupdate.exe", "*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used. +search: '`sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe") + TargetImage IN ("*\\svchost.exe","*\\csrss.exe" "*\\gpupdate.exe", "*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe") + | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name + SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress + dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_remote_thread_to_known_windows_process_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, Create Remote thread from your endpoints. If you are + using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter + known instances of create remote thread may be used. 
known_false_positives: unknown references: - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ 
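Review bot: the rewrapped `search` in this hunk still has a missing comma in the `TargetImage IN (...)` list between `"*\\csrss.exe"` and `"*\\gpupdate.exe"`; even if the SPL parser tolerates adjacent values, fix it while the line is being touched so the list is unambiguous. The last sentence of `how_to_implement` ("Tune and filter known instances of create remote thread may be used.") is also not a sentence; "Tune and filter known legitimate instances of CreateRemoteThread as needed." says what is meant.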
@@ -19,48 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell process $process_name$ that tries to create a remote + thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Trickbot asset_type: Endpoint - confidence: 90 - impact: 70 - message: A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - 
Splunk Cloud - required_fields: - - _time - - SourceImage - - process_name - - SourceProcessId - - SourceProcessGuid - - TargetImage - - TargetProcessId - - NewThreadId - - StartAddress - - dest - - EventCode - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml index 3e9f9bcc03..118090ab0d 100644 --- a/detections/endpoint/powershell_remove_windows_defender_directory.yml +++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml 
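Review bot: the `rba.message` in the powershell_remote_thread_to_known_windows_process hunk above is a sentence fragment ("A suspicious powershell process $process_name$ that tries to create a remote thread ... in host $dest$") and interpolates `$EventCode$`, which is always 8 given the `EventCode = 8` filter in the search. Suggest "Suspicious PowerShell process $process_name$ created a remote thread in $TargetImage$ on $dest$."; since `SourceImage` is already in the `stats ... by` clause, the full source path would be more useful in the message than the bare process name.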
@@ -1,63 +1,71 @@ name: Powershell Remove Windows Defender Directory id: adf47620-79fa-11ec-b248-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing "rmdir" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection. +description: The following analytic detects a suspicious PowerShell command attempting + to delete the Windows Defender directory. It leverages PowerShell Script Block Logging + to identify commands containing "rmdir" and targeting the Windows Defender path. + This activity is significant as it may indicate an attempt to disable or corrupt + Windows Defender, a key security component. If confirmed malicious, this action + could allow an attacker to bypass endpoint protection, facilitating further malicious + activities without detection. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*rmdir *" AND ScriptBlockText = "*\\Microsoft\\Windows Defender*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*rmdir *" AND ScriptBlockText + = "*\\Microsoft\\Windows Defender*" | stats count min(_time) as firstTime max(_time) + as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename UserID + as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_remove_windows_defender_directory_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: unknown references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$UserID$" - search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' +- name: View the detection results for - "$Computer$" and "$user$" + search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for 
the last 7 days for - "$Computer$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: suspicious powershell script $ScriptBlockText$ was executed on the $Computer$ + risk_objects: + - field: Computer + type: system + score: 90 + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Data Destruction - WhisperGate asset_type: Endpoint - confidence: 90 - impact: 100 - message: suspicious powershell script $ScriptBlockText$ was executed on the $Computer$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog 
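Review bot: in the powershell_remove_windows_defender_directory hunk, the new `| rename UserID as user` is appended after `stats ... by Opcode Computer UserID EventCode ScriptBlockText` and `Computer` is left unrenamed, so the risk object is `Computer`, while the sibling change to powershell_remote_services_add_trustedhost in this same patch does `rename Computer as dest, UserID as user` before `stats`. Align the two: rename both fields before `stats` and use `$dest$` in the drilldowns and `rba`, so analytics on the same 4104 data source share CIM field names. Also, `version` jumps from 5 to 7 in a single change; confirm the two-step bump is intended.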
diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml index be52270ead..12c23a7a46 100644 --- a/detections/endpoint/powershell_script_block_with_url_chain.yml +++ b/detections/endpoint/powershell_script_block_with_url_chain.yml 
@@ -1,15 +1,31 @@ name: PowerShell Script Block With URL Chain id: 4a3f2a7d-6402-4e64-a76a-869588ec3b57 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. Review parallel processes and the full script block for additional context and related artifacts. +description: The following analytic identifies suspicious PowerShell script execution + via EventCode 4104 that contains multiple URLs within a function or array. It leverages + PowerShell operational logs to detect script blocks with embedded URLs, often indicative + of obfuscated scripts or those attempting to download secondary payloads. This activity + is significant as it may signal an attempt to execute malicious code or download + additional malware. If confirmed malicious, this could lead to code execution, further + system compromise, or data exfiltration. Review parallel processes and the full + script block for additional context and related artifacts. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") | regex ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" | rex max_match=20 field=ScriptBlockText "(?https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))" | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
+search: '`powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") | regex + ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" + | rex max_match=20 field=ScriptBlockText "(?https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))" + | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) + as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) + as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, + Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Unknown, possible custom scripting. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations 
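Review bot: the `rex` in the `search` of this hunk reads `(?https?:\/\/...` in both the old and new lines, which is not a valid named capture group, yet the `stats` clause depends on a field called `url` (`values(url) as url dc(url) as url_count`). The committed YAML presumably carries `(?<url>https?:\/\/...)` and the `<url>` was lost in rendering; please confirm the named group is really there, otherwise `url` and `url_count` are never populated and the `dc(url)` count the message relies on is always empty.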
@@ -21,51 +37,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ + URLs in an array, this is commonly used for malware. + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: + - field: file_name + type: file_name + - field: url + type: url tags: analytic_story: - Malicious PowerShell asset_type: Endpoint - confidence: 80 - impact: 100 - message: A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware. 
mitre_attack_id: - T1059.001 - T1105 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ActivityID - - Computer - - ScriptBlockText - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index 6299496bbb..6b50ec5b4f 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml 
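Review bot: in `rba.threat_objects` of the powershell_script_block_with_url_chain hunk above, `file_name` is taken from `values(Path) as file_name`, and the search sets `Path` to the literal string "unknown" whenever it is null (`eval Path = case(isnotnull(Path),Path,true(),"unknown")`). Every script block logged without a path will therefore emit a threat object named "unknown", which risk-based correlation will treat as one shared indicator across unrelated findings. Either leave `Path` null in the search (drop the `eval`, or apply it only for display after the `stats`), or keep `file_name` out of `threat_objects` when it is not a real path.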
@@ -1,18 +1,40 @@ name: PowerShell Start-BitsTransfer id: 39e2605a-90d8-11eb-899e-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of the PowerShell command `Start-BitsTransfer`, which can be used for file transfers, including potential data exfiltration. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because `Start-BitsTransfer` can be abused by adversaries to upload sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, this could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further exploitation of the network. +description: The following analytic detects the execution of the PowerShell command + `Start-BitsTransfer`, which can be used for file transfers, including potential + data exfiltration. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process creation events and command-line arguments. This activity + is significant because `Start-BitsTransfer` can be abused by adversaries to upload + sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, + this could lead to unauthorized data exfiltration, compromising sensitive information + and potentially leading to further exploitation of the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_start_bitstransfer_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives. It is possible administrators will + utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent + process or command-line arguments. references: - https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281 - https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs 
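Review bot: `known_false_positives` in this hunk is rewrapped but still reads "otherwise filter based parent process or command-line arguments"; it should be "filter based on parent process or command-line arguments". Separately, `version` goes from 4 to 6 in one change; confirm the two-step bump is intended.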
@@ -22,50 +44,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process $process_name$ with commandline $process$ that are + related to bittransfer functionality in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - BITS Jobs - Gozi Malware asset_type: Endpoint - confidence: 80 - impact: 70 - message: A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$ mitre_attack_id: - T1197 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - 
- _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml index 0bc5074d26..4779e1c10c 100644 --- a/detections/endpoint/powershell_start_or_stop_service.yml +++ b/detections/endpoint/powershell_start_or_stop_service.yml 
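Review bot: the `rba.message` in the powershell_start_bitstransfer hunk above, "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", has a subject/verb mismatch and a misspelled product name. Suggest "Process $process_name$ on $dest$ ran a Start-BitsTransfer command: $process$" (or "BITS transfer" if the generic term is kept).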
@@ -1,16 +1,31 @@ name: PowerShell Start or Stop Service id: 04207f8a-e08d-4ee6-be26-1e0c4488b04a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. +description: The following analytic identifies the use of PowerShell's Start-Service + or Stop-Service cmdlets on an endpoint. 
It leverages PowerShell Script Block Logging + to detect these commands. This activity is significant because attackers can manipulate + services to disable or stop critical functions, causing system instability or disrupting + business operations. If confirmed malicious, this behavior could allow attackers + to disable security services, evade detection, or disrupt essential services, leading + to potential system downtime and compromised security. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_start_or_stop_service_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: This behavior may be noisy, as these cmdlets are commonly used + by system administrators or other legitimate users to manage services. Therefore, + it is recommended not to enable this analytic as a direct finding Instead, + it should be used as part of a broader set of security controls to detect and investigate + potential threats. references: - https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3 
@@ -20,37 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was identified attempting to start or stop a service on $Computer$. + risk_objects: + - field: Computer + type: system + score: 10 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 20 - impact: 50 - message: PowerShell was identified attempting to start or stop a service on $Computer$. 
mitre_attack_id: - T1059.001 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml index 7a7331ee9b..a57cf47628 100644 --- a/detections/endpoint/powershell_using_memory_as_backing_store.yml +++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml 
@@ -1,16 +1,30 @@ name: Powershell Using memory As Backing Store id: c396a0c4-c9f2-11eb-b4f5-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious PowerShell script execution using memory streams as a backing store, identified via EventCode 4104. It leverages PowerShell Script Block Logging to capture scripts that create new objects with memory streams, often used to decompress and execute payloads in memory. This activity is significant as it indicates potential in-memory execution of malicious code, bypassing traditional file-based detection. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges without leaving a trace on the disk. +description: The following analytic detects suspicious PowerShell script execution + using memory streams as a backing store, identified via EventCode 4104. It leverages + PowerShell Script Block Logging to capture scripts that create new objects with + memory streams, often used to decompress and execute payloads in memory. This activity + is significant as it indicates potential in-memory execution of malicious code, + bypassing traditional file-based detection. If confirmed malicious, this technique + could allow attackers to execute arbitrary code, maintain persistence, or escalate + privileges without leaving a trace on the disk. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: powershell may used this function to store out object into memory. +search: '`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText + = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename + UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_using_memory_as_backing_store_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: powershell may used this function to store out object into + memory. references: - https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/ - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -24,9 +38,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell script contains memorystream command on host $dest$. + risk_objects: + - field: dest + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Malicious PowerShell 
@@ -35,36 +64,18 @@ tags: - IcedID - MoonPeak asset_type: Endpoint - confidence: 80 - impact: 50 - message: A PowerShell script contains memorystream command on host $dest$. mitre_attack_id: - T1059.001 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/pwsh/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/pwsh/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_webrequest_using_memory_stream.yml b/detections/endpoint/powershell_webrequest_using_memory_stream.yml index 9d4027e600..2c0fa1ba0d 100644 --- a/detections/endpoint/powershell_webrequest_using_memory_stream.yml +++ b/detections/endpoint/powershell_webrequest_using_memory_stream.yml 
@@ -1,15 +1,29 @@ name: PowerShell WebRequest Using Memory Stream id: 103affa6-924a-4b53-aff4-1d5075342aab -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment. +description: The following analytic detects the use of .NET classes in PowerShell + to download a URL payload directly into memory, a common fileless malware staging + technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify + suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, + and `IO.MemoryStream`. This activity is significant as it indicates potential fileless + malware execution, which is harder to detect and can bypass traditional file-based + defenses. If confirmed malicious, this technique could allow attackers to execute + code in memory, evade detection, and maintain persistence in the environment. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*system.net.webclient*","*system.net.webrequest*") AND ScriptBlockText="*IO.MemoryStream*" | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*system.net.webclient*","*system.net.webrequest*") + AND ScriptBlockText="*IO.MemoryStream*" | eval Path = case(isnotnull(Path),Path,true(),"unknown") + | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) + as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, + EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Unknown, possible custom scripting. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations 
@@ -21,49 +35,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell webrequest to memory stream behavior. Possible fileless malware + staging on $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Malicious PowerShell - MoonPeak asset_type: Endpoint - confidence: 80 - impact: 100 - message: Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$. 
mitre_attack_id: - T1059.001 - T1105 - T1027.011 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ActivityID - - Computer - - ScriptBlockText - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index 87a85983b1..7e80adf439 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml 
@@ -1,15 +1,28 @@ name: Powershell Windows Defender Exclusion Commands id: 907ac95c-4dd9-11ec-ba2c-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected. +description: The following analytic detects the use of PowerShell commands to add + or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious + `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This + activity is significant because adversaries often use it to bypass Windows Defender, + allowing malicious code to execute without detection. If confirmed malicious, this + behavior could enable attackers to evade antivirus defenses, maintain persistence, + and execute further malicious activities undetected. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText = "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText + = "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*" | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. known_false_positives: admin or user may choose to use this windows features. references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html 
@@ -21,9 +34,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Exclusion command $ScriptBlockText$ executed on $dest$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - CISA AA22-320A 
@@ -34,36 +62,18 @@ tags: - WhisperGate - Warzone RAT asset_type: Endpoint - confidence: 80 - impact: 80 - message: Exclusion command $ScriptBlockText$ executed on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml index da6f900e38..06ea69848f 100644 --- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml +++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml 
@@ -1,18 +1,40 @@ name: Prevent Automatic Repair Mode using Bcdedit id: 7742aa92-c9d9-11eb-bbfc-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of "bcdedit.exe" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage. +description: The following analytic detects the execution of "bcdedit.exe" with parameters + to set the boot status policy to ignore all failures. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + arguments. This activity is significant because it can indicate an attempt by ransomware + to prevent a compromised machine from booting into automatic repair mode, thereby + hindering recovery efforts. If confirmed malicious, this action could allow attackers + to maintain control over the infected system, complicating remediation and potentially + leading to further damage. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "bcdedit.exe" Processes.process = "*bootstatuspolicy*" Processes.process = "*ignoreallfailures*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may modify the boot configuration ignore failure during testing and debugging. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "bcdedit.exe" + Processes.process = "*bootstatuspolicy*" Processes.process = "*ignoreallfailures*" + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `prevent_automatic_repair_mode_using_bcdedit_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may modify the boot configuration ignore failure + during testing and debugging. references: - https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf drilldown_searches: 
@@ -21,47 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process $process_name$ with process id $process_id$ contains + commandline $process$ to ignore all bcdedit execution failure in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Ransomware - Chaos Ransomware asset_type: Endpoint - confidence: 80 - impact: 70 - message: A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$ mitre_attack_id: - T1490 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - 
Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process_guid - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml index c0a6766b2f..b61f5a4105 100644 --- a/detections/endpoint/print_processor_registry_autostart.yml +++ b/detections/endpoint/print_processor_registry_autostart.yml 
@@ -1,19 +1,46 @@ name: Print Processor Registry Autostart id: 1f5b68aa-2037-11ec-898e-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: experimental type: TTP -description: The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine. +description: The following analytic detects suspicious modifications or new entries + in the Print Processor registry path. It leverages registry activity data from the + Endpoint data model to identify changes in the specified registry path. This activity + is significant because the Print Processor registry is known to be exploited by + APT groups like Turla for persistence and privilege escalation. If confirmed malicious, + this could allow an attacker to execute a malicious DLL payload by restarting the + spoolsv.exe process, leading to potential control over the compromised machine. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -known_false_positives: possible new printer installation may add driver component on this registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path + ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name | + `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `print_processor_registry_autostart_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data + used for this search is typically generated via logs that report reads and writes + to the registry. +known_false_positives: possible new printer installation may add driver component + on this registry. references: - https://attack.mitre.org/techniques/T1547/012/ - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ +rba: + message: modified/added/deleted registry entry $Registry.registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Data Destruction @@ -21,37 +48,18 @@ tags: - Hermetic Wiper - Windows Persistence Techniques asset_type: Endpoint - confidence: 100 - impact: 80 - message: modified/added/deleted registry entry $Registry.registry_path$ in $dest$ mitre_attack_id: - T1547.012 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml index 9de2400d2e..1c47ffd8df 100644 --- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml +++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml 
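Review bot: the new `rba.message` still references `$Registry.registry_path$`, but the search runs `drop_dm_object_name(Registry)` before the filter macro, so the field present on the notable is `registry_path` and that token will not expand; use `$registry_path$` instead (`$dest$` and `$user$` are already the post-drop names, so this is the only mismatch). The `score: 80` on both risk objects matches the removed `confidence: 100` / `impact: 80` pair, so the migration itself is consistent.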
@@ -1,15 +1,27 @@ name: Print Spooler Adding A Printer Driver id: 313681a2-da8e-11eb-adad-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as "kernelbase.dll" and "UNIDRV.DLL." This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended. +description: The following analytic detects the addition of new printer drivers by + monitoring Windows PrintService operational logs, specifically EventCode 316. This + detection leverages log data to identify messages indicating the addition or update + of printer drivers, such as "kernelbase.dll" and "UNIDRV.DLL." This activity is + significant as it may indicate exploitation attempts related to vulnerabilities + like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain + code execution or escalate privileges, potentially compromising the affected system. + Immediate isolation and investigation of the endpoint are recommended. 
data_source: - Windows Event Log Printservice 316 -search: '`printservice` EventCode=316 category = "Adding a printer driver" Message = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`' -how_to_implement: You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. +search: '`printservice` EventCode=316 category = "Adding a printer driver" Message + = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*" | stats count + min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName + Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `print_spooler_adding_a_printer_driver_filter`' +how_to_implement: You will need to ensure PrintService Admin and Operational logs + are being logged to Splunk from critical or all systems. known_false_positives: Unknown. This may require filtering. references: - https://twitter.com/MalwareJake/status/1410421445608476679?s=20 
@@ -22,42 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$ComputerName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious print driver was loaded on endpoint $ComputerName$. + risk_objects: + - field: ComputerName + type: system + score: 72 + threat_objects: [] tags: analytic_story: - PrintNightmare CVE-2021-34527 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - CVE-2021-1675 - impact: 80 - message: Suspicious print driver was loaded on endpoint $ComputerName$. 
mitre_attack_id: - T1547.012 - T1547 - observable: - - name: ComputerName - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OpCode - - EventCode - - ComputerName - - Message - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log source: WinEventLog:Microsoft-Windows-PrintService/Operational sourcetype: WinEventLog diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 6724c98beb..5e37c7894e 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml 
@@ -1,16 +1,28 @@ name: Print Spooler Failed to Load a Plug-in id: 1adc9548-da7c-11eb-8f13-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as "meterpreter.dll," with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise. +description: The following analytic detects driver load errors in the Windows PrintService + Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). + It triggers on error messages indicating the print spooler failed to load a plug-in + module, such as "meterpreter.dll," with error code 0x45A. This detection method + leverages specific event codes and error messages. This activity is significant + as it may indicate an exploitation attempt of a known vulnerability. If confirmed + malicious, an attacker could gain unauthorized code execution on the affected system, + leading to potential system compromise. 
data_source: - Windows Event Log Printservice 808 - Windows Event Log Printservice 4909 -search: '`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`' -how_to_implement: You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. +search: '`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) + OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) + | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode + ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `print_spooler_failed_to_load_a_plug_in_filter`' +how_to_implement: You will need to ensure PrintService Admin and Operational logs + are being logged to Splunk from critical or all systems. known_false_positives: False positives are unknown and filtering may be required. references: - https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available 
@@ -22,42 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$ComputerName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious printer spooler errors have occurred on endpoint $ComputerName$ + with EventCode $EventCode$. + risk_objects: + - field: ComputerName + type: system + score: 72 + threat_objects: [] tags: analytic_story: - PrintNightmare CVE-2021-34527 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - CVE-2021-1675 - impact: 80 - message: Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$. 
mitre_attack_id: - T1547.012 - T1547 - observable: - - name: ComputerName - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OpCode - - EventCode - - ComputerName - - Message - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log source: WinEventLog:Microsoft-Windows-PrintService/Admin sourcetype: WinEventLog diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index b7c72ed01a..4cf346c8fa 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml 
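Review bot: the `$EventCode$` interpolated into the new `rba.message` is not limited to the 808 and 4909 listed under `data_source`, because the second OR branch of the search (`"The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"`) matches any `printservice` event containing those strings with no `EventCode` or `ErrorCode` constraint. Either add the EventCode constraint to that branch or widen `data_source` so the documented inputs match what can actually fire. The message text also silently fixes the old "occured" typo, which is fine but worth a mention in the commit message.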
@@ -1,16 +1,37 @@ name: Process Creating LNK file in Suspicious Location id: 5d814af1-1041-47b5-a9ac-d754e82e9a26 -version: 8 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: Jose Hernandez, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system. +description: The following analytic detects a process creating a `.lnk` file in suspicious + locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process + activity data from the Endpoint data model to identify this behavior. This activity + is significant because creating `.lnk` files in these directories is a common tactic + used by spear phishing tools to establish persistence or execute malicious payloads. + If confirmed malicious, this could allow an attacker to maintain persistence, execute + arbitrary code, or further compromise the system. 
data_source: - Sysmon EventID 11 AND Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND (Filesystem.file_path="C:\\Users\\*" OR Filesystem.file_path="*\\Temp\\*") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`' -how_to_implement: You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. -known_false_positives: This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" + AND (Filesystem.file_path="C:\\Users\\*" OR Filesystem.file_path="*\\Temp\\*") by + _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path + Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename + process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` + count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time + span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name + Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` + | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, + dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`' +how_to_implement: You must be ingesting data that records filesystem and process activity + from your hosts to populate the Endpoint data model. This is typically populated + via endpoint detection-and-response product, such as Carbon Black, or endpoint data + sources, such as Sysmon. +known_false_positives: This detection should yield little or no false positive results. + It is uncommon for LNK files to be executed from temporary or user directories. references: - https://attack.mitre.org/techniques/T1566/001/ - https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html 
@@ -21,9 +42,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ that launching .lnk file in $file_path$ in host + $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments 
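Review bot: the `rba.message` carries over the ungrammatical and misleading wording `A process $process_name$ that launching .lnk file in $file_path$ in host $dest$`; the search detects the creation of a `.lnk` file (`Endpoint.Filesystem` with `Filesystem.file_name="*.lnk"`), not its launch, so something like `Process $process_name$ created .lnk file $file_path$ on host $dest$` would read correctly and match the analytic name. Both `process_name` and `file_path` are in the final `table`, so the tokens resolve.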
@@ -32,39 +69,18 @@ tags: - Amadey - Gozi Malware asset_type: Endpoint - confidence: 90 - impact: 70 - message: A process $process_name$ that launching .lnk file in $file_path$ in host $dest$ mitre_attack_id: - T1566 - T1566.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.file_hash - - Filesystem.user - risk_score: 63 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index cc20a0c14b..bec4822fbf 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml 
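Review bot: `security_domain: network` in the unchanged context of this hunk looks wrong for an analytic built on the `Endpoint.Filesystem` and `Endpoint.Processes` data models with `asset_type: Endpoint`; since this version bump already rewrites the tags block, consider changing it to `endpoint` like the neighbouring detections.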
@@ -1,17 +1,37 @@ name: Process Deleting Its Process File Path id: f7eda4bc-871c-11eb-b110-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras status: production type: TTP -description: The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts. +description: The following analytic identifies a process attempting to delete its + own file path, a behavior often associated with defense evasion techniques. This + detection leverages Sysmon EventCode 1 logs, focusing on command lines executed + via cmd.exe that include deletion commands. This activity is significant as it may + indicate malware, such as Clop ransomware, trying to evade detection by removing + its executable file if certain conditions are met. If confirmed malicious, this + could allow the attacker to persist undetected, complicating incident response and + remediation efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image = "*\\cmd.exe" | eval result = if(like(process,"%".parent_process."%"), "Found", "Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = "Found" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '`sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image + = "*\\cmd.exe" | eval result = if(like(process,"%".parent_process."%"), "Found", + "Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by dest + user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result + | where result = "Found" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `process_deleting_its_process_file_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft 
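Review bot: `data_source` lists Windows Event Log Security 4688 and CrowdStrike ProcessRollup2, and `how_to_implement` says the logs must be mapped to the `Processes` node of the `Endpoint` data model, but the search is bound to the `sysmon` macro with `EventCode=1` and raw Sysmon field names (`Image`, `ParentImage`, `CommandLine`), while the `eval` compares the CIM names `process` and `parent_process`; only Sysmon data with the Sysmon TA's field aliases will populate all of those. Either trim `data_source` to Sysmon EventID 1 and reword `how_to_implement`, or rewrite the search against the data model so the documented sources are real.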
@@ -23,9 +43,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $Image$ tries to delete its process path in commandline $CommandLine$ + as part of defense evasion in host $dest$ by user $user$ + risk_objects: + - field: dest + type: system + score: 60 + - field: user + type: user + score: 60 + threat_objects: [] tags: analytic_story: - Clop Ransomware 
@@ -33,40 +69,17 @@ tags: - WhisperGate - Remcos asset_type: Endpoint - confidence: 100 - impact: 60 - message: A process $Image$ tries to delete its process path in commandline $CommandLine$ as part of defense evasion in host $dest$ by user $user$ mitre_attack_id: - T1070 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - dest - - user - - ParentImage - - ParentCommandLine - - Image - - cmdline - - ProcessID - - result - - _time - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml index 12abf7bc4c..2c46069609 100644 --- a/detections/endpoint/process_execution_via_wmi.yml +++ b/detections/endpoint/process_execution_via_wmi.yml 
@@ -1,18 +1,39 @@ name: Process Execution via WMI id: 24869767-8579-485d-9a4f-d9ddfd8f0cac -version: 7 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of a process by `WmiPrvSE.exe`, indicating potential use of WMI (Windows Management Instrumentation) for process creation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as WMI can be used for lateral movement, remote code execution, or persistence by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary commands or scripts, potentially leading to further compromise of the affected system or network. +description: The following analytic detects the execution of a process by `WmiPrvSE.exe`, + indicating potential use of WMI (Windows Management Instrumentation) for process + creation. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process and parent process relationships. This activity is significant + as WMI can be used for lateral movement, remote code execution, or persistence by + attackers. If confirmed malicious, this could allow an attacker to execute arbitrary + commands or scripts, potentially leading to further compromise of the affected system + or network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN ("*\\dismhost.exe*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, administrators may use wmi to execute commands for legitimate purposes. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe + NOT (Processes.process IN ("*\\dismhost.exe*")) by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, administrators may use wmi to execute commands + for legitimate purposes. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" 
@@ -20,43 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host + - $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 70 - impact: 70 - message: A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$ mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.user - - 
Processes.dest - - Processes.process_name - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml index 51df2c0834..bb4f8eb862 100644 --- a/detections/endpoint/process_kill_base_on_file_path.yml +++ b/detections/endpoint/process_kill_base_on_file_path.yml 
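Review bot: in the new `rba` block of process_execution_via_wmi.yml (hunk above), the relocated message "A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$" does not describe what the search matches: the `where` clause is `Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN ("*\\dismhost.exe*"))`, i.e. any child of WmiPrvSE.exe other than dismhost.exe, not wmic.exe specifically. Since the message is being moved anyway, consider rewording it around the fields the search actually emits, e.g. "$process_name$ spawned by WmiPrvSE.exe on $dest$". The scores of 49 on both risk objects are consistent with the removed `confidence: 70` and `impact: 70` (70 × 70 / 100).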
@@ -1,17 +1,38 @@ name: Process Kill Base On File Path id: 5ffaa42c-acdb-11eb-9ad3-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment. +description: The following analytic detects the use of `wmic.exe` with the `delete` + command to remove an executable path. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, parent processes, + and command-line executions. This activity is significant because it often indicates + the initial stages of an adversary setting up malicious activities, such as cryptocurrency + mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker + to disable security tools or other critical processes, facilitating further compromise + and persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process="*process*" AND Processes.process="*executablepath*" AND Processes.process="*delete*" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process="*process*" + AND Processes.process="*executablepath*" AND Processes.process="*delete*" by Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `process_kill_base_on_file_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 
@@ -21,50 +42,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ attempt to kill process by its file path using + commandline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - XMRig asset_type: Endpoint - confidence: 80 - impact: 70 - message: A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - 
Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml index b74d603909..a76100c545 100644 --- a/detections/endpoint/process_writing_dynamicwrapperx.yml +++ b/detections/endpoint/process_writing_dynamicwrapperx.yml 
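Review bot: process_kill_base_on_file_path.yml jumps from `version: 4` to `version: 6` while every other detection in this change is bumped by exactly one; confirm that a version 5 was actually released, otherwise this should be 5. The relocated `rba.message` also carries over awkward grammar ("A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$"); since the text is being moved, suggest "Process $process_name$ attempted to kill a process by its file path using command line $process$ on host $dest$". The 56 scores match the removed `confidence: 80` and `impact: 70`, and `$process_name$`, `$process$` and `$dest$` are all produced by the search's `values(Processes.process) as process` and `by` clause.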
@@ -1,16 +1,40 @@ name: Process Writing DynamicWrapperX id: b0a078e4-2601-11ec-9aec-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended. +description: The following analytic detects a process writing the dynwrapx.dll file + to disk and registering it in the registry. It leverages data from the Endpoint + datamodel, specifically monitoring process and filesystem events. This activity + is significant because DynamicWrapperX is an ActiveX component often used in scripts + to call Windows API functions, and its presence in non-standard locations is highly + suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary + code, escalate privileges, or maintain persistence within the environment. Immediate + investigation of parallel processes and registry modifications is recommended. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid + Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats + `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where + Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time + Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user + | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name + file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) + as lastTime by dest process_name process_guid file_name file_path file_create_time + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `process_writing_dynamicwrapperx_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` + node. In addition, confirm the latest CIM App 4.20 or higher is installed and the + latest TA for the endpoint product. +known_false_positives: False positives should be limited, however it is possible to + filter by Processes.process_name and specific processes (ex. wscript.exe). Filter + as needed. This may need modification based on EDR telemetry and how it brings in + registry data. For example, removal of (Default). references: - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ - https://www.script-coding.com/dynwrapx_eng.html 
@@ -21,42 +45,18 @@ tags: analytic_story: - Remcos asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll. mitre_attack_id: - T1059 - T1559.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - process_name - - process_guid - - file_name - - file_path - - file_create_time user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index 15388aa291..e719a57984 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml 
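Review bot: the rewrapped `description` of process_writing_dynamicwrapperx.yml still says the analytic detects the DLL being written to disk "and registering it in the registry", and `known_false_positives` talks about registry telemetry and removal of "(Default)", but the search only joins `Endpoint.Processes` with `Endpoint.Filesystem` on `process_guid` and touches no Registry node. Since both blocks are being edited in this hunk, either trim the registry claims or state that registry coverage is provided elsewhere. Dropping `confidence`, `impact`, `message`, `observable` and `risk_score` without adding an `rba` block is consistent with `type: Hunting`, matching the other Hunting detections in this change.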
@@ -1,18 +1,40 @@ name: Processes launching netsh id: b89919ed-fe5f-492c-b139-95dbb162040e -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Josef Kuepker, Splunk status: production type: Anomaly -description: The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security. +description: The following analytic identifies processes launching netsh.exe, a command-line + utility used to modify network configurations. It detects this activity by analyzing + data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, + names, parent processes, and command-line executions. This behavior is significant + because netsh.exe can be exploited to execute malicious helper DLLs, serving as + a persistence mechanism. If confirmed malicious, an attacker could gain persistent + access, modify network settings, and potentially escalate privileges, posing a severe + threat to the network's integrity and security. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_netsh` by Processes.parent_process_name Processes.parent_process + Processes.original_file_name Processes.process_name Processes.user Processes.dest + |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + |`processes_launching_netsh_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some VPN applications are known to launch netsh.exe. Outside + of these instances, it is unusual for an executable to launch netsh.exe and run + commands. references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: 
@@ -21,9 +43,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ has launched netsh with command-line $process$ + on $dest$. + risk_objects: + - field: dest + type: system + score: 14 + - field: user + type: user + score: 14 + threat_objects: [] tags: analytic_story: - Netsh Abuse 
@@ -34,38 +72,18 @@ tags: - Snake Keylogger - ShrinkLocker asset_type: Endpoint - confidence: 70 - impact: 20 - message: A process $process_name$ has launched netsh with command-line $process$ on $dest$. mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.user - - Processes.dest - risk_score: 14 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml index fbf470d945..718d164344 100644 --- a/detections/endpoint/processes_tapping_keyboard_events.yml +++ b/detections/endpoint/processes_tapping_keyboard_events.yml 
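Review bot: in processes_launching_netsh.yml the `description` frames the risk as netsh helper DLLs "serving as a persistence mechanism", yet `mitre_attack_id` lists only T1562.004 and T1562 (Impair Defenses). While the tags block is being reworked here, consider adding T1546.007 (Event Triggered Execution: Netsh Helper DLL) so the mapping reflects the described behaviour. The new `rba` scores of 14 agree with the removed `confidence: 70` and `impact: 20`, and `$process_name$`, `$process$` and `$dest$` in the message are all available after `drop_dm_object_name("Processes")`.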
@@ -1,39 +1,46 @@ name: Processes Tapping Keyboard Events id: 2a371608-331d-4034-ae2c-21dda8f1d0ec -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Jose Hernandez, Splunk status: experimental type: TTP -description: The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system. +description: The following analytic detects processes on macOS systems that are tapping + keyboard events, potentially monitoring all keystrokes made by a user. It leverages + data from osquery results within the Alerts data model, focusing on specific process + names and command lines. This activity is significant as it is a common technique + used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security + risk. If confirmed malicious, this could lead to unauthorized access to sensitive + information, including passwords and personal data, compromising the integrity and + confidentiality of the system. 
data_source: [] -search: '| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model. -known_false_positives: There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment. +search: '| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps + | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| + dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data + from your osquery deployed agents with the + [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) + pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must + be deployed across your indexers and universal forwarders in order to have the osquery + data populate the Alerts data model. 
+known_false_positives: There might be some false positives as keyboard event taps + are used by processes like Siri and Zoom video chat, for some good examples of processes + to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) + comment. references: [] +rba: + message: Keyboard Event Tapping observed on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - ColdRoot MacOS RAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - app - - name - - columns.cmdline - - columns.name - - columns.pid - - host - risk_score: 25 security_domain: threat diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml index 2520f7ecd4..ddca4c00e3 100644 --- a/detections/endpoint/randomly_generated_scheduled_task_name.yml +++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml 
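Review bot: the `rba` block for processes_tapping_keyboard_events.yml is an improvement over what it replaces: the old `message: tbd` and an `observable` on `dest`, a field this search never outputs, give way to `$host$`, which is exactly what `| table host,process_name, cmd, process_id` produces, and the score of 25 matches the removed `confidence: 50` and `impact: 50`. One leftover: `data_source: []` is still empty even though `how_to_implement` names the osquery results feed (osx-attacks pack via TA-OSquery); populate it so the detection's telemetry requirement is machine-readable like the other files in this change.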
@@ -1,15 +1,26 @@ name: Randomly Generated Scheduled Task Name id: 9d22a780-5165-11ec-ad4f-3e22fbd008af -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network. +description: The following analytic detects the creation of a Scheduled Task with + a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` + function from the URL ToolBox Splunk application to measure the entropy of the Task + Name. This activity is significant as adversaries often use randomly named Scheduled + Tasks for lateral movement and remote code execution, employing tools like Impacket + or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary + code remotely, potentially leading to further compromise and persistence within + the network. data_source: - Windows Event Log Security 4698 -search: '`wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required. 
+search: '`wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup + word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, + Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well + as the URL ToolBox application are also required. known_false_positives: Legitimate applications may use random Scheduled Task names. references: - https://attack.mitre.org/techniques/T1053/005/ @@ -21,26 +32,11 @@ tags: - CISA AA22-257A - Scheduled Tasks asset_type: Endpoint - confidence: 50 - impact: 90 - message: A windows scheduled task with a suspicious task name was created on $dest$ mitre_attack_id: - T1053 - T1053.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Task_Name - - Description - - Command - risk_score: 45 security_domain: endpoint diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml index b1c573d7c5..da693af615 100644 --- a/detections/endpoint/randomly_generated_windows_service_name.yml +++ b/detections/endpoint/randomly_generated_windows_service_name.yml 
@@ -1,15 +1,26 @@ name: Randomly Generated Windows Service Name id: 2032a95a-5165-11ec-a2c3-3e22fbd008af -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. +description: The following analytic detects the installation of a Windows Service + with a suspicious, high-entropy name, indicating potential malicious activity. It + leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk + application to identify services with random names. This behavior is significant + as adversaries often use randomly named services for lateral movement and remote + code execution. If confirmed malicious, this activity could allow attackers to execute + arbitrary code, escalate privileges, or maintain persistence within the environment. data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required. 
+search: '`wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name + | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type + Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. The Windows TA as well as the URL ToolBox application are also + required. known_false_positives: Legitimate applications may use random Windows Service names. references: - https://attack.mitre.org/techniques/T1543/003/ @@ -18,28 +29,11 @@ tags: - Active Directory Lateral Movement - BlackSuit Ransomware asset_type: Endpoint - confidence: 50 - impact: 90 - message: A Windows Service with a suspicious service name was installed on $ComputerName$ mitre_attack_id: - T1543 - T1543.003 - observable: - - name: ComputerName - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ComputerName - - Service_File_Name - - Service_Type - - Service_Name - - Service_Start_Type - risk_score: 45 security_domain: endpoint diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index ee96c13600..61d4c21f17 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml 
@@ -1,15 +1,28 @@ name: Ransomware Notes bulk creation id: eff7919a-8330-11eb-83f8-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras status: production type: Anomaly -description: The following analytic identifies the bulk creation of ransomware notes (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode 11 to detect multiple instances of these file types being created within a short time frame. This activity is significant as it often indicates an active ransomware attack, where the attacker is notifying the victim of the encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption. +description: The following analytic identifies the bulk creation of ransomware notes + (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode + 11 to detect multiple instances of these file types being created within a short + time frame. This activity is significant as it often indicates an active ransomware + attack, where the attacker is notifying the victim of the encryption. If confirmed + malicious, this behavior could lead to widespread data encryption, rendering critical + files inaccessible and potentially causing significant operational disruption. 
data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`' -how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. +search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time + span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) + as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer + Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`' +how_to_implement: You must be ingesting data that records the filesystem activity + from your hosts to populate the Endpoint file-system data model node. If you are + using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft 
@@ -20,9 +33,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A high frequency file creation of $file_name$ in different file path in + host $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Clop Ransomware 
@@ -32,33 +58,17 @@ tags: - LockBit Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 90 - impact: 90 - message: A high frequency file creation of $file_name$ in different file path in host $dest$ mitre_attack_id: - T1486 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - file_name - - _time - - TargetFilename - - dest - - Image - - user - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml index dd186cde58..b217c5d2a0 100644 --- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml +++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml 
@@ -1,15 +1,28 @@ name: Recon AVProduct Through Pwh or WMI id: 28077620-c9f6-11eb-8785-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like "SELECT," "WMIC," "AntiVirusProduct," or "AntiSpywareProduct." This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint. +description: The following analytic detects suspicious PowerShell script execution + via EventCode 4104, specifically targeting checks for installed anti-virus products + using WMI or PowerShell commands. This detection leverages PowerShell Script Block + Logging to identify scripts containing keywords like "SELECT," "WMIC," "AntiVirusProduct," + or "AntiSpywareProduct." This activity is significant as it is commonly used by + malware and APT actors to map running security applications or services, potentially + aiding in evasion techniques. If confirmed malicious, this could allow attackers + to disable or bypass security measures, leading to further compromise of the endpoint. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText + = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: network administrator may used this command for checking purposes references: - https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/ 
@@ -24,9 +37,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains AV recon command on host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Qakbot 
@@ -38,35 +66,17 @@ tags: - Data Destruction - MoonPeak asset_type: Endpoint - confidence: 80 - impact: 70 - message: A suspicious powershell script contains AV recon command on host $dest$ mitre_attack_id: - T1592 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 674be0bb50..45443c4674 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml 
@@ -1,15 +1,31 @@ name: Recon Using WMI Class id: 018c1972-ca07-11eb-9473-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network. +description: The following analytic detects suspicious PowerShell activity via EventCode + 4104, where WMI performs event queries to gather information on running processes + or services. This detection leverages PowerShell Script Block Logging to identify + specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. + This activity is significant as it often indicates reconnaissance efforts by an + adversary to profile the compromised machine. If confirmed malicious, the attacker + could gain detailed system information, aiding in further exploitation or lateral + movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlockText= "*Get-WmiObject*") AND (ScriptBlockText= "*Win32_Bios*" OR ScriptBlockText= "*Win32_OperatingSystem*" OR ScriptBlockText= "*Win32_Processor*" OR ScriptBlockText= "*Win32_ComputerSystem*" OR ScriptBlockText= "*Win32_PnPEntity*" OR ScriptBlockText= "*Win32_ShadowCopy*" OR ScriptBlockText= "*Win32_DiskDrive*" OR ScriptBlockText= "*Win32_PhysicalMemory*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlockText= + "*Get-WmiObject*") AND (ScriptBlockText= "*Win32_Bios*" OR ScriptBlockText= "*Win32_OperatingSystem*" + OR ScriptBlockText= "*Win32_Processor*" OR ScriptBlockText= "*Win32_ComputerSystem*" + OR ScriptBlockText= "*Win32_PnPEntity*" OR ScriptBlockText= "*Win32_ShadowCopy*" + OR ScriptBlockText= "*Win32_DiskDrive*" OR ScriptBlockText= "*Win32_PhysicalMemory*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. 
Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: network administrator may used this command for checking purposes references: - https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/ @@ -26,9 +42,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains host recon commands detected on + host $dest$ + risk_objects: + - field: dest + type: system + score: 60 + - field: user + type: user + score: 60 + threat_objects: [] tags: analytic_story: - AsyncRAT 
@@ -40,36 +72,18 @@ tags: - Data Destruction - MoonPeak asset_type: Endpoint - confidence: 80 - impact: 75 - message: A suspicious powershell script contains host recon commands detected on host $dest$ mitre_attack_id: - T1592 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index 8679099227..3ba5e16d48 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml 
@@ -1,18 +1,39 @@ name: Recursive Delete of Directory In Batch CMD id: ba570b3a-d356-11eb-8358-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a batch command designed to recursively delete files or directories, a technique often used by ransomware like Reddot to delete files in the recycle bin and prevent recovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific flags for recursive and quiet deletions. This activity is significant as it indicates potential ransomware behavior aimed at data destruction. If confirmed malicious, it could lead to significant data loss and hinder recovery efforts, severely impacting business operations. +description: The following analytic detects the execution of a batch command designed + to recursively delete files or directories, a technique often used by ransomware + like Reddot to delete files in the recycle bin and prevent recovery. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions that include specific flags for recursive and quiet deletions. This activity + is significant as it indicates potential ransomware behavior aimed at data destruction. + If confirmed malicious, it could lead to significant data loss and hinder recovery + efforts, severely impacting business operations. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process="* rd *" Processes.process="*/s*" Processes.process="*/q*" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: network operator may use this batch command to delete recursively a directory or files within directory +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process="* + rd *" Processes.process="*/s*" Processes.process="*/q*" by Processes.user Processes.process_name + Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id + Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network operator may use this batch command to delete recursively + a directory or files within directory references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: 
@@ -21,46 +42,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Recursive Delete of Directory In Batch CMD by $user$ on $dest$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Recursive Delete of Directory In Batch CMD by $user$ on $dest$ mitre_attack_id: - T1070.004 - T1070 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index 9cae91bde8..033abc60c4 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml 
@@ -1,18 +1,41 @@ name: Reg exe Manipulating Windows Services Registry Keys id: 8470d755-0c13-45b3-bd63-387a373c10cf -version: 7 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise. +description: The following analytic detects the use of reg.exe to modify registry + keys associated with Windows services and their configurations. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names, parent + processes, and command-line executions. This activity is significant because unauthorized + changes to service registry keys can indicate an attempt to establish persistence + or escalate privileges. If confirmed malicious, this could allow an attacker to + control service behavior, potentially leading to unauthorized code execution or + system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) + as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes + where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* + Processes.process=*Services* by Processes.process_id Processes.dest Processes.process + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `reg_exe_manipulating_windows_services_registry_keys_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is unusual for a service to be created or modified by directly + manipulating the registry. However, there may be legitimate instances of this behavior. + It is important to validate and investigate, as appropriate. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" 
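Review bot: the process filter at `where Processes.process_name=reg.exe` keys only on the image name, so a renamed copy of reg.exe bypasses the analytic; the regsvr32 detection further down in this same change already carries `Processes.original_file_name` through its by-clause, so consider matching `Processes.original_file_name=reg.exe` here as well (OR-ed with process_name). While the search is being rewrapped, `Processes.process=*reg*` is redundant once process_name is pinned to reg.exe and can be dropped. The version also jumps from 7 to 9 in a single commit; if 8 was never published, bump to 8 instead.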
@@ -20,47 +43,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A reg.exe process $process_name$ with commandline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 45 + - field: user + type: user + score: 45 + threat_objects: [] tags: analytic_story: - Windows Service Abuse - Windows Persistence Techniques - Living Off The Land asset_type: Endpoint - confidence: 60 - impact: 75 - message: A reg.exe process $process_name$ with commandline $process$ in host $dest$ mitre_attack_id: - T1574.011 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - 
- Processes.parent_process_name - - Processes.user - - Processes.process - - Processes.process_id - - Processes.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index a06f72591a..b83d67aaf2 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml 
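Review bot: `threat_objects: []` in the new rba block of reg_exe_manipulating_windows_services_registry_keys.yml leaves the reg.exe process out of the risk index even though `$process_name$` and `$process$` are interpolated into the message and both are in the by-clause; the regsvr32 detection in this same change populates threat_objects with `process_name`, so add `- field: process_name` / `type: process_name` here for consistency. The score of 45 matches the removed confidence 60 x impact 75, so the migration itself is faithful.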
@@ -1,19 +1,27 @@ name: Registry Keys for Creating SHIM Databases id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb -version: 10 +version: 11 date: '2024-12-08' author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP -description: The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems. +description: The following analytic detects registry activity related to the creation + of application compatibility shims. It leverages data from the Endpoint.Registry + data model, specifically monitoring registry paths associated with AppCompatFlags. + This activity is significant because attackers can use shims to bypass security + controls, achieve persistence, or escalate privileges. If confirmed malicious, this + could allow an attacker to maintain long-term access, execute arbitrary code, or + manipulate application behavior, posing a severe risk to the integrity and security + of the affected systems. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) - BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* + OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `registry_keys_for_creating_shim_databases_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
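Review bot: version moves 10 -> 11 but `date: '2024-12-08'` is left unchanged, whereas the other detections in this change (reg.exe at 2024-11-13, persistence at 2025-01-27) bump date together with version; either update the date or keep version 10 if a pure rewrap is not meant to count as a content change.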
@@ -27,47 +35,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry activity in $registry_path$ related to shim modication in host + $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Suspicious Windows Registry Activities - Windows Persistence Techniques - Windows Registry Abuse asset_type: Endpoint - confidence: 80 - impact: 70 - message: A registry activity in $registry_path$ related to shim modication in host $dest$ mitre_attack_id: - T1546.011 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - 
_time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index d7260009ab..a468b6bf0a 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml 
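Review bot: the rba message carried over as `related to shim modication in host $dest$` keeps the typo from the old `message:` key; since the line is being moved anyway, fix it to `modification`. Score 56 matches the removed confidence 80 x impact 70.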
@@ -1,16 +1,54 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 12 -date: '2024-12-03' +version: 15 +date: '2025-01-27' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP -description: The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security. +description: The following analytic identifies modifications to registry keys commonly + used for persistence mechanisms. It leverages data from endpoint detection sources + like Sysmon or Carbon Black, focusing on specific registry paths known to initiate + applications or services during system startup. This activity is significant as + unauthorized changes to these keys can indicate attempts to maintain persistence + or execute malicious actions upon system boot. If confirmed malicious, this could + allow attackers to achieve persistent access, execute arbitrary code, or maintain + control over compromised systems, posing a severe threat to system integrity and + security. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND 
Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -known_false_positives: There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce + OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run + OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User + Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell + Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* + OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* + OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* + OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* + OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= + "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common + Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler + OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows + NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) + OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security + Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" + AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows + NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" + AND 
Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" + AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session + Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" + AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. +known_false_positives: There are many legitimate applications that must execute on + system startup and will use these registry keys to accomplish that task. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" 
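Review bot: the rewrapped search preserves a pre-existing defect at `(Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute")`: `\Control\Session` uses single backslashes while every other path in the clause double-escapes them, and `"AND` has no space before the operator. Normalize it to `"*\\CurrentControlSet\\Control\\Session Manager" AND` while this block is being touched. The version also moves 12 -> 15 in one commit; please confirm 13 and 14 were actually released.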
@@ -18,64 +56,63 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry activity in $registry_path$ related to persistence in host $dest$ + risk_objects: + - field: dest + type: system + score: 76 + - field: user + type: user + score: 76 + threat_objects: [] tags: analytic_story: - - AsyncRAT - - Ransomware - - Windows Persistence Techniques - - DarkGate Malware - - NjRAT - - RedLine Stealer - - IcedID - - Sneaky Active Directory Persistence Tricks - Chaos Ransomware - - Azorult + - Windows Persistence Techniques - DHS Report TA18-074A - - Emotet Malware DHS Report TA18-201A - - Remcos - - Windows Registry Abuse + - Snake Keylogger + - CISA AA23-347A + - WinDealer RAT - Qakbot - - Suspicious MSHTA Activity - - Suspicious Windows Registry Activities - Warzone RAT + 
- IcedID + - Azorult + - Suspicious Windows Registry Activities + - AsyncRAT + - Derusbi - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns - - Amadey + - DarkGate Malware + - NjRAT - BlackByte Ransomware - - CISA AA23-347A - - Snake Keylogger + - Ransomware - MoonPeak - BlackSuit Ransomware + - Emotet Malware DHS Report TA18-201A + - Sneaky Active Directory Persistence Tricks + - Amadey + - Remcos - Braodo Stealer + - Windows Registry Abuse + - Nexus APT Threat Activity + - Suspicious MSHTA Activity + - RedLine Stealer asset_type: Endpoint - confidence: 95 - impact: 80 - message: A registry activity in $registry_path$ related to persistence in host $dest$ mitre_attack_id: - T1547.001 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.dest - - Registry.user - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index 890bda6db4..4ca750000e 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml 
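Review bot: the analytic_story list is reordered into no evident order (Chaos Ransomware, Windows Persistence Techniques, DHS Report TA18-074A, ...), which turns three real additions (WinDealer RAT, Derusbi, Nexus APT Threat Activity) into a 50-line churn diff. Keep the original order or sort the list alphabetically so the actual change is reviewable; a sorted list also keeps future contentctl rewrites stable.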
@@ -5,16 +5,23 @@ date: '2024-12-08' author: David Dorsey, Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to registry keys under "Image File Execution Options" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access. +description: The following analytic detects modifications to registry keys under "Image + File Execution Options" that can be used for privilege escalation. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to registry + paths and values like GlobalFlag and Debugger. This activity is significant because + attackers can use these modifications to intercept executable calls and attach malicious + binaries to legitimate system binaries. If confirmed malicious, this could allow + attackers to execute arbitrary code with elevated privileges, leading to potential + system compromise and persistent access. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File - Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) - BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows + NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag + OR Registry.registry_value_name=Debugger)) BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -29,9 +36,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry activity in $registry_path$ related to privilege escalation + in host $dest$ + risk_objects: + - field: dest + type: system + score: 76 + - field: user + type: user + score: 76 + threat_objects: [] tags: analytic_story: - Cloud Federated Credential Abuse 
@@ -41,38 +64,18 @@ tags: - Data Destruction - Suspicious Windows Registry Activities asset_type: Endpoint - confidence: 95 - impact: 80 - message: A registry activity in $registry_path$ related to privilege escalation in host $dest$ mitre_attack_id: - T1546.012 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index e9b532ab4f..ccdeb39f99 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml 
@@ -1,18 +1,38 @@ name: Regsvr32 Silent and Install Param Dll Loading id: f421c250-24e7-11ec-bc43-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the loading of a DLL using the regsvr32 application with the silent parameter and DLLInstall execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent process details. This activity is significant as it is commonly used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised machines. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, and further compromise the system. +description: The following analytic detects the loading of a DLL using the regsvr32 + application with the silent parameter and DLLInstall execution. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process command-line + arguments and parent process details. This activity is significant as it is commonly + used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised + machines. If confirmed malicious, this technique could allow attackers to execute + arbitrary code, maintain persistence, and further compromise the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process="*/i*" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_silent_and_install_param_dll_loading_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Other third part application may used this parameter but not so common in base windows environment. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process="*/i*" + by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_silent_and_install_param_dll_loading_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Other third part application may used this parameter but not + so common in base windows environment. references: - https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/ - https://attack.mitre.org/techniques/T1218/010/ 
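Review bot: the silent-switch check at `match(process,"(?i)[\-|\/][Ss]{1}")` accepts both `-s` and `/s`, but the install-switch filter at `Processes.process="*/i*"` only matches the forward-slash form, so `regsvr32 -i -s foo.dll` is missed; use `Processes.process IN ("*/i*", "*-i*")` or fold the `/i` check into the same regex. The regex itself has a stray `|` inside the character class and a redundant `{1}`; `(?i)[-/]s` is equivalent. The moved known_false_positives line should also read: `Other third-party applications may use this parameter, but it is uncommon in a base Windows environment.`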
@@ -22,9 +42,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and + dllinstall parameter. + risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - AsyncRAT 
@@ -34,51 +75,18 @@ tags: - Remcos - Suspicious Regsvr32 Activity asset_type: Endpoint - confidence: 60 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter. mitre_attack_id: - T1218 - T1218.010 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml index 1f32b81a7d..1726b73a91 100644 --- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml +++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml 
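Review bot: the True Positive Test at the end of this hunk still points at `datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log`, a WScript/VBS dataset, for a regsvr32 `/i` plus `/s` analytic whose version is being bumped; please confirm that log actually contains a `regsvr32` launch with both switches, otherwise the unit-testing workflow asserts nothing about the regex. The removal of `required_fields` is safe: `Processes.parent_process_path`, `Processes.process_path`, `Processes.process_id` and `Processes.parent_process_id` never appear in the search's `by` clause, and the `rba` scores of 36 match the removed `confidence: 60` times `impact: 60`.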
@@ -1,18 +1,39 @@ name: Regsvr32 with Known Silent Switch Cmdline id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of Regsvr32.exe with the silent switch to load DLLs. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing the `-s` or `/s` switches. This activity is significant as it is commonly used in malware campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, this could allow an attacker to execute arbitrary code, download additional payloads, and potentially compromise the system further. Immediate investigation and endpoint isolation are recommended. +description: The following analytic detects the execution of Regsvr32.exe with the + silent switch to load DLLs. This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on command-line executions containing the + `-s` or `/s` switches. This activity is significant as it is commonly used in malware + campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, + this could allow an attacker to execute arbitrary code, download additional payloads, + and potentially compromise the system further. Immediate investigation and endpoint + isolation are recommended. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_with_known_silent_switch_cmdline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: minimal. but network operator can use this application to load dll. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user + Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name + Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") + | `regsvr32_with_known_silent_switch_cmdline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: minimal. but network operator can use this application to load + dll. references: - https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/ - https://regexr.com/699e2 
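Review bot: `version` jumps from 5 to 7 at the top of this hunk (`-version: 5` / `+version: 7`) while every other analytic in this change is bumped by exactly one, e.g. `-version: 5` / `+version: 6` in remcos_client_registry_install_entry.yml; unless a version 6 was published elsewhere, make it `+version: 6`. In the `search` lines the only data-model filter is `` `process_regsvr32` ``, so the entire regsvr32 population is pulled before the `where match(...)` regex runs; a tstats-side pre-filter on the command line such as `Processes.process IN ("* /s*", "* -s*")` would cut that down, and the same character-class and `{1}` redundancy as in the `/i` analytic applies here. The `known_false_positives` text should also be a sentence: "Minimal, but a network operator can use this application to load a DLL."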
@@ -22,9 +43,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - IcedID 
@@ -34,51 +75,18 @@ tags: - Qakbot - AsyncRAT asset_type: Endpoint - confidence: 80 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter. mitre_attack_id: - T1218 - T1218.010 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml index cdc03cbb07..6a33393f9a 100644 --- a/detections/endpoint/remcos_client_registry_install_entry.yml +++ b/detections/endpoint/remcos_client_registry_install_entry.yml 
@@ -1,19 +1,44 @@ name: Remcos client registry install entry id: f2a1615a-1d63-11ec-97d2-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the "license" key is found in the "Software\Remcos" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required. +description: The following analytic detects the presence of a registry key associated + with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes + and Endpoint.Registry data models in Splunk, focusing on instances where the "license" + key is found in the "Software\Remcos" path. This behavior is significant as it indicates + potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized + access and data exfiltration. If confirmed malicious, the attacker could gain control + over the system, steal sensitive information, or use the compromised host for further + attacks. Immediate investigation and remediation are required. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\Software\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_key_name=*\\Software\\Remcos*) BY _time span=1h Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime + dest user parent_process_name parent_process process_name process_path process registry_key_name + registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/software/S0332/ 
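Review bot: the `description` in this hunk says the analytic fires when the "license" key is found under "Software\Remcos", but the reflowed `search` only filters `Registry.registry_key_name=*\\Software\\Remcos*` and `where isnotnull(registry_value_data)`; either add `Registry.registry_value_name=license` (or a wildcard form) to the subsearch WHERE clause or reword the description to say any populated value under that key. The `how_to_implement` paragraph is the generic Processes-node boilerplate and never mentions that this search also needs the `Registry` node of the `Endpoint` data model populated (Sysmon EventID 12 and 13 per `data_source`); add a sentence for it. Finally, `join process_guid [ | tstats ... ]` is bounded by the join subsearch limits (50,000 results and 60 seconds by default), so on a busy tenant the Registry side can be truncated silently; since the join key is `process_guid` alone, consider driving the search from `Endpoint.Registry` and enriching from Processes instead.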
@@ -23,50 +48,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry entry $registry_path$ with registry keyname $registry_key_name$ + related to Remcos RAT in host $dest$ + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Remcos - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 90 - message: A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - 
Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml index c392d80bd1..82a0d3c39b 100644 --- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml +++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml 
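Review bot: `threat_objects: []` in the new `rba` block even though the search's `fields` line keeps `process_name` and `parent_process_name`; the regsvr32 analytics in this same change populate threat objects from those two fields, and doing so here lets the risk index pivot on which process wrote the Remcos key. The score of 90 matches the removed `confidence: 100` times `impact: 90`, and the `$registry_path$` and `$registry_key_name$` tokens in the message are both present in the search output, so the rest of the migration is consistent.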
@@ -1,15 +1,28 @@ name: Remcos RAT File Creation in Remcos Folder id: 25ae862a-1ac3-11ec-94a1-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk, Sanjay Govind status: production type: TTP -description: The following analytic detects the creation of files in the Remcos folder within the AppData directory, specifically targeting keylog and clipboard log files. It leverages the Endpoint.Filesystem data model to identify .dat files created in paths containing "remcos." This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. If confirmed malicious, this could lead to unauthorized data exfiltration and extensive surveillance capabilities for the attacker. +description: The following analytic detects the creation of files in the Remcos folder + within the AppData directory, specifically targeting keylog and clipboard log files. + It leverages the Endpoint.Filesystem data model to identify .dat files created in + paths containing "remcos." This activity is significant as it indicates the presence + of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. + If confirmed malicious, this could lead to unauthorized data exfiltration and extensive + surveillance capabilities for the attacker. 
data_source: - Sysmon EventID 11 -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.dat") Filesystem.file_path = "*\\remcos\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.dat") + Filesystem.file_path = "*\\remcos\\*" by _time Filesystem.file_name Filesystem.file_path + Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: unknown references: - https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US 
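Review bot: `how_to_implement` in this hunk still says to ingest "the process name, parent process, and command-line executions", but the `search` reads `datamodel=Endpoint.Filesystem` and `data_source` is Sysmon EventID 11 only; the text should say file-creation events mapped to the `Filesystem` node of the `Endpoint` data model with `file_name`, `file_path`, `file_create_time` and `dest` populated, keeping the Sysmon TA 6.0.4 requirement. Also consider whether `Filesystem.file_path = "*\\remcos\\*"` should be anchored to the AppData location the description names, since any directory called `remcos` anywhere on disk (an analyst's sample folder, for instance) fires this at score 100.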
@@ -20,38 +33,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: file $file_name$ created in $file_path$ of $dest$ + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Remcos asset_type: Endpoint - confidence: 100 - impact: 100 - message: file $file_name$ created in $file_path$ of $dest$ mitre_attack_id: - T1113 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - file_create_time - - file_name - - file_path - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log + - 
data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml index ae2c77d13d..98b7d2a398 100644 --- a/detections/endpoint/remote_desktop_process_running_on_system.yml +++ b/detections/endpoint/remote_desktop_process_running_on_system.yml 
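Review bot: `threat_objects: []` in the new `rba` block although `file_name` and `file_path` are in the search output and already appear in the `rba.message`; if contentctl's rba schema accepts a `file_name` threat object type, add it so the risk event carries the keylog or clipboard log file name instead of only the host. Score 100 matches the removed `confidence: 100` times `impact: 100`.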
@@ -1,17 +1,36 @@ name: Remote Desktop Process Running On System id: f5939373-8054-40ad-8c64-cec478a22a4a -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-13' author: David Dorsey, Splunk status: experimental type: Hunting -description: The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise. +description: The following analytic detects the execution of the remote desktop process + (mstsc.exe) on systems where it is not typically run. This detection leverages data + from Endpoint Detection and Response (EDR) agents, filtering out systems categorized + as common RDP sources. This activity is significant because unauthorized use of + mstsc.exe can indicate lateral movement or unauthorized remote access attempts. + If confirmed malicious, this could allow an attacker to gain remote control of a + system, potentially leading to data exfiltration, privilege escalation, or further + network compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe + AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user + Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Remote Desktop may be used legitimately by users on the network. references: [] tags: @@ -19,30 +38,11 @@ tags: - Hidden Cobra Malware - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1021.001 - T1021 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.dest_category - - Processes.dest - - Processes.user - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index 50ccc1bc57..538d923090 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -1,7 +1,7 @@ name: Remote Process Instantiation via DCOM and PowerShell id: d4f42098-4680-11ec-ad07-3e22fbd008af -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: TTP 
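Review bot: `Processes.dest_category!=common_rdp_source` in the `search` lines depends on `dest_category` being populated by the ES asset framework with hosts tagged `common_rdp_source`, but the reflowed `how_to_implement` is the generic EDR boilerplate and never says so; without that categorization the exclusion is a no-op and every `mstsc.exe` launch is returned. Add a sentence telling the reader to populate the asset category. Also `Processes.process=*mstsc.exe` is a leading-wildcard match on the full command line, which is expensive in tstats and matches any argument ending in `mstsc.exe`; `Processes.process_name=mstsc.exe` (with `original_file_name` as a fallback, the pattern the `process_regsvr32` macro follows in the regsvr32 searches in this change) is the better filter. Dropping `message: tbd` and `risk_score: 25` without adding an `rba` block is correct for a `type: Hunting` analytic.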
@@ -52,45 +52,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $dest$ by abusing DCOM + using PowerShell.exe + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 90 - message: A process was started on a remote endpoint from $dest$ by abusing DCOM - using PowerShell.exe mitre_attack_id: - T1021 - T1021.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml index 2cf26f5598..4f4648445b 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml 
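Review bot: the new `rba` block carries only `dest` as a risk object and `threat_objects: []`, while the removed `required_fields` list shows the search groups on `Processes.user`, `Processes.process_name` and `Processes.parent_process_name`; the regsvr32 analytics in this change add `user` as a second risk object and `process_name` / `parent_process_name` as threat objects, and doing the same here keeps lateral-movement risk attributed to the account that ran PowerShell rather than only the source host. The score of 63 matches the removed `confidence: 70` times `impact: 90`.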
@@ -1,16 +1,29 @@ name: Remote Process Instantiation via DCOM and PowerShell Script Block id: fa1c3040-4680-11ec-a618-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of PowerShell commands that initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network. +description: The following analytic detects the execution of PowerShell commands that + initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. + This activity is significant as it may indicate lateral movement or remote code + execution attempts by adversaries. If confirmed malicious, this behavior could allow + attackers to execute arbitrary code on remote systems, potentially leading to further + compromise and persistence within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText="*Document.Application.ShellExecute*" OR ScriptBlockText="*Document.ActiveView.ExecuteShellCommand*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. +search: '`powershell` EventCode=4104 (ScriptBlockText="*Document.Application.ShellExecute*" + OR ScriptBlockText="*Document.ActiveView.ExecuteShellCommand*") | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup instructions + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage DCOM to start a process on remote + systems, but this activity is usually limited to a small set of hosts or users. references: - https://attack.mitre.org/techniques/T1021/003/ - https://www.cybereason.com/blog/dcom-lateral-movement-techniques 
@@ -20,39 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $Computer$ by abusing WMI + using PowerShell.exe + risk_objects: + - field: Computer + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 70 - impact: 90 - message: A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe mitre_attack_id: - T1021 - T1021.003 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - user_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index b3be60908b..8b574d9bb7 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml 
@@ -1,18 +1,40 @@ name: Remote Process Instantiation via WinRM and PowerShell id: ba24cda8-4716-11ec-8009-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint via the WinRM protocol, specifically targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network. +description: The following analytic detects the execution of `powershell.exe` with + arguments used to start a process on a remote endpoint via the WinRM protocol, specifically + targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process telemetry. + This activity is significant as it may indicate lateral movement or remote code + execution attempts by adversaries. If confirmed malicious, this could allow attackers + to execute arbitrary code on remote systems, potentially leading to further compromise + and lateral spread within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" + AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `remote_process_instantiation_via_winrm_and_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to start + a process on remote systems for system administration or automation use cases. However, + this activity is usually limited to a small set of hosts or users. references: - https://attack.mitre.org/techniques/T1021/006/ - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ 
@@ -22,46 +44,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $dest$ by abusing WinRM + using PowerShell.exe + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 90 - message: A process was started on a remote endpoint from $dest$ by abusing WinRM using PowerShell.exe mitre_attack_id: - T1021 - T1021.006 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - 
Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml index 9c282dec8a..d2cff18278 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml 
@@ -1,16 +1,31 @@ name: Remote Process Instantiation via WinRM and PowerShell Script Block id: 7d4c618e-4716-11ec-951c-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of PowerShell commands that use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network. +description: The following analytic detects the execution of PowerShell commands that + use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the + WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to + identify such activities. This behavior is significant as it may indicate lateral + movement or remote code execution attempts by adversaries. If confirmed malicious, + this activity could allow attackers to execute arbitrary code on remote systems, + potentially leading to further compromise and persistence within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. +search: '`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup instructions + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to start + a process on remote systems for system administration or automation use cases. This + activity is usually limited to a small set of hosts or users. In certain environments, + tuning may not be possible. references: - https://attack.mitre.org/techniques/T1021/006/ - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ 
@@ -20,40 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $Computer$ by abusing WinRM + using PowerShell.exe + risk_objects: + - field: Computer + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 90 - message: A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe mitre_attack_id: - T1021 - T1021.006 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 45 security_domain: endpoint tests: - name: 
True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index cd7996a4cd..4d5ae43729 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml 
@@ -1,18 +1,40 @@ name: Remote Process Instantiation via WinRM and Winrs id: 0dd296a2-4338-11ec-ba02-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `winrs.exe` with command-line arguments used to start a process on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network. +description: The following analytic detects the execution of `winrs.exe` with command-line + arguments used to start a process on a remote endpoint. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions mapped to the `Processes` node of the `Endpoint` data model. This activity + is significant as it may indicate lateral movement or remote code execution attempts + by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary + code on remote systems, potentially leading to further compromise and lateral spread + within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process="*-r:*" OR Processes.process="*-remote:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe + OR Processes.original_file_name=winrs.exe) (Processes.process="*-r:*" OR Processes.process="*-remote:*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may leverage WinRM and WinRs to start a process + on remote systems, but this activity is usually limited to a small set of hosts + or users. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs - https://attack.mitre.org/techniques/T1021/006/ 
@@ -22,46 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 60 - impact: 90 - message: A process was started on a remote endpoint from $dest$ mitre_attack_id: - T1021 - T1021.006 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml index 2ff3c358b4..45d08b0f06 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml 
@@ -1,18 +1,40 @@ name: Remote Process Instantiation via WMI id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da -version: 9 -date: '2024-09-30' +version: 11 +date: '2025-01-27' author: Rico Valdez, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network. +description: The following analytic detects the execution of wmic.exe with parameters + to spawn a process on a remote system. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process telemetry + mapped to the `Processes` node of the `Endpoint` data model. This activity is significant + as WMI can be abused for lateral movement and remote code execution, often used + by adversaries and Red Teams. If confirmed malicious, this could allow attackers + to execute arbitrary code on remote systems, facilitating further compromise and + lateral spread within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process="*/node:*" AND Processes.process="*process*" AND Processes.process="*call*" AND Processes.process="*create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process="*/node:*" + AND Processes.process="*process*" AND Processes.process="*call*" AND Processes.process="*create*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The wmic.exe utility is a benign Windows application. It may + be used legitimately by Administrators with these parameters for remote system administration, + but it's relatively uncommon. references: - https://attack.mitre.org/techniques/T1047/ - https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process 
@@ -22,48 +44,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A wmic.exe process $process$ contain process spawn commandline $process$ + in host $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - - Ransomware - CISA AA23-347A - - Active Directory Lateral Movement + - Ransomware - Suspicious WMI Use + - Active Directory Lateral Movement + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 70 - impact: 70 - message: A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$ mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim 
product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml index 543213b94e..5ece97d2c9 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml @@ -1,7 +1,7 @@ name: Remote Process Instantiation via WMI and PowerShell id: 112638b4-4634-11ec-b9ab-3e22fbd008af -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: TTP 
@@ -51,44 +51,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $dest$ by abusing WMI using + PowerShell.exe + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Compromised Windows Host asset_type: Endpoint - confidence: 70 - impact: 90 - message: A process was started on a remote endpoint from $dest by abusing WMI using - PowerShell.exe mitre_attack_id: - T1047 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml index 542c97e39c..2338ea88f3 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml 
@@ -1,16 +1,32 @@ name: Remote Process Instantiation via WMI and PowerShell Script Block id: 2a048c14-4634-11ec-a618-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Invoke-WmiMethod` commandlet with parameters used to start a process on a remote endpoint via WMI, leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies specific script block text patterns associated with remote process instantiation. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network. +description: The following analytic detects the execution of the `Invoke-WmiMethod` + commandlet with parameters used to start a process on a remote endpoint via WMI, + leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies + specific script block text patterns associated with remote process instantiation. + This activity is significant as it may indicate lateral movement or remote code + execution attempts by adversaries. If confirmed malicious, this could allow attackers + to execute arbitrary code on remote systems, potentially leading to further compromise + and persistence within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (ScriptBlockText="*-CN*" OR ScriptBlockText="*-ComputerName*") AND ScriptBlockText="*-Class Win32_Process*" AND ScriptBlockText="*-Name create*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. +search: '`powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (ScriptBlockText="*-CN*" + OR ScriptBlockText="*-ComputerName*") AND ScriptBlockText="*-Class Win32_Process*" + AND ScriptBlockText="*-Name create*" | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup instructions + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Administrators may leverage WWMI and powershell.exe to start + a process on remote systems, but this activity is usually limited to a small set + of hosts or users. references: - https://attack.mitre.org/techniques/T1047/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 
@@ -20,38 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was started on a remote endpoint from $Computer$ by abusing WMI + using PowerShell.exe + risk_objects: + - field: Computer + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 70 - impact: 90 - message: A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe mitre_attack_id: - T1047 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - Computer - - UserID - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - 
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/wmi_remote_process_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/wmi_remote_process_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml index d52b53a37a..33bc7de3b8 100644 --- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml +++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml 
@@ -1,15 +1,28 @@ name: Remote System Discovery with Adsisearcher id: 70803451-0047-4e12-9d63-77fa7eb8649c -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` or `findOne()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell scripts to query Active Directory for domain computers. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks + containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` + or `findOne()`. This activity is significant as it may indicate an attempt by adversaries + or Red Teams to perform Active Directory discovery and gain situational awareness. + If confirmed malicious, this could lead to further reconnaissance and potential + lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText + = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` + | `remote_system_discovery_with_adsisearcher_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators or power users may use Adsisearcher for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
@@ -20,38 +33,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery enumeration with adsisearcher on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration with adsisearcher on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml index 478bfe3291..0f3b92aaf9 100644 --- a/detections/endpoint/remote_system_discovery_with_dsquery.yml +++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml 
@@ -1,17 +1,37 @@ name: Remote System Discovery with Dsquery id: 9fb562f4-42f8-4139-8e11-a82edf7ed718 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `dsquery.exe` with the `computer` argument, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Remote system discovery is significant as it indicates potential reconnaissance activities by adversaries or Red Teams to map out network resources and Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, lateral movement, and unauthorized access to critical systems within the network. +description: The following analytic detects the execution of `dsquery.exe` with the + `computer` argument, which is used to discover remote systems within a domain. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. Remote system discovery is significant + as it indicates potential reconnaissance activities by adversaries or Red Teams + to map out network resources and Active Directory structures. If confirmed malicious, + this activity could lead to further exploitation, lateral movement, and unauthorized + access to critical systems within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") + (Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `remote_system_discovery_with_dsquery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -20,37 +40,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml index fa93e793fe..6db545d4bf 100644 --- a/detections/endpoint/remote_system_discovery_with_wmic.yml +++ b/detections/endpoint/remote_system_discovery_with_wmic.yml 
@@ -1,17 +1,38 @@ name: Remote System Discovery with Wmic id: d82eced3-b1dc-42ab-859e-a2fc98827359 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `wmic.exe` with specific command-line arguments used to discover remote systems within a domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out network resources and Active Directory structures. If confirmed malicious, this behavior could allow attackers to gain situational awareness, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic detects the execution of `wmic.exe` with specific + command-line arguments used to discover remote systems within a domain. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to map out network resources and Active Directory + structures. If confirmed malicious, this behavior could allow attackers to gain + situational awareness, identify critical systems, and plan further attacks, potentially + leading to unauthorized access and data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_computer* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") + (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_computer* + AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ 
@@ -22,44 +43,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote system discovery enumeration on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Remote system discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml index d28ae699cc..5bb7266b17 100644 --- a/detections/endpoint/remote_wmi_command_attempt.yml +++ b/detections/endpoint/remote_wmi_command_attempt.yml 
@@ -1,18 +1,37 @@ name: Remote WMI Command Attempt id: 272df6de-61f1-4784-877c-1fbc3e2d0838 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of `wmic.exe` with the `node` switch, indicating an attempt to spawn a local or remote process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, the attacker could gain remote control over the targeted system, execute arbitrary commands, and potentially escalate privileges or persist within the environment. +description: The following analytic detects the execution of `wmic.exe` with the `node` + switch, indicating an attempt to spawn a local or remote process. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + creation events and command-line arguments. This activity is significant as it may + indicate lateral movement or remote code execution attempts by an attacker. If confirmed + malicious, the attacker could gain remote control over the targeted system, execute + arbitrary commands, and potentially escalate privileges or persist within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may use this legitimately to gather info from remote systems. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may use this legitimately to gather info from + remote systems. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ 
@@ -23,9 +42,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A wmic.exe process $process$ contain node commandline $process$ in host + $dest$ + risk_objects: + - field: dest + type: system + score: 36 + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Graceful Wipe Out Attack 
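Review bot: the new `rba.message` uses `$process$` twice, so the rendered risk message repeats the full command line in both slots and still reads "contain" rather than "contains". The search groups by `Processes.process_name`, so the first placeholder should be `$process_name$`: `message: A wmic.exe process $process_name$ contains node commandline $process$ in host $dest$`. The wording was carried over verbatim from the `tags.message` line being deleted in the next hunk, so this migration is the right moment to fix it.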
@@ -35,38 +70,17 @@ tags: - Suspicious WMI Use - CISA AA23-347A asset_type: Endpoint - confidence: 60 - impact: 60 - message: A wmic.exe process $process$ contain node commandline $process$ in host $dest$ mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.parent_process - - Processes.parent_process_id - - Processes.process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml index 5ddadf2550..9f1d18a373 100644 --- a/detections/endpoint/resize_shadowstorage_volume.yml +++ b/detections/endpoint/resize_shadowstorage_volume.yml @@ -1,7 +1,7 @@ name: Resize ShadowStorage volume id: bc760ca6-8336-11eb-bcbb-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras status: production type: TTP 
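Review bot: `version` changes type here, from the quoted string `'4'` to the bare integer `5`. That brings this file in line with the other detections in this diff (`version: 7`, `version: 5`, `version: 6`), but it is a schema-visible change rather than a plain bump; confirm the loader accepts an integer so the version is not silently rejected or compared as a string elsewhere.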
@@ -57,44 +57,34 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $parent_process_name$ attempted to resize shadow copy with commandline + $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 72 + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Clop Ransomware - BlackByte Ransomware asset_type: Endpoint - confidence: 90 - impact: 80 - message: A process $parent_process_name$ attempt to resize shadow copy with commandline - $process$ in host $dest$ mitre_attack_id: - T1490 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.process - - Processes.parent_process_name - - _time - - Processes.process_name - - Processes.parent_process - - Processes.dest - - Processes.user - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 1b709cc911..a4b2b3f7f5 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml 
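Review bot: `threat_objects: []` is empty even though the new message identifies the acting process with `$parent_process_name$` and `$process$`. The Rubeus file later in this diff maps the same field as a threat object (`- field: parent_process_name` / `type: parent_process_name`); consider doing the same here so the entity named in the message also appears on the risk event. The score of 72 matches the removed `confidence: 90` and `impact: 80`, and the message fix from "attempt to resize" to "attempted to resize" is correct.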
@@ -1,18 +1,40 @@ name: Revil Common Exec Parameter id: 85facebe-c382-11eb-9c3e-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as "-nolan", "-nolocal", "-fast", and "-full". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption. +description: The following analytic detects the execution of command-line parameters + commonly associated with REVIL ransomware, such as "-nolan", "-nolocal", "-fast", + and "-full". It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs mapped to the `Processes` node of the `Endpoint` + data model. This activity is significant because these parameters are indicative + of ransomware attempting to encrypt files on a compromised machine. If confirmed + malicious, this could lead to widespread data encryption, rendering critical files + inaccessible and potentially causing significant operational disruption. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* -nolan *" OR Processes.process = "* -nolocal *" OR Processes.process = "* -fast *" OR Processes.process = "* -full *" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: third party tool may have same command line parameters as revil ransomware. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "* -nolan + *" OR Processes.process = "* -nolocal *" OR Processes.process = "* -fast *" OR Processes.process + = "* -full *" by Processes.process_name Processes.process Processes.parent_process_name + Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `revil_common_exec_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: third party tool may have same command line parameters as revil + ransomware. references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ 
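Review bot: the re-wrapped `search` breaks a line inside a quoted wildcard literal (`Processes.process = "* -nolan` continued on the next line as `*" OR`). YAML single-quoted folding turns that line break plus indentation into one space, so the value still reads `"* -nolan *"`, but wrapping inside the pattern is easy to misread and fragile if someone re-indents the block; prefer breaking at the `OR` boundary. Separately, `known_false_positives` should be a sentence: `Third-party tools may have the same command-line parameters as REVIL ransomware.`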
@@ -22,47 +44,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ with commandline $process$ related to revil ransomware + in host $dest$ + risk_objects: + - field: dest + type: system + score: 54 + - field: user + type: user + score: 54 + threat_objects: [] tags: analytic_story: - Ransomware - Revil Ransomware asset_type: Endpoint - confidence: 90 - impact: 60 - message: A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$ mitre_attack_id: - T1204 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - 
Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process_guid - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml index 79340ebb5a..f6f6c0e032 100644 --- a/detections/endpoint/revil_registry_entry.yml +++ b/detections/endpoint/revil_registry_entry.yml 
@@ -1,19 +1,47 @@ name: Revil Registry Entry id: e3d3f57a-c381-11eb-9e35-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\WOW6432Node\\Facebook_Assistant` and `SOFTWARE\\WOW6432Node\\BlackLivesMatter`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts. +description: The following analytic identifies suspicious modifications in the registry + entry, specifically targeting paths used by malware like REVIL. It detects changes + in registry paths such as `SOFTWARE\\WOW6432Node\\Facebook_Assistant` and `SOFTWARE\\WOW6432Node\\BlackLivesMatter`. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on registry modifications linked to process GUIDs. This activity is significant + as it indicates potential malware persistence mechanisms, often used by advanced + persistent threats (APTs) and ransomware. If confirmed malicious, this could allow + attackers to maintain persistence, encrypt files, and store critical ransomware-related + information on compromised hosts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\*" OR Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\BlackLivesMatter*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\*" + OR Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\BlackLivesMatter*") BY _time + span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] + | fields firstTime lastTime dest user parent_process_name parent_process process_name + process_path process registry_key_name registry_path registry_value_name registry_value_data + process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ 
@@ -24,55 +52,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry entry $registry_path$ with registry value $registry_value_name$ + and $registry_value_name$ related to revil ransomware in host $dest$ + risk_objects: + - field: dest + type: system + score: 60 + - field: user + type: user + score: 60 + threat_objects: [] tags: analytic_story: - Ransomware - Revil Ransomware - Windows Registry Abuse asset_type: Endpoint - confidence: 100 - impact: 60 - message: A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk 
Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index fa3c517f28..9a0fe4997a 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml +++ b/detections/endpoint/rubeus_command_line_parameters.yml 
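Review bot: the new `rba.message` repeats `$registry_value_name$` ("with registry value $registry_value_name$ and $registry_value_name$"), so the second placeholder renders the same value twice. The search's `fields` clause already emits `registry_value_data`, which is what the sentence is reaching for: `message: A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_data$ related to revil ransomware in host $dest$`. The score of 60 matches the removed `confidence: 100` and `impact: 60`.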
@@ -1,18 +1,44 @@ name: Rubeus Command Line Parameters id: cca37478-8377-11ec-b59a-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of Rubeus command line parameters, a toolset for Kerberos attacks within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as Rubeus is commonly used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. +description: The following analytic detects the use of Rubeus command line parameters, + a toolset for Kerberos attacks within Active Directory environments. It leverages + Endpoint Detection and Response (EDR) data to identify specific command-line arguments + associated with actions like ticket manipulation, kerberoasting, and password spraying. + This activity is significant as Rubeus is commonly used by adversaries to exploit + Kerberos for privilege escalation and lateral movement. If confirmed malicious, + this could lead to unauthorized access, persistence, and potential compromise of + sensitive information within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*ptt /ticket*" OR Processes.process = "* monitor /interval*" OR Processes.process ="* asktgt* /user:*" OR Processes.process ="* asktgs* /service:*" OR Processes.process ="* golden* /user:*" OR Processes.process ="* silver* /service:*" OR Processes.process ="* kerberoast*" OR Processes.process ="* asreproast*" OR Processes.process = "* renew* /ticket:*" OR Processes.process = "* brute* /password:*" OR Processes.process = "* brute* /passwords:*" OR Processes.process ="* harvest*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*ptt /ticket*" + OR Processes.process = "* monitor /interval*" OR Processes.process ="* asktgt* /user:*" + OR Processes.process ="* asktgs* /service:*" OR Processes.process ="* golden* /user:*" + OR Processes.process ="* silver* /service:*" OR Processes.process ="* kerberoast*" + OR Processes.process ="* asreproast*" OR Processes.process = "* renew* /ticket:*" + OR Processes.process = "* brute* /password:*" OR Processes.process = "* brute* /passwords:*" + OR Processes.process ="* harvest*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, legitimate applications may use the same + command line parameters as Rubeus. Filter as needed. 
references: - https://github.com/GhostPack/Rubeus - https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ @@ -24,9 +50,26 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Rubeus command line parameters were used on $dest$ + risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Privilege Escalation 
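Review bot: the new `rba.message` ("Rubeus command line parameters were used on $dest$") carries less context than the risk objects it is attached to: `user` is a risk object and the search groups by `Processes.user`, `Processes.process_name` and `Processes.process`, yet none of those appear in the message. Suggest something like `Rubeus command line parameters were used by $user$ on $dest$ via $process_name$ ($process$)` so an analyst sees the matched parameters without opening the drilldown. The `parent_process_name` threat object preserves the old `Attacker` observable, which is the intended mapping.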
@@ -34,47 +77,21 @@ tags: - Active Directory Kerberos Attacks - BlackSuit Ransomware asset_type: Endpoint - confidence: 60 - impact: 60 - message: Rubeus command line parameters were used on $dest$ mitre_attack_id: - T1550 - T1550.003 - T1558 - T1558.003 - T1558.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index e78edcc6f6..e9200fe464 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml 
@@ -1,16 +1,34 @@ name: Rubeus Kerberos Ticket Exports Through Winlogon Access id: 5ed8c50a-8869-11ec-876f-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk. +description: The following analytic detects a process accessing the winlogon.exe system + process, indicative of the Rubeus tool attempting to export Kerberos tickets from + memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes + obtaining a handle to winlogon.exe with specific access rights. This activity is + significant as it often precedes pass-the-ticket attacks, where adversaries use + stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, + this could allow attackers to bypass normal access controls, escalate privileges, + and persist within the network, posing a severe security risk. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\Windows\\system32\\svchost.exe AND SourceImage!=C:\\Windows\\system32\\lsass.exe AND SourceImage!=C:\\Windows\\system32\\LogonUI.exe AND SourceImage!=C:\\Windows\\system32\\smss.exe AND SourceImage!=C:\\Windows\\system32\\wbem\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`' -how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. -known_false_positives: Legitimate applications may obtain a handle for winlogon.exe. Filter as needed +search: '`sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff) + (SourceImage!=C:\\Windows\\system32\\svchost.exe AND SourceImage!=C:\\Windows\\system32\\lsass.exe + AND SourceImage!=C:\\Windows\\system32\\LogonUI.exe AND SourceImage!=C:\\Windows\\system32\\smss.exe + AND SourceImage!=C:\\Windows\\system32\\wbem\\wmiprvse.exe) | stats count min(_time) + as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, + TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`' +how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which + includes EventCode 10. This search uses an input macro named `sysmon`. 
We strongly + recommend that you specify your environment-specific configurations (index, source, + sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations + for your Splunk environment. +known_false_positives: Legitimate applications may obtain a handle for winlogon.exe. + Filter as needed references: - https://github.com/GhostPack/Rubeus - https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ 
@@ -21,48 +39,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Winlogon.exe was accessed by $SourceImage$ on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: + - field: TargetImage + type: process tags: analytic_story: - CISA AA23-347A - Active Directory Kerberos Attacks - BlackSuit Ransomware asset_type: Endpoint - confidence: 60 - impact: 60 - message: Winlogon.exe was accessed by $SourceImage$ on $dest$ mitre_attack_id: - T1550 - T1550.003 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: TargetImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetImage - - CallTrace - - dest - - TargetProcessId - - SourceImage - - 
SourceProcessId - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml index 3da210cd7d..dd66057bfe 100644 --- a/detections/endpoint/runas_execution_in_commandline.yml +++ b/detections/endpoint/runas_execution_in_commandline.yml 
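Review bot: In the new `rba` block for rubeus_kerberos_ticket_exports_through_winlogon_access, `threat_objects` points at `TargetImage`, but the search pins `TargetImage=C:\\Windows\\system32\\winlogon.exe`, so the threat object would always be the victim process. The accessing process is `SourceImage`, which is also what the message already names (`Winlogon.exe was accessed by $SourceImage$ on $dest$`). Suggest `- field: SourceImage` / `type: process` here. The removed `observable` entry carried the same TargetImage-as-Attacker mistake; the migration is the right moment to correct it rather than copy it forward.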
@@ -1,18 +1,40 @@ name: Runas Execution in CommandLine id: 4807e716-43a4-11ec-a0e7-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the runas.exe process with administrator user options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to gain elevated privileges, a common tactic in privilege escalation and lateral movement. If confirmed malicious, this could allow an attacker to execute commands with higher privileges, potentially leading to unauthorized access, data exfiltration, or further compromise of the target host. +description: The following analytic detects the execution of the runas.exe process + with administrator user options. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions and process details. This activity + is significant as it may indicate an attempt to gain elevated privileges, a common + tactic in privilege escalation and lateral movement. If confirmed malicious, this + could allow an attacker to execute commands with higher privileges, potentially + leading to unauthorized access, data exfiltration, or further compromise of the + target host. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process + = "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an + automated or manual execute this command that may generate false positives. filter + is needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ tags: 
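Review bot: `known_false_positives` in runas_execution_in_commandline is reflowed but still ungrammatical: `may utilize an automated or manual execute this command that may generate false positives. filter is needed.` Since these lines are being rewritten anyway, reword to something like `Network operators or system administrators may run this command manually or through automation, generating false positives. Filter as needed.`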
@@ -21,36 +43,18 @@ tags: - Hermetic Wiper - Windows Privilege Escalation asset_type: Endpoint - confidence: 50 - impact: 50 - message: elevated process using runas on $dest$ by $user$ mitre_attack_id: - T1134 - T1134.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml index 3dadfcf009..dc0beb376a 100644 --- a/detections/endpoint/rundll32_control_rundll_hunt.yml +++ b/detections/endpoint/rundll32_control_rundll_hunt.yml 
@@ -1,18 +1,39 @@ name: Rundll32 Control RunDLL Hunt id: c8e7ced0-10c5-11ec-8b03-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. +description: The following analytic identifies instances of rundll32.exe executing + with `Control_RunDLL` in the command line, which is indicative of loading a .cpl + or other file types. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs and command-line arguments. This + activity is significant as rundll32.exe can be exploited to execute malicious Control + Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, + this could allow attackers to execute arbitrary code, escalate privileges, or maintain + persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by + Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `rundll32_control_rundll_hunt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This is a hunting detection, meant to provide a understanding + of how voluminous control_rundll is within the environment. references: - https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html - https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/ 
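Review bot: `known_false_positives` in rundll32_control_rundll_hunt still reads `provide a understanding of how voluminous control_rundll is within the environment` after the reflow. Change to `provide an understanding of how common Control_RunDLL execution is within the environment`, and use the `Control_RunDLL` spelling the search itself matches on (`Processes.process=*Control_RunDLL*`).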
@@ -26,52 +47,20 @@ tags: - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Living Off The Land asset_type: Endpoint - confidence: 50 cve: - CVE-2021-40444 - impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. mitre_attack_id: - T1218 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml index 77bffc861a..151768e0f0 100644 --- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml +++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml 
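Review bot: The `tests` entry for rundll32_control_rundll_hunt points at the T1218.002 dataset (`.../attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log`) while `mitre_attack_id` lists only `T1218` and `T1218.011`. The dataset is plausibly correct, since Control Panel items are T1218.002 and the story is the MSHTML/CVE-2021-40444 one, but then `T1218.002` should also appear under `mitre_attack_id` so the test data, the story and the annotations agree. The same dataset/annotation mismatch appears in rundll32_control_rundll_world_writable_directory below.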
@@ -1,7 +1,7 @@ name: Rundll32 Control RunDLL World Writable Directory id: 1adffe86-10c3-11ec-8ce6-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -56,6 +56,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Microsoft MSHTML Remote Code Execution CVE-2021-40444 
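Review bot: `version` in rundll32_control_rundll_world_writable_directory jumps from `'5'` to `7`, skipping 6, while every other detection in this diff bumps by exactly one. If a version 6 already shipped from another branch that is fine; otherwise this should be `6`. The change from a quoted string to a bare integer is welcome and matches the other files.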
@@ -63,53 +78,20 @@ tags: - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. mitre_attack_id: - T1218 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml index 8a0c5d6c36..7aca900e66 100644 --- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml +++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml 
@@ -1,15 +1,27 @@ name: Rundll32 Create Remote Thread To A Process id: 2dbeee3a-f067-11eb-96c0-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host. +description: The following analytic detects the creation of a remote thread by rundll32.exe + into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring + SourceImage and TargetImage fields. This activity is significant as it is a common + technique used by malware, such as IcedID, to execute malicious code within legitimate + processes, aiding in defense evasion and data theft. If confirmed malicious, this + behavior could allow an attacker to execute arbitrary code, escalate privileges, + and exfiltrate sensitive information from the compromised host. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" + | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage + TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the SourceImage, TargetImage, and EventCode executions from your endpoints + related to create remote thread or injecting codes. If you are using Sysmon, you + must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.joesandbox.com/analysis/380662/0/html 
@@ -19,46 +31,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ + in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: + - field: SourceImage + type: process tags: analytic_story: - IcedID - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - TargetProcessId - - SourceProcessId - - 
StartAddress - - EventCode - - dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml index bc09aa98fb..0076a94683 100644 --- a/detections/endpoint/rundll32_createremotethread_in_browser.yml +++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml 
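Review bot: The new `rba.message` for rundll32_create_remote_thread_to_a_process copies the old `message` verbatim, typos included: `rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$`. Suggest `rundll32 process $SourceImage$ created a remote thread in process $TargetImage$ on host $dest$`. Also, `threat_objects` types the full image path `SourceImage` as `process` here, while rundll32_dnsquery below types `process_name` as `process_name`; choose the type deliberately so risk events from these IcedID detections aggregate on the same kind of object.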
@@ -1,15 +1,29 @@ name: Rundll32 CreateRemoteThread In Browser id: f8a22586-ee2d-11eb-a193-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches. +description: The following analytic detects the suspicious creation of a remote thread + by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, + and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on + SourceImage and TargetImage fields to identify the behavior. This activity is significant + as it is commonly associated with malware like IcedID, which hooks browsers to steal + sensitive information such as banking details. If confirmed malicious, this could + allow attackers to intercept and exfiltrate sensitive user data, leading to potential + financial loss and privacy breaches. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", + "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) + as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId + StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `rundll32_createremotethread_in_browser_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the SourceImage, TargetImage, and EventCode executions from your endpoints + related to create remote thread or injecting codes. If you are using Sysmon, you + must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.joesandbox.com/analysis/380662/0/html 
@@ -19,46 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundl32 process $SourceImage$ create a remote thread to browser process + $TargetImage$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: + - field: SourceImage + type: process tags: analytic_story: - IcedID - Living Off The Land asset_type: Endpoint - confidence: 100 - impact: 70 - message: rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - TargetProcessId - - 
SourceProcessId - - StartAddress - - EventCode - - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml index e77e25821f..f72c6c3ba3 100644 --- a/detections/endpoint/rundll32_dnsquery.yml +++ b/detections/endpoint/rundll32_dnsquery.yml 
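Review bot: Same message typo as in rundll32_create_remote_thread_to_a_process: `rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$` should read `rundll32 process $SourceImage$ created a remote thread in browser process $TargetImage$ on host $dest$`. Now that the text lives under `rba` and becomes the risk event message, it is worth fixing during this migration.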
@@ -1,15 +1,29 @@ name: Rundll32 DNSQuery id: f1483f5e-ee29-11eb-9d23-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network. +description: The following analytic detects a suspicious `rundll32.exe` process making + HTTP connections and performing DNS queries to web domains. It leverages Sysmon + EventCode 22 logs to identify these activities. This behavior is significant as + it is commonly associated with IcedID malware, where `rundll32.exe` checks internet + connectivity and communicates with C&C servers to download configurations and other + components. If confirmed malicious, this activity could allow attackers to establish + persistence, download additional payloads, and exfiltrate sensitive data, posing + a severe threat to the network. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +search: '`sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) + as firstTime max(_time) as lastTime values(query) as query values(answer) as answer + values(QueryResults) as query_results values(QueryStatus) as query_status by process_name + process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and eventcode = 22 dnsquery executions from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. + Tune and filter known instances where renamed rundll32.exe may be used. known_false_positives: unknown references: - https://any.run/malware-trends/icedid 
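Review bot: the rewrapped `search`, `description` and `how_to_implement` values are single-quoted YAML scalars, so each new line break folds to a single space at load time; every break here falls between SPL tokens (`by process_name` / `process_guid Computer`, `| `security_content_ctime(lastTime)``), so the query is unchanged, but a break placed inside a quoted value such as `process_name="rundll32.exe"` would silently change the search. Let the dumper do the wrapping rather than hand-wrapping, and keep its width fixed, so the next touch of this file does not produce another whole-file reflow that hides the real change (the `version`/`date` bump and the rba block below).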
@@ -19,45 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundll32 process $process_name$ made a DNS query for $query$ from host + $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - IcedID - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: rundll32 process $process_name$ made a DNS query for $query$ from host $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - QueryName - - QueryStatus - - ProcessId - - dest - risk_score: 56 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index 3dd340e8cf..b3a0ca0968 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml 
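Review bot: `score: 56` equals the removed `confidence: 80` × `impact: 70` / 100, so the risk contribution is preserved, but the `process_name` threat object is constant for this detection: the search pins `process_name="rundll32.exe"`, so every risk event carries the same threat object and it adds nothing for correlation in ES. The discriminating value is `query` (the domain rundll32 resolved, which the message already interpolates as `$query$`); if the rba schema offers a domain-typed threat object, `- field: query` would be the better choice. The same consideration applies to the other rundll32 detections in this diff that use `process_name` as their only threat object.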
@@ -1,17 +1,36 @@ name: Rundll32 LockWorkStation id: fa90f372-f91d-11eb-816c-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the rundll32.exe command with the user32.dll,LockWorkStation parameter, which is used to lock the workstation via command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is an uncommon method to lock a screen and has been observed in CONTI ransomware tooling for defense evasion. If confirmed malicious, this technique could indicate an attempt to evade detection and hinder incident response efforts. +description: The following analytic detects the execution of the rundll32.exe command + with the user32.dll,LockWorkStation parameter, which is used to lock the workstation + via command line. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as it is an uncommon method to lock a screen and has been observed + in CONTI ransomware tooling for defense evasion. If confirmed malicious, this technique + could indicate an attempt to evade detection and hinder incident response efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= "*user32.dll,LockWorkStation*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe + Processes.process= "*user32.dll,LockWorkStation*" by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://threadreaderapp.com/thread/1423361119926816776.html 
@@ -21,47 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process $process_name$ with cmdline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Process $process_name$ with cmdline $process$ in host $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index 1b49069bc7..7381fd77d0 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml +++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml 
@@ -1,15 +1,27 @@ name: Rundll32 Process Creating Exe Dll Files id: 6338266a-ee2a-11eb-bf68-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a rundll32 process creating executable (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to identify instances where rundll32.exe generates these file types. This activity is significant because rundll32 is often exploited by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment. +description: The following analytic detects a rundll32 process creating executable + (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to + identify instances where rundll32.exe generates these file types. This activity + is significant because rundll32 is often exploited by malware, such as IcedID, to + drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed + malicious, this behavior could allow an attacker to execute arbitrary code, establish + persistence, or escalate privileges within the environment. data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +search: '`sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll") + | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename + Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, TargetFilename, and eventcode 11 executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. known_false_positives: unknown references: - https://any.run/malware-trends/icedid 
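Review bot: `how_to_implement` still says to "Tune and filter known instances where renamed rundll32.exe may be used", but the search matches on `Image="*rundll32.exe"`, so a renamed copy is not a false-positive source for this analytic, it is a miss (Sysmon EventCode 11 carries no OriginalFileName to key on). Since the paragraph is being rewrapped anyway, reword it to say that renamed rundll32 binaries are out of scope here and need a process-creation based detection, rather than implying they produce noise to filter out.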
@@ -19,45 +31,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundll32 process drops a file $file_name$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - IcedID - Living Off The Land asset_type: Endpoint - confidence: 100 - impact: 80 - message: rundll32 process drops a file $file_name$ on host $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - file_name - - process_guid - - dest - - user_id - risk_score: 80 security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index 09b2961435..b2f5d5934a 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -1,7 +1,7 @@ name: Rundll32 Shimcache Flush id: a913718a-25b6-11ec-96d3-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
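Review bot: the `file_name` threat object is fed by `rename TargetFilename as file_name`, and Sysmon's TargetFilename is the full path (`C:\Users\...\x.dll`), not a bare file name, so the threat object will hold a path while `file_name` elsewhere in the data model holds a basename; if the schema has a path-typed threat object use that, or derive the basename before `rundll32_process_creating_exe_dll_files_filter` so the object matches what the type name promises. `score: 80` is consistent with the removed `confidence: 100` × `impact: 80` / 100. In the shimcache hunk, normalizing `version: '4'` to the unquoted `5` is the right call; the 2024-11-13 files in this diff already carried an unquoted integer.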
@@ -48,48 +48,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundll32 process execute $process$ to clear shim cache on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Unusual Processes - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: rundll32 process execute $process$ to clear shim cache in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index c7f51b0620..b668edd1ef 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml 
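Review bot: `threat_objects: []` leaves this risk event with no attacker-side indicator even though the message interpolates `$process$` and the removed `required_fields` list shows the search emits `Processes.process_name` and `Processes.process`; the full command line is the useful pivot here (the process name is always rundll32), so populate it with `process` under whatever command-line threat object type the schema provides. Also note the message text changed from "in $dest$" to "on $dest$" during the move; harmless, but a wording change bundled into a schema migration is easy to miss in review.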
@@ -1,7 +1,7 @@ name: Rundll32 with no Command Line Arguments with Network id: 35307032-a12d-11eb-835f-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Steven Dick, Michael Haag, Splunk status: production type: TTP @@ -55,6 +55,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A rundll32 process $process_name$ with no commandline argument like this + process commandline $process$ in host $src$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - BlackSuit Ransomware 
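Review bot: the new `rba.message` interpolates `$src$` ("in host $src$"), but the only risk object is `field: dest`. Unless the search emits a `src` field, the rendered risk message will contain the literal token `$src$`. The old `message` (removed in the next hunk) had the same token, so this is pre-existing, but the migration is the moment to change it to `$dest$` or to confirm against the search's actual output fields that `src` exists.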
@@ -65,46 +75,20 @@ tags: - PrintNightmare CVE-2021-34527 - BlackByte Ransomware asset_type: Endpoint - confidence: 100 cve: - CVE-2021-34527 - impact: 70 - message: A rundll32 process $process_name$ with no commandline argument like this - process commandline $process$ in host $src$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml index 61b451f233..b8fccdd6c4 100644 --- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml +++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml 
@@ -1,18 +1,40 @@ name: RunDLL Loading DLL By Ordinal id: 6c135f8d-5e60-454e-80b7-c56eed739833 -version: 8 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: Michael Haag, David Dorsey, Splunk status: production type: TTP -description: The following analytic detects rundll32.exe loading a DLL export function by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant because adversaries may use rundll32.exe to execute malicious code while evading security tools that do not monitor this process. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment. +description: The following analytic detects rundll32.exe loading a DLL export function + by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. This behavior is significant because + adversaries may use rundll32.exe to execute malicious code while evading security + tools that do not monitor this process. If confirmed malicious, this activity could + allow attackers to execute arbitrary code, potentially leading to system compromise, + privilege escalation, or persistent access within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"rundll32.+\#\d+") | `rundll_loading_dll_by_ordinal_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where match(process,"rundll32.+\#\d+") | + `rundll_loading_dll_by_ordinal_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are possible with native utilities and third + party applications. Filtering may be needed based on command-line, or add world + writeable paths to restrict query. references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - https://twitter.com/M_haggis/status/1491109262428635136 
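Review bot: `known_false_positives` reads "or add world writeable paths to restrict query", which does not say what is being restricted; state it concretely (for example, require the DLL argument in `process` to sit under a user-writable location such as `\Users\`, `\ProgramData\` or `\Temp\`) so a tuner can act on it. The regex `rundll32.+\#\d+` applied to `values(Processes.process) as process` runs over a multivalue field, so one ordinal-style command line in the group is enough to match; that is the intended behaviour, but it is worth a comment since `process` here is a set, not a single command line.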
@@ -23,9 +45,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A rundll32 process $process_name$ with ordinal parameter like this process + commandline $process$ on host $dest$. + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Unusual Processes 
@@ -33,43 +71,18 @@ tags: - Living Off The Land - IcedID asset_type: Endpoint - confidence: 70 - impact: 70 - message: A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$. mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml index 56335cb81a..e2fdf3bd6c 100644 --- a/detections/endpoint/ryuk_test_files_detected.yml +++ b/detections/endpoint/ryuk_test_files_detected.yml 
@@ -1,16 +1,30 @@ name: Ryuk Test Files Detected id: 57d44d70-28d9-4ed1-acf5-1c80ae2bbce3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Rod Soto, Jose Hernandez, Splunk status: production type: TTP -description: The following analytic identifies the presence of files containing the keyword "Ryuk" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage. +description: The following analytic identifies the presence of files containing the + keyword "Ryuk" in any folder on the C drive, indicative of Ryuk ransomware activity. + It leverages the Endpoint Filesystem data model to detect file paths matching this + pattern. This activity is significant as Ryuk ransomware is known for its destructive + impact, encrypting critical files and demanding ransom. If confirmed malicious, + this could lead to significant data loss, operational disruption, and financial + damage due to ransom payments and recovery efforts. Immediate investigation and + response are crucial to mitigate potential damage. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE "Filesystem.file_path"=C:\\*Ryuk* BY "Filesystem.dest", "Filesystem.user", "Filesystem.file_path" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`' -how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -known_false_positives: If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem WHERE "Filesystem.file_path"=C:\\*Ryuk* + BY "Filesystem.dest", "Filesystem.user", "Filesystem.file_path" | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`' +how_to_implement: You must be ingesting data that records the filesystem activity + from your hosts to populate the Endpoint Filesystem data-model object. If you are + using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. +known_false_positives: If there are files with this keywoord as file names it might + trigger false possitives, please make use of our filters to tune out potential FPs. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" 
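Review bot: `known_false_positives` is rewrapped with its typos intact ("keywoord", "possitives"); fix the spelling while the line is being touched. `references: []` on a production TTP detection is also worth filling, since the description's claim about Ryuk test files gives analysts nothing to verify against. On the search itself, `C:\\*Ryuk*` inside a single-quoted YAML scalar stays as two backslashes, which SPL reads as an escaped literal backslash, so the path pattern is correct as written.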
@@ -18,41 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A creation of ryuk test file $file_path$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: [] tags: analytic_story: - Ryuk Ransomware asset_type: Endpoint - confidence: 100 - impact: 70 - message: A creation of ryuk test file $file_path$ in host $dest$ mitre_attack_id: - T1486 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - Filesystem.dest - - Filesystem.user - risk_score: 70 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index 06e5b06533..e7f88ed5c7 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -1,7 +1,7 @@ name: Ryuk Wake on LAN Command id: 538d0152-7aaa-11eb-beaa-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,46 +51,34 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ with wake on LAN commandline $process$ on host + $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Ryuk Ransomware asset_type: Endpoint - confidence: 90 - impact: 70 - message: A process $process_name$ with wake on LAN commandline $process$ in host - $dest$ mitre_attack_id: - T1059 - T1059.003 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/sam_database_file_access_attempt.yml b/detections/endpoint/sam_database_file_access_attempt.yml index 2bf193709e..e76cbb1396 100644 --- a/detections/endpoint/sam_database_file_access_attempt.yml +++ b/detections/endpoint/sam_database_file_access_attempt.yml 
@@ -1,16 +1,30 @@ name: SAM Database File Access Attempt id: 57551656-ebdb-11eb-afdf-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\system32\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system. +description: The following analytic detects attempts to access the SAM, SYSTEM, or + SECURITY database files within the `windows\system32\config` directory using Windows + Security EventCode 4663. This detection leverages Windows Security Event logs to + identify unauthorized access attempts. Monitoring this activity is crucial as it + indicates potential credential access attempts, possibly exploiting vulnerabilities + like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, + leading to unauthorized access, privilege escalation, and further compromise of + the system. data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. 
For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. +search: '`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName + IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") + | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename + ProcessName as process_name | `sam_database_file_access_attempt_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: Natively, `dllhost.exe` will access the files. Every environment + will have additional native processes that do as well. Filter by process_name. As + an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663 
@@ -24,46 +38,20 @@ tags: - Graceful Wipe Out Attack - Rhysida Ransomware asset_type: Endpoint - confidence: 100 cve: - CVE-2021-36934 - impact: 80 - message: The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$. mitre_attack_id: - T1003.002 - T1003 - observable: - - name: src_user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - - name: ObjectName - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - Object_Name - - dest - - user - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml index f2db5e7aa7..25bc5a6808 100644 --- a/detections/endpoint/samsam_test_file_write.yml +++ b/detections/endpoint/samsam_test_file_write.yml 
@@ -1,15 +1,29 @@ name: Samsam Test File Write id: 493a879d-519d-428f-8f57-a06a0fdc107e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects the creation of a file named "test.txt" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage. +description: The following analytic detects the creation of a file named "test.txt" + within the Windows system directory, indicative of Samsam ransomware propagation. + It leverages file-system activity data from the Endpoint data model, specifically + monitoring file paths within the Windows System32 directory. This activity is significant + as it aligns with known Samsam ransomware behavior, which uses such files for propagation + and execution. If confirmed malicious, this could lead to ransomware deployment, + resulting in data encryption, system disruption, and potential data loss. Immediate + investigation and remediation are crucial to prevent further damage. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`' -how_to_implement: You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) + as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt + by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`' +how_to_implement: You must be ingesting data that records the file-system activity + from your hosts to populate the Endpoint file-system data-model node. If you are + using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. known_false_positives: No false positives have been identified. references: [] drilldown_searches: 
@@ -18,42 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A samsam ransomware test file creation in $file_path$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 12 + - field: user + type: user + score: 12 + threat_objects: [] tags: analytic_story: - SamSam Ransomware asset_type: Endpoint - confidence: 20 - impact: 60 - message: A samsam ransomware test file creation in $file_path$ in host $dest$ mitre_attack_id: - T1486 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.user - - Filesystem.dest - - Filesystem.file_name - - Filesystem.file_path - risk_score: 12 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index 972d6b948a..2ca5eeaf14 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml 
@@ -1,18 +1,40 @@ name: Sc exe Manipulating Windows Services id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. +description: The following analytic detects the creation or modification of Windows + services using the sc.exe command. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and command-line arguments. This + activity is significant because manipulating Windows services can be a method for + attackers to establish persistence, escalate privileges, or execute arbitrary code. + If confirmed malicious, this behavior could allow an attacker to maintain long-term + access, disrupt services, or gain control over critical system functions, posing + a severe threat to the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* + config *") by Processes.process_name Processes.parent_process_name Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Using sc.exe to manipulate Windows services is uncommon. However, + there may be legitimate instances of this behavior. It is important to validate + and investigate as appropriate. references: - https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver drilldown_searches: 
@@ -21,51 +43,49 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A sc process $process_name$ with commandline $process$ to create of configure + services in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - - Windows Service Abuse - - DHS Report TA18-074A + - Azorult - Orangeworm Attack Group + - Windows Drivers + - NOBELIUM Group - Windows Persistence Techniques - Disabling Security Tools - - NOBELIUM Group - - Azorult - - Windows Drivers + - Windows Service Abuse + - DHS Report TA18-074A + - Crypto Stealer asset_type: Endpoint - confidence: 80 - impact: 70 - message: A sc process $process_name$ with commandline $process$ to create of configure services in host 
$dest$ mitre_attack_id: - T1543.003 - T1543 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml index e36a232f40..fff2339458 100644 --- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml +++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml 
@@ -1,16 +1,31 @@ name: SchCache Change By App Connect And Create ADSI Object id: 991eb510-0fc6-11ec-82d3-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects an application attempting to connect and create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. This activity is significant as it can indicate the presence of suspicious applications, such as ransomware, using ADSI object APIs for LDAP queries. If confirmed malicious, this behavior could allow attackers to gather sensitive directory information, potentially leading to further exploitation or lateral movement within the network. +description: The following analytic detects an application attempting to connect and + create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 + to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\Microsoft\Windows\SchCache + or %systemroot%\SchCache. This activity is significant as it can indicate the presence + of suspicious applications, such as ransomware, using ADSI object APIs for LDAP + queries. If confirmed malicious, this behavior could allow attackers to gather sensitive + directory information, potentially leading to further exploitation or lateral movement + within the network. 
data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename = "*.sch*" NOT (Image IN ("*\\Windows\\system32\\mmc.exe")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: normal application like mmc.exe and other ldap query tool may trigger this detections. +search: '`sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename + = "*.sch*" NOT (Image IN ("*\\Windows\\system32\\mmc.exe")) |stats count min(_time) + as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `schcache_change_by_app_connect_and_create_adsi_object_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: normal application like mmc.exe and other ldap query tool may + trigger this detections. references: - https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ 
@@ -20,41 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $Image$ create a file $TargetFilename$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - BlackMatter Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: process $Image$ create a file $TargetFilename$ in host $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - TargetFilename - - EventCode - - process_id - - process_name - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index 6ecd1b6bee..bfea49a4e0 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -1,7 +1,7 @@ name: Schedule Task with HTTP Command Arguments id: 523c2684-a101-11eb-916b-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -39,6 +39,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A scheduled task process commandline arguments $Arguments$ with http string + in it on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Windows Persistence Techniques 
@@ -47,35 +55,17 @@ tags: - Scheduled Tasks - Winter Vivern asset_type: Endpoint - confidence: 90 - impact: 70 - message: A schedule task process commandline arguments $Arguments$ with http string - on it in host $dest$ mitre_attack_id: - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Task_Name - - Command - - Author - - Enabled - - Hidden - - Arguments - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/tasksched/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/tasksched/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index 212a2cb1ae..46ece09f64 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -1,7 +1,7 @@ name: Schedule Task with Rundll32 Command Trigger id: 75b00fd8-a0ff-11eb-8b31-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -40,6 +40,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A scheduled task process commandline rundll32 arguments $Arguments$ on + host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: - Windows Persistence Techniques 
@@ -49,35 +57,17 @@ tags: - Compromised Windows Host - Trickbot asset_type: Endpoint - confidence: 100 - impact: 70 - message: A schedule task process commandline rundll32 arguments $Arguments$ in host - $dest$ mitre_attack_id: - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Task_Name - - Command - - Author - - Enabled - - Hidden - - Arguments - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/tasksched/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/tasksched/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 5d50547204..7732be5bf9 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml 
@@ -1,18 +1,39 @@ name: Scheduled Task Creation on Remote Endpoint using At id: 4be54858-432f-11ec-8209-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of scheduled tasks on remote Windows endpoints using the at.exe command. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events involving at.exe with remote command-line arguments. Identifying this activity is significant for a SOC as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this activity could lead to unauthorized access, persistence, or execution of malicious code, potentially resulting in data theft or further compromise of the network. +description: The following analytic detects the creation of scheduled tasks on remote + Windows endpoints using the at.exe command. This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process creation events involving at.exe + with remote command-line arguments. Identifying this activity is significant for + a SOC as it may indicate lateral movement or remote code execution attempts by an + attacker. If confirmed malicious, this activity could lead to unauthorized access, + persistence, or execution of malicious code, potentially resulting in data theft + or further compromise of the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe + OR Processes.original_file_name=at.exe) (Processes.process=*\\\\*) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may create scheduled tasks on remote systems, + but this activity is usually limited to a small set of hosts or users. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at - https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN 
@@ -22,48 +43,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows Scheduled Task was created on a remote endpoint from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land - Scheduled Tasks asset_type: Endpoint - confidence: 60 - impact: 90 - message: A Windows Scheduled Task was created on a remote endpoint from $dest$ mitre_attack_id: - T1053 - T1053.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - 
- Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 365e3e1418..6d89907f5b 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml 
@@ -1,18 +1,41 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 8 -date: '2024-09-30' +version: 11 +date: '2025-01-27' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies the creation or deletion of scheduled tasks using the schtasks.exe utility with the -create or -delete flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it can indicate unauthorized system manipulation or malicious intent, often associated with threat actors like Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this activity could allow attackers to execute code, escalate privileges, or persist within the environment, posing a significant security risk. +description: The following analytic identifies the creation or deletion of scheduled + tasks using the schtasks.exe utility with the -create or -delete flags. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it can indicate unauthorized + system manipulation or malicious intent, often associated with threat actors like + Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this + activity could allow attackers to execute code, escalate privileges, or persist + within the environment, posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe + (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name + Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: While it is possible for legitimate scripts or administrators + to trigger this behavior, filtering can be applied based on the parent process and + application to reduce false positives. Analysts should reference the provided references + to understand the context and threat landscape associated with this activity. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - https://www.joesandbox.com/analysis/691823/0/html 
@@ -22,64 +45,61 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A schedule task process $process_name$ with create or delete commandline + $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - - AsyncRAT - - Winter Vivern - Windows Persistence Techniques - - Living Off The Land - - Prestige Ransomware - - AgentTesla - - NjRAT - - RedLine Stealer - - Rhysida Ransomware - - Azorult - DHS Report TA18-074A - - Scheduled Tasks - - Sandworm Tools - - Qakbot - - CISA AA22-257A - Trickbot - - NOBELIUM Group - - Amadey - - DarkCrystal RAT - CISA AA23-347A - - Phemedrone Stealer + - Qakbot + - Azorult - ShrinkLocker + - AsyncRAT + - Phemedrone Stealer + - NjRAT + 
- Prestige Ransomware + - Scheduled Tasks + - AgentTesla - MoonPeak + - NOBELIUM Group + - Living Off The Land + - CISA AA22-257A - CISA AA24-241A + - Amadey + - DarkCrystal RAT + - Sandworm Tools + - Winter Vivern + - Nexus APT Threat Activity + - Earth Estries + - Rhysida Ransomware + - RedLine Stealer asset_type: Endpoint - confidence: 80 - impact: 70 - message: A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$ mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process - - Processes.process_name - - Processes.user - - Processes.parent_process_name - - Processes.dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index 548127b8f8..80d3a28e57 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml 
@@ -1,18 +1,38 @@ name: Scheduled Task Initiation on Remote Endpoint id: 95cf4608-4302-11ec-8194-3e22fbd008af -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk, Badoodish, Github Community status: production type: TTP -description: The following analytic detects the use of 'schtasks.exe' to start a Scheduled Task on a remote endpoint. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process details such as process name, parent process, and command-line executions. This activity is significant as adversaries often abuse Task Scheduler for lateral movement and remote code execution. If confirmed malicious, this behavior could allow attackers to execute arbitrary code remotely, potentially leading to further compromise of the network. +description: The following analytic detects the use of 'schtasks.exe' to start a Scheduled + Task on a remote endpoint. This detection leverages Endpoint Detection and Response + (EDR) data, focusing on process details such as process name, parent process, and + command-line executions. This activity is significant as adversaries often abuse + Task Scheduler for lateral movement and remote code execution. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code remotely, potentially + leading to further compromise of the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process= "* /S *" AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe + OR Processes.original_file_name=schtasks.exe) (Processes.process= "* /S *" AND Processes.process=*/run*) + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may start scheduled tasks on remote systems, + but this activity is usually limited to a small set of hosts or users. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks - https://attack.mitre.org/techniques/T1053/005/ 
@@ -22,48 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows Scheduled Task was ran on a remote endpoint from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land - Scheduled Tasks asset_type: Endpoint - confidence: 60 - impact: 90 - message: A Windows Scheduled Task was ran on a remote endpoint from $dest$ mitre_attack_id: - T1053 - T1053.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index 92539df2da..189d728507 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml 
@@ -1,18 +1,41 @@ name: Schtasks Run Task On Demand id: bb37061e-af1f-11eb-a159-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise. +description: The following analytic detects the execution of a Windows Scheduled Task + on demand via the shell or command line. It leverages process-related data, including + process name, parent process, and command-line executions, sourced from endpoint + logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. + This activity is significant as adversaries often use it to force the execution + of their created Scheduled Tasks for persistent access or lateral movement within + a compromised machine. If confirmed malicious, this could allow attackers to maintain + persistence or move laterally within the network, potentially leading to further + compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" + Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Bear in mind, administrators debugging Scheduled Task entries + may trigger this analytic, necessitating fine-tuning and filtering to distinguish + between legitimate and potentially malicious use of 'schtasks.exe'. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: 
@@ -21,9 +44,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A "on demand" execution of schedule task process $process_name$ using + commandline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 48 + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Qakbot 
@@ -33,37 +72,17 @@ tags: - Data Destruction - Scheduled Tasks asset_type: Endpoint - confidence: 80 - impact: 60 - message: A "on demand" execution of schedule task process $process_name$ using commandline $process$ in host $dest$ mitre_attack_id: - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.process_id - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index eca908bfdf..a32d7dca97 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -1,7 +1,7 @@ name: Schtasks scheduling job on remote system id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6 -version: '10' -date: '2024-11-28' +version: 11 +date: '2024-12-10' author: David Dorsey, Mauricio Velazco, Splunk status: production type: TTP 
@@ -50,6 +50,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A scheduled task process $process_name$ with remote job command-line $process$ + on host $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Active Directory Lateral Movement @@ -61,42 +74,18 @@ tags: - Compromised Windows Host - RedLine Stealer asset_type: Endpoint - confidence: 90 - impact: 70 - message: A schedule task process $process_name$ with remote job command-line $process$ - in host $dest$ by $user$. mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index 319cb56975..b49abbe0fc 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml 
@@ -1,18 +1,40 @@ name: Schtasks used for forcing a reboot id: 1297fb80-f42a-4b4a-9c8a-88c066437cf6 -version: 6 -date: '2024-09-30' +version: 8 +date: '2024-11-13' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the use of 'schtasks.exe' to schedule forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint process data to identify instances where these specific command-line arguments are used. This activity is significant because it may indicate an adversary attempting to disrupt operations or force a reboot to execute further malicious actions. If confirmed malicious, this could lead to system downtime, potential data loss, and provide an attacker with an opportunity to execute additional payloads or evade detection. +description: The following analytic detects the use of 'schtasks.exe' to schedule + forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint + process data to identify instances where these specific command-line arguments are + used. This activity is significant because it may indicate an adversary attempting + to disrupt operations or force a reboot to execute further malicious actions. If + confirmed malicious, this could lead to system downtime, potential data loss, and + provide an attacker with an opportunity to execute additional payloads or evade + detection. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process="*shutdown*" Processes.process="*/create *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=schtasks.exe Processes.process="*shutdown*" Processes.process="*/create + *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `schtasks_used_for_forcing_a_reboot_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This analytic may also capture legitimate administrative activities + such as system updates or maintenance tasks, which can be classified as false positives. + Filter as needed. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" 
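Review bot: the version bump 6 -> 8 in this hunk skips a number, while every other detection in this patch moves by exactly one (3 -> 4, 6 -> 7, 5 -> 6); either an intermediate revision was lost from the diff or this should read `version: 7`. Worth confirming before merge so the changelog stays monotonic.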
@@ -20,46 +42,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A schedule task process $process_name$ with force reboot commandline $process$ + in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Windows Persistence Techniques - Ransomware - Scheduled Tasks asset_type: Endpoint - confidence: 80 - impact: 70 - message: A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$ mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - 
Processes.process - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml index 80d2c33469..cd7c86469d 100644 --- a/detections/endpoint/screensaver_event_trigger_execution.yml +++ b/detections/endpoint/screensaver_event_trigger_execution.yml 
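Review bot: the new `rba.message` keeps the old wording "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", whereas the sibling scheduled-task hunk earlier in this patch was reworded to "A scheduled task process ... command-line ... on host $dest$ by $user$". Suggest the same fix here, and since `user` is declared as a risk object (score 56), appending "by $user$" so the risk message names both objects it is attached to.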
@@ -1,15 +1,31 @@ name: Screensaver Event Trigger Execution id: 58cea3ec-1f6d-11ec-8560-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access. +description: The following analytic detects modifications to the SCRNSAVE.EXE registry + entry, indicating potential event trigger execution via screensaver settings for + persistence or privilege escalation. It leverages registry activity data from the + Endpoint data model to identify changes to the specified registry path. This activity + is significant as it is a known technique used by APT groups and malware to maintain + persistence or escalate privileges. If confirmed malicious, this could allow an + attacker to execute arbitrary code with elevated privileges, leading to further + system compromise and persistent access. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control + Panel\\Desktop\\SCRNSAVE.EXE*") by Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1546/002/ 
@@ -20,9 +36,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry path $registry_path$ was modified, added, or deleted on $dest$. + risk_objects: + - field: dest + type: system + score: 72 + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Hermetic Wiper 
@@ -31,37 +62,18 @@ tags: - Windows Registry Abuse - Data Destruction asset_type: Endpoint - confidence: 90 - impact: 80 - message: Registry path $registry_path$ was modified, added, or deleted in $dest$. mitre_attack_id: - T1546 - T1546.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index 6ff371fed6..3e4e7d0663 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml 
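Review bot: `rba.message` says the registry path "was modified, added, or deleted", but `data_source` lists only `Sysmon EventID 13` (value set); key/value creation and deletion are reported by EventID 12, which is not listed. Either add `Sysmon EventID 12` to `data_source` or narrow the message to "was modified" so it matches what the search can actually observe.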
@@ -1,18 +1,39 @@ name: Script Execution via WMI id: aa73f80d-d728-4077-b226-81ea0c8be589 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. Analysts should differentiate between legitimate administrative use and potential threats. +description: The following analytic detects the execution of scripts via Windows Management + Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events. WMI-based script execution is significant because adversaries often use + it to perform malicious activities stealthily, such as system compromise, data exfiltration, + or establishing persistence. If confirmed malicious, this activity could allow attackers + to execute arbitrary code, escalate privileges, or maintain long-term access to + the environment. Analysts should differentiate between legitimate administrative + use and potential threats. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, administrators may use wmi to launch scripts + for legitimate purposes. Filter as needed. references: - https://redcanary.com/blog/child-processes/ drilldown_searches: 
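Review bot: minor, but `known_false_positives` should capitalize "WMI" to match the description and the analytic story name ("Suspicious WMI Use"); while touching the line, it would help triage to say what legitimate use looks like, e.g. `scrcons.exe` spawned by `svchost.exe` for management scripts from configuration tooling, rather than the bare "Filter as needed."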
@@ -21,41 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A wmic.exe process $process_name$ that execute script in host $dest$ + risk_objects: + - field: dest + type: system + score: 36 + - field: user + type: user + score: 36 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 60 - impact: 60 - message: A wmic.exe process $process_name$ that execute script in host $dest$ mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.user - - Processes.dest - risk_score: 36 security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml index 49c6139415..4efac5ec1b 100644 --- a/detections/endpoint/sdclt_uac_bypass.yml +++ b/detections/endpoint/sdclt_uac_bypass.yml 
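Review bot: `rba.message` reads "A wmic.exe process $process_name$ that execute script in host $dest$", but the search matches `Processes.process_name=scrcons.exe` (the WMI script consumer host), so the message will always name wmic.exe for a scrcons.exe event. Suggest "WMI script consumer process $process_name$ executed a script on host $dest$" (also fixing "execute"/"in host"), and consider promoting `process_name` to a `threat_object` as the scheduled-task hunk in this patch does instead of leaving `threat_objects: []`.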
@@ -1,19 +1,46 @@ name: Sdclt UAC Bypass id: d71efbf6-da63-11eb-8c6e-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious modifications to the sdclt.exe registry, a technique often used to bypass User Account Control (UAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific registry paths and values associated with sdclt.exe. This activity is significant because UAC bypasses can allow attackers to execute payloads with elevated privileges without user consent. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and potential persistence within the environment, posing a severe security risk. +description: The following analytic detects suspicious modifications to the sdclt.exe + registry, a technique often used to bypass User Account Control (UAC). It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on specific registry + paths and values associated with sdclt.exe. This activity is significant because + UAC bypasses can allow attackers to execute payloads with elevated privileges without + user consent. If confirmed malicious, this could lead to unauthorized code execution, + privilege escalation, and potential persistence within the environment, posing a + severe security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\Windows\\CurrentVersion\\App Paths\\control.exe*" OR Registry.registry_path= "*\\exefile\\shell\\runas\\command\\*") (Registry.registry_value_name = "(Default)" OR Registry.registry_value_name = "IsolatedCommand")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE ((Registry.registry_path= "*\\Windows\\CurrentVersion\\App Paths\\control.exe*" + OR Registry.registry_path= "*\\exefile\\shell\\runas\\command\\*") (Registry.registry_value_name + = "(Default)" OR Registry.registry_value_name = "IsolatedCommand")) BY _time span=1h + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime + dest user parent_process_name parent_process process_name process_path process registry_key_name + registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Limited to no false positives are expected. references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ 
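Review bot: `how_to_implement` still only talks about mapping logs to the `Processes` node, but the search joins `Endpoint.Registry` on `process_guid` and `data_source` now lists Sysmon EventID 12 and 13. If registry events are not mapped to the `Registry` node with `Registry.process_guid` populated, the `join process_guid [...]` subsearch returns nothing and the detection silently never fires; that prerequisite belongs in this paragraph.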
@@ -25,51 +52,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious modification of registry $registry_path$ with possible payload + path $registry_value_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - 
Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml index a2676c6614..30f375f28a 100644 --- a/detections/endpoint/sdelete_application_execution.yml +++ b/detections/endpoint/sdelete_application_execution.yml 
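Review bot: `rba.message` reports "possible payload path $registry_value_name$", but the search restricts `registry_value_name` to `"(Default)"` or `"IsolatedCommand"`, so the message will never contain a path. The payload lives in `registry_value_data`, which the `fields` clause already keeps; suggest `$registry_value_data$` here. Also note `user` is in the `BY` clause but is not declared as a risk object, unlike the other endpoint detections in this patch; that is acceptable for a UAC bypass scored on the host, but it should be a deliberate choice.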
@@ -1,17 +1,38 @@ name: Sdelete Application Execution id: 31702fc0-2682-11ec-85c3-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the sdelete.exe application, a Sysinternals tool often used by adversaries to securely delete files and remove forensic evidence from a targeted host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as sdelete.exe is not commonly used in regular operations and its presence may indicate an attempt to cover malicious activities. If confirmed malicious, this could lead to the loss of critical forensic data, hindering incident response and investigation efforts. +description: The following analytic detects the execution of the sdelete.exe application, + a Sysinternals tool often used by adversaries to securely delete files and remove + forensic evidence from a targeted host. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs. Monitoring + this activity is crucial as sdelete.exe is not commonly used in regular operations + and its presence may indicate an attempt to cover malicious activities. If confirmed + malicious, this could lead to the loss of critical forensic data, hindering incident + response and investigation efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.parent_process) as parent_process values(Processes.process_id) + as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_sdelete` by Processes.process_name Processes.original_file_name + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `sdelete_application_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: user may execute and use this application references: - https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/ 
@@ -21,51 +42,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: sdelete process $process_name$ executed on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Masquerading - Rename System Utilities asset_type: Endpoint - confidence: 70 - impact: 70 - message: sdelete process $process_name$ executed in $dest$ mitre_attack_id: - T1485 - T1070.004 - T1070 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - 
Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml index 06f3be8d2a..fc8584a30d 100644 --- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml +++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml @@ -1,7 +1,7 @@ name: SearchProtocolHost with no Command Line with Network id: b690df8c-a145-11eb-a38b-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -51,6 +51,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A searchprotocolhost.exe process $process_name$ with no commandline on + host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Graceful Wipe Out Attack 
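Review bot: In the sdelete_application_execution.yml rba block (the `+rba:` lines that replace `confidence`/`impact`/`message`/`observable`/`risk_score`), `threat_objects: []` is empty even though the new message interpolates `$process_name$` and the search groups by `Processes.process_name`; consider adding `- field: process_name` / `type: process_name` under `threat_objects`, as the searchprotocolhost_with_no_command_line_with_network.yml hunk in this same change does, so the sdelete binary is attached to the risk event as an entity rather than only appearing in its text. The dest/user scores of 49 match the removed `risk_score: 49`, so that part is consistent.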
@@ -58,37 +68,17 @@ tags: - Compromised Windows Host - BlackByte Ransomware asset_type: Endpoint - confidence: 100 - impact: 70 - message: A searchprotocolhost.exe process $process_name$ with no commandline in - host $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - process_id - - parent_process_name - - dest_port - - process_path - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml index 099dc3aa81..f973ba81b6 100644 --- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml +++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml @@ -1,7 +1,7 @@ name: SecretDumps Offline NTDS Dumping Tool id: 5672819c-be09-11eb-bbfb-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -51,6 +51,17 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A secretdump process $process_name$ with secretdump commandline $process$ + to dump credentials on host $dest$ + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Compromised Windows Host @@ -58,41 +69,18 @@ tags: - Rhysida Ransomware - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 80 - message: A secretdump process $process_name$ with secretdump commandline $process$ - to dump credentials in host $dest$ mitre_attack_id: - T1003.003 - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml index 605dca4340..c584719964 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml 
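Review bot: Same gap in secretdumps_offline_ntds_dumping_tool.yml: the added `rba.message` references both `$process_name$` and `$process$`, but `threat_objects: []` carries neither, so the secretdump process is not linked to the risk event as an entity. The removed `observable` list only had dest and user, so this preserves the old behaviour; if that is intentional, fine, otherwise add `process_name` as a threat object. The score of 80 matches the removed `risk_score: 80`.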
@@ -1,15 +1,26 @@ name: ServicePrincipalNames Discovery with PowerShell id: 13243068-2d38-11ec-8908-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. It identifies the use of the KerberosRequestorSecurityToken class within the script block, which is equivalent to using setspn.exe. This activity is significant as it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment. +description: The following analytic detects the use of `powershell.exe` to query the + domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. + It identifies the use of the KerberosRequestorSecurityToken class within the script + block, which is equivalent to using setspn.exe. This activity is significant as + it often precedes kerberoasting or silver ticket attacks, which can lead to credential + theft. If confirmed malicious, attackers could leverage this information to escalate + privileges or persist within the environment. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*" + | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText + Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited, however filter as needed. references: - https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names 
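Review bot: The reflowed `how_to_implement` in serviceprincipalnames_discovery_with_powershell.yml still points to a URL whose anchor is `#Configure_module_logging_for_PowerShell`, while the analytic depends on Script Block Logging (EventCode 4104), not module logging. Since the line is being touched anyway, link to the script block logging setup instead, or state both, so operators enable the log source this search actually reads.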
@@ -32,9 +43,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of attempting to identify service principle detected on $dest$ + names. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Active Directory Discovery 
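Review bot: The new `rba.message` in serviceprincipalnames_discovery_with_powershell.yml reads `An instance of attempting to identify service principle detected on $dest$ names.`, which carries over the garbled wording of the removed `message` ("principle" for "principal", and "names" stranded after `$dest$`). Suggest `An attempt to identify service principal names was detected on $dest$ by user $user$.`; the setspn detection in this same change already uses the corrected spelling. Scores of 80 match the removed `risk_score: 80`.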
@@ -42,36 +69,17 @@ tags: - Malicious PowerShell - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of attempting to identify service principle detected on $dest$ names. mitre_attack_id: - T1558.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml index fc68f9958d..1abd21eb3c 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml @@ -1,7 +1,7 @@ name: ServicePrincipalNames Discovery with SetSPN id: ae8b3efc-2d2e-11ec-8b57-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
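Review bot: In the serviceprincipalnames_discovery_with_setspn.yml header hunk, `version: '5'` becomes `version: 7`, skipping 6, whereas every other detection in this change increments by exactly one (`'6'` to `7` in searchprotocolhost, `'4'` to `5` in secretdumps, `'5'` to `6` in services_escalate_exe). Confirm that a version 6 was already published elsewhere; otherwise this should be `version: 6`.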
@@ -58,6 +58,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to identify service principal names. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Discovery 
@@ -65,51 +80,17 @@ tags: - Compromised Windows Host - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to identify service principle names. mitre_attack_id: - T1558.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml index ac975b14bc..dcfbd904f1 100644 --- a/detections/endpoint/services_escalate_exe.yml +++ b/detections/endpoint/services_escalate_exe.yml @@ -1,7 +1,7 @@ name: Services Escalate Exe id: c448488c-b7ec-11eb-8253-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -52,6 +52,17 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service process $parent_process_name$ with process path $process_path$ + on host $dest$ + risk_objects: + - field: dest + type: system + score: 76 + - field: user + type: user + score: 76 + threat_objects: [] tags: analytic_story: - Graceful Wipe Out Attack @@ -60,39 +71,17 @@ tags: - Compromised Windows Host - BlackByte Ransomware asset_type: Endpoint - confidence: 95 - impact: 80 - message: A service process $parent_process_name$ with process path $process_path$ - in host $dest$ mitre_attack_id: - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 76 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index 79b5cf4205..7d8de9c979 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml 
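Review bot: In services_escalate_exe.yml, the new `rba.message` interpolates `$process_path$`, but the `required_fields` list removed in the following hunk (`_time`, `Processes.dest`, `Processes.user`, `Processes.parent_process`, `Processes.process_name`, `Processes.process`, `Processes.process_id`, `Processes.parent_process_id`) never included `Processes.process_path`; verify that the search actually emits `process_path`, or the token will render unresolved in the risk message. The message is also a fragment with no verb; something like `A service process $parent_process_name$ spawned $process_name$ on host $dest$` would describe an event. Scores of 76 match the removed `risk_score: 76`.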
@@ -1,18 +1,49 @@ name: Services LOLBAS Execution Process Spawn id: ba9e1954-4c04-11ec-8b74-3e22fbd008af -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies `services.exe` spawning a LOLBAS (Living Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `services.exe` is the parent process. This activity is significant because adversaries often abuse the Service Control Manager to execute malicious code via native Windows binaries, facilitating lateral movement. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk. +description: The following analytic identifies `services.exe` spawning a LOLBAS (Living + Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process creation events where `services.exe` + is the parent process. This activity is significant because adversaries often abuse + the Service Control Manager to execute malicious code via native Windows binaries, + facilitating lateral movement. If confirmed malicious, this behavior could allow + attackers to execute arbitrary code, escalate privileges, or maintain persistence + within the environment, posing a severe security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may trigger this behavior, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) + (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", + "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", + "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", + "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", + "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", + "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", + "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", + "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", + "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", + "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", + "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate applications may trigger this behavior, filter as + needed. references: - https://attack.mitre.org/techniques/T1543/003/ - https://pentestlab.blog/2020/07/21/lateral-movement-services/ 
@@ -23,9 +54,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Services.exe spawned a LOLBAS process on $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement 
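Review bot: In services_lolbas_execution_process_spawn.yml, the new `rba.message` (`Services.exe spawned a LOLBAS process on $dest$`) omits the one detail an analyst needs first, which binary was spawned, even though the search's `by` clause already carries `Processes.process_name` and `Processes.process`. Suggest `Services.exe spawned LOLBAS process $process_name$ on $dest$` and listing `process_name` under `threat_objects` instead of `[]`. Score 54 matches the removed `risk_score: 54`.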
@@ -33,39 +76,18 @@ tags: - Qakbot - CISA AA23-347A asset_type: Endpoint - confidence: 60 - impact: 90 - message: Services.exe spawned a LOLBAS process on $dest$ mitre_attack_id: - T1543 - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml index 47d9c3c06d..edfccceae6 100644 --- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml +++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml 
@@ -1,20 +1,49 @@ name: Set Default PowerShell Execution Policy To Unrestricted or Bypass id: c2590137-0b08-4985-9ec5-6ae23d92f63d -version: 11 -date: '2024-09-30' +version: 12 +date: '2024-11-13' author: Steven Dick, Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to "Unrestricted" or "Bypass." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges. +description: The following analytic detects changes to the PowerShell ExecutionPolicy + in the registry to "Unrestricted" or "Bypass." It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on registry modifications under the path *Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell*. + This activity is significant because setting the ExecutionPolicy to these values + can allow the execution of potentially malicious scripts without restriction. If + confirmed malicious, this could enable an attacker to execute arbitrary code, leading + to further compromise of the system and potential escalation of privileges. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* + Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted + OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime + dest user parent_process_name parent_process process_name process_path process registry_key_name + registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may attempt to change the default execution + policy on a system for a variety of reasons. However, setting the policy to "unrestricted" + or "bypass" as this search is designed to identify, would be unusual. Hits should + be reviewed and investigated as appropriate. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
@@ -22,9 +51,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in $registry_path$ with reg key $registry_key_name$ + and reg value $registry_value_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 48 + threat_objects: + - field: registry_path + type: registry_path tags: analytic_story: - HAFNIUM Group 
@@ -34,47 +78,18 @@ tags: - Data Destruction - DarkGate Malware asset_type: Endpoint - confidence: 80 - impact: 60 - message: A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: registry_path - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml index 12480258a4..21a14c236b 100644 --- a/detections/endpoint/shim_database_file_creation.yml +++ b/detections/endpoint/shim_database_file_creation.yml 
@@ -1,16 +1,31 @@ name: Shim Database File Creation id: 6e4c4588-ba2f-42fa-97e6-9f6f548eaa33 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: TTP -description: The following analytic detects the creation of shim database files (.sdb) in default directories using the sdbinst.exe application. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify file writes to the Windows\AppPatch\Custom directory. This activity is significant because shims can intercept and alter API calls, potentially allowing attackers to bypass security controls or execute malicious code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. +description: The following analytic detects the creation of shim database files (.sdb) + in default directories using the sdbinst.exe application. It leverages filesystem + activity data from the Endpoint.Filesystem data model to identify file writes to + the Windows\AppPatch\Custom directory. This activity is significant because shims + can intercept and alter API calls, potentially allowing attackers to bypass security + controls or execute malicious code. If confirmed malicious, this could lead to unauthorized + code execution, privilege escalation, or persistent access within the environment. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\AppPatch\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`' -how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -known_false_positives: Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation. +search: '| tstats `security_content_summariesonly` count values(Filesystem.action) + values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) + as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\AppPatch\\Custom* + by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`' +how_to_implement: You must be ingesting data that records the filesystem activity + from your hosts to populate the Endpoint file-system data model node. If you are + using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. +known_false_positives: Because legitimate shim files are created and used all the + time, this event, in itself, is not suspicious. 
However, if there are other correlating + events, it may warrant further investigation. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
@@ -18,43 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process that possibly write shim database in $file_path$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: + - field: file_path + type: file_path tags: analytic_story: - Windows Persistence Techniques asset_type: Endpoint - confidence: 80 - impact: 70 - message: A process that possibly write shim database in $file_path$ in host $dest$ mitre_attack_id: - T1546.011 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_path - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_hash - - Filesystem.file_path - - Filesystem.file_name - - Filesystem.dest - 
risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index 0f82de52f1..9e30f471ff 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -1,7 +1,7 @@ name: Shim Database Installation With Suspicious Parameters id: 404620de-46d8-48b6-90cc-8a8d7b0876a3 -version: '7' -date: '2024-11-28' +version: 8 +date: '2024-12-16' author: David Dorsey, Splunk status: production type: TTP 
@@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe NOT Processes.process IN ("\"C:\\Windows\\System32\\sdbinst.exe\"", "C:\\Windows\\System32\\sdbinst.exe", "*-mm", "*-?") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`' +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe NOT Processes.process IN ("\"C:\\Windows\\System32\\sdbinst.exe\"", "C:\\Windows\\System32\\sdbinst.exe", "*-mm", "*-?", "*-m -bg") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: None identified references: [] @@ -35,38 +35,29 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ that possibly creates a shim db silently in host + $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Windows Persistence Techniques - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: A process $process_name$ that possible create a shim db silently in host - $dest$ mitre_attack_id: - T1546.011 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index d48a7ac1ff..898596df66 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -1,7 +1,7 @@ name: Short Lived Scheduled Task id: 6fa31414-546e-11ec-adfa-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: TTP 
@@ -42,6 +42,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A windows scheduled task was created and deleted in 30 seconds on $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement @@ -50,33 +57,17 @@ tags: - Compromised Windows Host - Scheduled Tasks asset_type: Endpoint - confidence: 90 - impact: 90 - message: A windows scheduled task was created and deleted in 30 seconds on $dest$ mitre_attack_id: - T1053.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - ComputerName - - Account_Name - - Task_Name - - Description - - Command - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml index 343a908605..528b8e0280 100644 --- a/detections/endpoint/short_lived_windows_accounts.yml +++ b/detections/endpoint/short_lived_windows_accounts.yml 
@@ -1,24 +1,36 @@ name: Short Lived Windows Accounts id: b25f6f62-0782-43c1-b403-083231ffd97d -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-11-22' author: David Dorsey, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame of 1 hour. It leverages the "Change" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage. +description: The following analytic detects the rapid creation and deletion of Windows + accounts within a short time frame of 1 hour. It leverages the "Change" data model + in Splunk, specifically monitoring events with result IDs 4720 (account creation) + and 4726 (account deletion). This behavior is significant as it may indicate an + attacker attempting to create and remove accounts quickly to evade detection or + gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized + access, privilege escalation, or further malicious actions within the environment. + Immediate investigation of flagged events is crucial to mitigate potential damage. 
data_source: - Windows Event Log System 4720 - Windows Event Log System 4726 -search: '| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=1h All_Changes.user All_Changes.dest All_Changes.Account_Management.src All_Changes.Account_Management.src_user -| `security_content_ctime(lastTime)` -| `security_content_ctime(firstTime)` -| `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Account_Management")` -| transaction user connected=false maxspan=60m -| eval create_result_id=mvindex(result_id, 0) | eval delete_result_id=mvindex(result_id, 1) | search create_result_id = 4720 delete_result_id=4726 -| table firstTime lastTime count user src src_user dest create_result_id delete_result_id -| `short_lived_windows_accounts_filter`' -how_to_implement: 'This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. We also recommend adjsuting the maxspan and _time parameter to better fit your environment.' -known_false_positives: It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised. 
+search: '| tstats `security_content_summariesonly` values(All_Changes.result_id) as + result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change + where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=1h + All_Changes.user All_Changes.dest All_Changes.Account_Management.src All_Changes.Account_Management.src_user + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")` + | `drop_dm_object_name("Account_Management")` | transaction user connected=false + maxspan=60m | eval create_result_id=mvindex(result_id, 0) | eval delete_result_id=mvindex(result_id, + 1) | search create_result_id = 4720 delete_result_id=4726 | table firstTime lastTime + count user src src_user dest create_result_id delete_result_id | `short_lived_windows_accounts_filter`' +how_to_implement: 'This search requires you to have enabled your Group Management + Audit Logs in your Local Windows Security Policy and be ingesting those logs. More + information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. + We also recommend adjsuting the maxspan and _time parameter to better fit your environment.' +known_false_positives: It is possible that an administrator created and deleted an + account in a short time period. Verifying activity with an administrator is advised. references: - https://www.youtube.com/watch?v=D4Cd-KK4ctk - https://attack.mitre.org/techniques/T1078/ 
@@ -27,52 +39,51 @@ drilldown_searches: search: '%original_detection_search% | search dest = "$dest$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user account $user$ is created and deleted within a short time period + on host $dest$ by user $src_user$ + risk_objects: + - field: dest + type: system + score: 63 + - field: src_user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Windows - confidence: 90 - impact: 70 - message: A user account $user$ is created and deleted within a short time period on host $dest$ by user $src_user$ mitre_attack_id: - T1136.001 - T1136 - T1078.003 - observable: - - name: dest - type: 
Hostname - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.result_id - - All_Changes.user - - All_Changes.dest - risk_score: 63 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - update_timestamp: true - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - update_timestamp: true - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml index 18d5461718..9c6c70c9c5 100644 --- a/detections/endpoint/silentcleanup_uac_bypass.yml +++ b/detections/endpoint/silentcleanup_uac_bypass.yml 
@@ -1,19 +1,45 @@ name: SilentCleanup UAC Bypass id: 56d7cfcc-da63-11eb-92d4-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious modifications to the registry that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes in the path "*\\Environment\\windir" with executable values. This activity is significant as it can allow an attacker to gain high-privilege execution without user consent, bypassing UAC protections. If confirmed malicious, this could lead to unauthorized administrative access, enabling further system compromise and persistence. +description: The following analytic detects suspicious modifications to the registry + that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup + task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on registry changes in the path "*\\Environment\\windir" with executable values. + This activity is significant as it can allow an attacker to gain high-privilege + execution without user consent, bypassing UAC protections. If confirmed malicious, + this could lead to unauthorized administrative access, enabling further system compromise + and persistence. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Environment\\windir" Registry.registry_value_data = "*.exe*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\Environment\\windir" Registry.registry_value_data + = "*.exe*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] + | fields firstTime lastTime dest user parent_process_name parent_process process_name + process_path process registry_key_name registry_path registry_value_name registry_value_data + process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/hfiref0x/UACME 
@@ -24,52 +50,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious modification of registry $registry_path$ with possible payload + path $registry_value_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - MoonPeak asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - 
Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index e46cc079b9..29bfc12c8d 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -1,7 +1,7 @@ name: Single Letter Process On Endpoint id: a4214f0b-e01c-41bc-8cc4-d2b71e3056b4 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: David Dorsey, Splunk status: production type: TTP 
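Review bot: in the silentcleanup_uac_bypass `rba` hunk `threat_objects: []` is left empty although the message names `$registry_path$` and `$registry_value_name$` as the indicators of the modification; if the `rba` schema offers registry threat object types (the hunks visible in this patch only use `process_name`, `process` and `file_name`), consider adding them, otherwise say why they are omitted so the next reviewer does not raise it again. The message wording change from `in $dest$` to `on $dest$` is fine.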
@@ -51,41 +51,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process $process_name$ with single letter on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - DHS Report TA18-074A - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: A suspicious process $process_name$ with single letter in host $dest$ mitre_attack_id: - T1204 - T1204.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.process - - Processes.process_name - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index 5fda1794b1..02cbd1a2ae 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -1,7 +1,7 @@ name: SLUI RunAs Elevated id: 8d124810-b3e4-11eb-96c7-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,46 +54,35 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A slui process $process_name$ with elevated commandline $process$ on host + $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: system + score: 63 + threat_objects: [] tags: analytic_story: - DarkSide Ransomware - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 90 - impact: 70 - message: A slui process $process_name$ with elevated commandline $process$ in host - $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index c8011308af..a9b5887f11 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml 
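Review bot: in the slui_runas_elevated `rba` hunk the second risk object is `- field: user` with `type: system`, which types a username as a host; the slui_spawning_a_process hunk later in this patch uses `type: user` for the same field, and this one should match. The removed `observable` block had the same mismatch (`name: user` with `type: Hostname`), so the migration carried the error forward instead of fixing it.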
@@ -1,7 +1,7 @@ name: SLUI Spawning a Process id: 879c4330-b3e0-11eb-b1b1-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -52,46 +52,35 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A slui process $parent_process_name$ spawning child process $process_name$ + on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - DarkSide Ransomware - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 90 - impact: 70 - message: A slui process $parent_process_name$ spawning child process $process_name$ - in host $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml index 0c4a0d86d3..2cdc1931a8 100644 --- a/detections/endpoint/spike_in_file_writes.yml 
+++ b/detections/endpoint/spike_in_file_writes.yml 
@@ -1,17 +1,42 @@ name: Spike in File Writes id: fdb0f805-74e4-4539-8c00-618927333aae -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network. +description: The following analytic detects a sharp increase in the number of files + written to a specific host. It leverages the Endpoint.Filesystem data model, focusing + on 'created' actions and comparing current file write counts against historical + averages and standard deviations. This activity is significant as a sudden spike + in file writes can indicate malicious activities such as ransomware encryption or + data exfiltration. If confirmed malicious, this behavior could lead to significant + data loss, system compromise, or further propagation of malware within the network. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`' -how_to_implement: In order to implement this search, you must populate the Endpoint file-system data model node. 
This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system. -known_false_positives: It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` + | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time + >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`' +how_to_implement: In order to implement this search, you must populate the Endpoint + file-system data model node. This is typically populated via endpoint detection + and response product, such as Carbon Black or endpoint data sources such as Sysmon. + The data used for this search is typically generated via logs that report reads + and writes to the file system. +known_false_positives: It is important to understand that if you happen to install + any new applications on your hosts or are copying a large number of files, you can + expect to see a large increase of file modifications. references: [] +rba: + message: Spike in File Writes observed on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - SamSam Ransomware 
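Review bot: the reflowed `how_to_implement` paragraph in the spike_in_file_writes hunk still reads "typically populated via endpoint detection and response product", missing an article; since the line is rewritten anyway, make it "via an endpoint detection and response product". Replacing the placeholder `message: tbd` with `Spike in File Writes observed on $dest$` is a real improvement, but the message could also include the hourly `count` the search already emits so the analyst sees the magnitude of the spike without opening the search.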
@@ -19,21 +44,8 @@ tags: - Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.action - - Filesystem.dest - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml index 720eaca612..04f2ce636b 100644 --- a/detections/endpoint/spoolsv_spawning_rundll32.yml +++ b/detections/endpoint/spoolsv_spawning_rundll32.yml @@ -1,7 +1,7 @@ name: Spoolsv Spawning Rundll32 id: 15d905f6-da6b-11eb-ab82-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP 
@@ -53,51 +53,35 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $parent_process_name$ has spawned $process_name$ on endpoint $dest$. This + behavior is suspicious and related to PrintNightmare. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - PrintNightmare CVE-2021-34527 - Compromised Windows Host asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - impact: 80 - message: $parent_process_name$ has spawned $process_name$ on endpoint $dest$. This - behavior is suspicious and related to PrintNightmare. mitre_attack_id: - T1547.012 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml index 04a49c2bdc..eda8f672d8 100644 --- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml 
+++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml 
@@ -1,15 +1,27 @@ name: Spoolsv Suspicious Loaded Modules id: a5e451f8-da81-11eb-b245-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk. +description: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, + potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode + 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 + spool drivers x64 directory. This activity is significant as it may signify an attacker + exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed + malicious, this could lead to unauthorized code execution, privilege escalation, + and persistent access within the environment, posing a severe security risk. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" + ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) + as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer + ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml 
@@ -19,41 +31,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ + on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - PrintNightmare CVE-2021-34527 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - impact: 80 - message: $Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. 
mitre_attack_id: - T1547.012 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - dest - - EventCode - - ImageLoaded - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml index 1a2becf8d9..a41111a7b1 100644 --- a/detections/endpoint/spoolsv_suspicious_process_access.yml +++ b/detections/endpoint/spoolsv_suspicious_process_access.yml 
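Review bot: in the spoolsv_suspicious_loaded_modules `rba` hunk `threat_objects: []` is empty even though the message identifies `$ImageLoaded$` as the driver that was loaded; the spoolsv_writing_a_dll___sysmon hunk in this same patch lists the written file as a `file_name` threat object, so for consistency consider adding the loaded module here as well (note that `ImageLoaded` is a full path, so check which type the schema expects before choosing `file_name`).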
@@ -1,15 +1,29 @@ name: Spoolsv Suspicious Process Access id: 799b606e-da81-11eb-93f8-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment. +description: The following analytic detects suspicious process access by spoolsv.exe, + potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). + It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical + system files or processes like rundll32.exe with elevated privileges. This activity + is significant as it may signal an attempt to gain unauthorized privilege escalation + on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated + privileges, leading to further system compromise, persistent access, or unauthorized + control over the affected environment. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe. +search: '`sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" + TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff | + stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage + TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with process access event where SourceImage, TargetImage, GrantedAccess and + CallTrace executions from your endpoints. If you are using Sysmon, you must have + at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe. known_false_positives: Unknown. Filter as needed. references: - https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818 
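Review bot: the version in the spoolsv_suspicious_process_access header hunk jumps from 4 to 6 while every other file in this patch increments by one; confirm a version 5 exists upstream or change it to 5. In the same hunk the reflowed `how_to_implement` sentence "ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints" is ungrammatical; suggest "ingesting process access events (Sysmon EventCode 10) that carry the SourceImage, TargetImage, GrantedAccess and CallTrace fields". The search line also carries `ProcessID|` with no space before the pipe, harmless to SPL but worth tidying while the line is being touched.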
@@ -22,49 +36,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint + $dest$. This behavior is suspicious and related to PrintNightmare. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: ProcessID + type: process + - field: TargetImage + type: process_name tags: analytic_story: - PrintNightmare CVE-2021-34527 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - impact: 80 - message: $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. 
mitre_attack_id: - T1068 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: ProcessID - type: Process - role: - - Attacker - - name: TargetImage - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - GrantedAccess - - CallTrace - - EventCode - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml index e6c8b3bc6c..e4665434d5 100644 --- a/detections/endpoint/spoolsv_writing_a_dll.yml +++ b/detections/endpoint/spoolsv_writing_a_dll.yml @@ -1,7 +1,7 @@ name: Spoolsv Writing a DLL id: d5bf5cf2-da71-11eb-92c2-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP 
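Review bot: in the spoolsv_suspicious_process_access `rba` hunk the first threat object is `- field: ProcessID` with `type: process`; `ProcessID` in this search is the numeric Sysmon process id from the access event, which is neither a command line nor a stable indicator, so a process-typed threat object built from it carries no useful value across hosts. The removed `observable` entry (`name: ProcessID`, `type: Process`) had the same problem. Consider dropping it and keeping `TargetImage` as `process_name`, or adding `SourceImage` in its place.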
@@ -51,48 +51,35 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ has been identified writing dll's to $file_path$ on endpoint + $dest$. This behavior is suspicious and related to PrintNightmare. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - PrintNightmare CVE-2021-34527 - Compromised Windows Host asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - impact: 80 - message: $process_name$ has been identified writing dll's to $file_path$ on endpoint - $dest$. This behavior is suspicious and related to PrintNightmare. mitre_attack_id: - T1547.012 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.file_path - - Processes.process_name - - Processes.process_id - - Processes.process_name - - Processes.dest - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml index 6b93ddcb2b..255480b538 100644 --- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml +++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml 
@@ -1,15 +1,28 @@ name: Spoolsv Writing a DLL - Sysmon id: 347fd388-da87-11eb-836d-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the `\spool\drivers\x64\` directory. This activity is significant because `spoolsv.exe` typically does not write DLL files, and such behavior could signify an ongoing attack. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system. +description: The following analytic detects `spoolsv.exe` writing a `.dll` file, which + is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 + (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation + events in the `\spool\drivers\x64\` directory. This activity is significant because + `spoolsv.exe` typically does not write DLL files, and such behavior could signify + an ongoing attack. If confirmed malicious, this could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence on the compromised + system. 
data_source: - Sysmon EventID 11 -search: '`sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +search: '`sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" + file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by + dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. known_false_positives: Limited false positives. Filter as needed. references: - https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818 
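Review bot: the `how_to_implement` paragraph reflowed in the spoolsv_writing_a_dll___sysmon hunk does not describe this analytic: it asks for "process name, parent process, and command-line executions" and ends with "Tune and filter known instances where renamed rundll32.exe may be used", while the search only consumes Sysmon EventID 11 file-create fields (`process_name`, `file_path`, `file_name`, `TargetFilename`) and never looks at rundll32. Since the text is being rewritten, replace it with the file-creation requirements and a filtering note about legitimate driver installs that write to `\spool\drivers\x64\`. Separately, this search filters on `EventID=11` while the other Sysmon searches in this patch use `EventCode` (`EventCode=7`, `EventCode=10`, `EventCode=11`); verify that both field names are extracted for the sourcetype behind the `sysmon` macro, otherwise this detection silently matches nothing.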
@@ -22,51 +35,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ has been identified writing dll's to $file_path$ on endpoint + $dest$. This behavior is suspicious and related to PrintNightmare. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: process_name + type: process_name + - field: file_name + type: file_name tags: analytic_story: - PrintNightmare CVE-2021-34527 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - impact: 80 - message: $process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. 
mitre_attack_id: - T1547.012 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - - name: file_name - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - UserID - - process_name - - file_path - - file_name - - TargetFilename - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index 8b1d0dcafc..abcf4b35d0 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml 
@@ -1,15 +1,28 @@ name: Sqlite Module In Temp Folder id: 0f216a38-f45f-11eb-b09c-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of sqlite3.dll files in the %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are written to the temporary directory. This activity is significant because it is associated with IcedID malware, which uses the sqlite3 module to parse browser databases and steal sensitive information such as banking details, credit card information, and credentials. If confirmed malicious, this behavior could lead to significant data theft and compromise of user accounts. +description: The following analytic detects the creation of sqlite3.dll files in the + %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are + written to the temporary directory. This activity is significant because it is associated + with IcedID malware, which uses the sqlite3 module to parse browser databases and + steal sensitive information such as banking details, credit card information, and + credentials. If confirmed malicious, this behavior could lead to significant data + theft and compromise of user accounts. data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename + = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") | stats count min(_time) as + firstTime max(_time) as lastTime by dest signature signature_id process_name file_name + file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `sqlite_module_in_temp_folder_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid 
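Review bot: in this sqlite_module_in_temp_folder hunk the `description` says the analytic "detects the creation of sqlite3.dll files in the %temp% folder", but the reflowed `search` only matches `TargetFilename = "*\\sqlite32.dll" OR TargetFilename = "*\\sqlite64.dll"`, so a plain `sqlite3.dll` drop would never fire. Either the description should name the two file names that are actually matched or the search should be widened to what the description promises; as with the previous file, `how_to_implement` asks for "parent process, and command-line executions" although the search is purely Sysmon EventCode 11. Minor: `process_guid|` is missing a space before the pipe.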
@@ -19,43 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process $process_name$ create a file $file_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - IcedID asset_type: Endpoint - confidence: 30 - impact: 30 - message: Process $process_name$ create a file $file_name$ in host $dest$ mitre_attack_id: - T1005 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - TargetFilename - - EventCode - - ProcessId - - Image - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml index a49f8ebc41..5e7d5d320b 100644 --- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml +++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml 
@@ -1,15 +1,36 @@ name: Steal or Forge Authentication Certificates Behavior Identified id: 87ac670e-bbfd-44ca-b566-44e9f835518d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Correlation data_source: [] -description: The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`' -how_to_implement: 
The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics. -known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed. +description: The following analytic identifies potential threats related to the theft + or forgery of authentication certificates. It detects when five or more analytics + from the Windows Certificate Services story trigger within a specified timeframe. + This detection leverages aggregated risk scores and event counts from the Risk data + model. This activity is significant as it may indicate an ongoing attack aimed at + compromising authentication mechanisms. If confirmed malicious, attackers could + gain unauthorized access to sensitive systems and data, potentially leading to severe + security breaches. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Windows + Certificate Services" All_Risk.risk_object_type="system" by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
| where + source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`' +how_to_implement: The Windows Certificate Services analytic story must have 5 or more + analytics enabled. In addition, ensure data is being logged that is required. Modify + the correlation as needed based on volume of noise related to the other analytics. +known_false_positives: False positives may be present based on automated tooling or + system administrators. Filter as needed. references: - https://research.splunk.com/stories/windows_certificate_services/ - https://attack.mitre.org/techniques/T1649/ @@ -19,7 +40,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
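Review bot: the `@@ -19,7 +40,12 @@` hunk of steal_or_forge_authentication_certificates_behavior_identified.yml ends at `latest_offset: $info_max_time$` / `tags:` without inserting an `rba:` block, while the following hunk removes `message: Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.` and `risk_score: 72` from `tags`. Every other detection touched in this change replaces those fields with an `rba:` block (message, risk_objects, score), so after this patch this `type: Correlation` search carries neither a risk message nor a score. If correlations are intentionally exempt under the new schema, say so in the PR description; otherwise add `rba:` with `message`, a `risk_object` of `field: risk_object`, `type: system`, `score: 72` to keep parity with the removed values.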
@@ -30,31 +56,17 @@ tags: - 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86 - 78b274f8-acb0-428b-b1f7-7b0d0e73330a - 7617f689-bbd8-44bc-adcd-6f8968897848 - confidence: 90 - impact: 80 - message: Steal or Forge Authentication Certificates Behavior Identified on $risk_object$. mitre_attack_id: - T1649 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log source: certs sourcetype: stash diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml index 62b7121d16..4a2fde1696 100644 --- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml +++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml 
@@ -1,41 +1,48 @@ name: Sunburst Correlation DLL and Network Event id: 701a8740-e8db-40df-9190-5516d3819787 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Patrick Bareiss, Splunk status: experimental type: TTP -description: The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems. +description: The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll + by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. + It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating + these events within a 12-14 day period. This activity is significant as it indicates + potential Sunburst malware infection, a known supply chain attack. If confirmed + malicious, this could lead to unauthorized network access, data exfiltration, and + further compromise of the affected systems. 
data_source: - Sysmon EventID 7 - Sysmon EventID 22 -search: (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` -how_to_implement: This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. +search: (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) + OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) + AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime + values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename + host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `sunburst_correlation_dll_and_network_event_filter` +how_to_implement: This detection relies on sysmon logs with the Event ID 7, Driver + loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll + is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. + We suggest to run this detection at least once a day over the last 14 days. 
known_false_positives: unknown references: - https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor +rba: + message: Possible Sunburst activity on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - NOBELIUM Group asset_type: Windows - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1203 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ImageLoaded - - QueryName - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml index 430ecf9f0f..04edcd2a70 100644 --- a/detections/endpoint/suspicious_computer_account_name_change.yml +++ b/detections/endpoint/suspicious_computer_account_name_change.yml @@ -1,7 +1,7 @@ name: Suspicious Computer Account Name Change id: 35a61ed8-61c4-11ec-bc1e-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Mauricio Velazco, Splunk status: production type: TTP 
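Review bot: the reflowed `how_to_implement` in the sunburst_correlation_dll_and_network_event.yml hunk describes Sysmon "Event ID 7, Driver loaded" and asks that the "DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured", which contradicts the `description` two fields above ("Sysmon EventID 7 for DLL loading") and the search itself (`EventCode=7 ImageLoaded=...`). Sysmon Event ID 7 is Image Loaded; Driver Loaded is Event ID 6. Suggest "This detection relies on Sysmon Event ID 7 (Image loaded). Tune your Sysmon config so that image loads of SolarWinds.Orion.Core.BusinessLayer.dll are captured" and fixing the garbled "Please tune your sysmon config that you DriverLoad event" sentence. Separately, the suspicious_computer_account_name_change.yml header hunk on this line moves `version` from `'5'` straight to `7` (other files in the change bump by exactly one) and to a different `date` (2024-12-10 vs 2024-11-13); confirm that is the intended result of a merge rather than a typo.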
@@ -40,48 +40,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A computer account $OldTargetUserName$ was renamed with a suspicious computer + name on $dest$ + risk_objects: + - field: dest + type: system + score: 70 + - field: OldTargetUserName + type: user + score: 70 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Compromised Windows Host - sAMAccountName Spoofing and Domain Controller Impersonation asset_type: Endpoint - confidence: 70 cve: - CVE-2021-42287 - CVE-2021-42278 - impact: 100 - message: A computer account $OldTargetUserName$ was renamed with a suspicious computer - name on $dest$ mitre_attack_id: - T1078 - T1078.002 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: OldTargetUserName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Computer - - Caller_User_Name - - OldTargetUserName - - NewTargetUserName - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index 2ff66ca28f..552376e126 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml 
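Review bot: the last line of this suspicious_computer_account_name_change.yml hunk removes `update_timestamp: true` from the True Positive Test, which is not part of the `rba`/`tags` schema migration the rest of the hunk performs. With that flag gone the replayed attack data keeps its original timestamps, so whether the test still passes depends on the detection's search window; either restore the line or note in the PR why it is no longer needed. The rest of the hunk is consistent: both `risk_objects` carry `score: 70`, matching the removed `risk_score: 70`.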
@@ -1,7 +1,7 @@ name: Suspicious Copy on System32 id: ce633e56-25b2-11ec-9e76-acde48001122 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -54,6 +54,16 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Execution of copy exe to copy file from $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Qakbot @@ -64,43 +74,18 @@ tags: - Unusual Processes - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: Execution of copy exe to copy file from $process$ in $dest$ mitre_attack_id: - T1036.003 - T1036 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index 0e42418e42..82b88a7252 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml 
@@ -1,53 +1,61 @@ name: Suspicious Curl Network Connection id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects the use of the curl command contacting suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command and Control (C2) activity or downloading further implants. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate the presence of MacOS adware or other malicious software attempting to establish persistence or exfiltrate data. If confirmed malicious, this could allow attackers to maintain control over the compromised system and deploy additional payloads. +description: The following analytic detects the use of the curl command contacting + suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command + and Control (C2) activity or downloading further implants. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs and command-line arguments. This activity is significant as it may indicate + the presence of MacOS adware or other malicious software attempting to establish + persistence or exfiltrate data. If confirmed malicious, this could allow attackers + to maintain control over the compromised system and deploy additional payloads. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl + Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `suspicious_curl_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ - https://www.marcosantadev.com/manage-plist-files-plistbuddy/ +rba: + message: Suspicious usage of curl on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Silver Sparrow - Ingress Tool Transfer - Linux Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index 7a22a358a1..2a3b40ce3e 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml 
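Review bot: in the suspicious_curl_network_connection.yml hunk the reflowed `search` keeps `Processes.process=s3.amazonaws.com`, which in a `tstats ... where` clause is an exact match on the whole command line and will only fire if the command line is literally that string; for the "curl contacting s3.amazonaws.com" behaviour the description promises it needs a wildcard, e.g. `Processes.process="*s3.amazonaws.com*"`. Also, the `data_source` list names only Windows sources (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2) while the description talks about MacOS adware and the stories include "Silver Sparrow" and "Linux Living Off The Land"; the data sources should reflect where `process_name=curl` is actually expected.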
@@ -1,18 +1,38 @@ name: Suspicious DLLHost no Command Line Arguments id: ff61e98c-0337-4593-a78f-72a676c56f26 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects instances of DLLHost.exe executing without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because DLLHost.exe typically requires arguments to function correctly, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized actions like credential dumping or file manipulation, posing a severe threat to the environment. +description: The following analytic detects instances of DLLHost.exe executing without + command line arguments. This behavior is unusual and often associated with malicious + activities, such as those performed by Cobalt Strike. The detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs. This activity is significant because DLLHost.exe typically requires arguments + to function correctly, and its absence may indicate an attempt to evade detection. + If confirmed malicious, this could lead to unauthorized actions like credential + dumping or file manipulation, posing a severe threat to the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | `suspicious_dllhost_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | regex process="(?i)(dllhost\.exe.{0,4}$)" | `suspicious_dllhost_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives may be present in small environments. + Tuning may be required based on parent process. references: - https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ 
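Review bot: the reflowed `search` in this suspicious_dllhost_no_command_line_arguments.yml hunk pipes into `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the `tstats` only computes `count ... by _time span=1h ...`, so `firstTime`/`lastTime` never exist and those macros operate on empty fields. Either add `min(_time) as firstTime max(_time) as lastTime` to the `tstats` aggregation (as the other searches in this change do) or drop the two macro calls. The `rba` block itself is fine: `score: 49` matches the removed `confidence: 70` / `impact: 70`.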
@@ -22,51 +42,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious dllhost.exe process with no command line arguments executed + on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - BlackByte Ransomware - Cobalt Strike - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 70 - impact: 70 - message: Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest 
- - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml index 7ef8927ae7..91196704e5 100644 --- a/detections/endpoint/suspicious_driver_loaded_path.yml +++ b/detections/endpoint/suspicious_driver_loaded_path.yml 
@@ -1,16 +1,30 @@ name: Suspicious Driver Loaded Path id: f880acd4-a8f1-11eb-a53b-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise. +description: The following analytic detects the loading of drivers from suspicious + paths, which is a technique often used by malicious software such as coin miners + (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard + directories. This activity is significant because legitimate drivers typically reside + in specific system directories, and deviations may indicate malicious activity. + If confirmed malicious, this could allow an attacker to execute code at the kernel + level, potentially leading to privilege escalation, persistence, or further system + compromise. 
data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Limited false positives will be present. Some applications do load drivers +search: '`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", + "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*")) | stats min(_time) as + firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature + Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the driver loaded and Signature from your endpoints. If you are using + Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Limited false positives will be present. Some applications + do load drivers references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ 
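Review bot: the first exclusion in the rewrapped `search` for suspicious_driver_loaded_path.yml, `"*\\WINDOWS\\inf"`, has no trailing `\\*`, so it only matches a value that ends in `\WINDOWS\inf`; combined with `ImageLoaded = "*.sys"` it can never match and is dead. If the intent is to exclude drivers under the INF directory, write it `"*\\WINDOWS\\inf\\*"` like the other two entries. Also worth a look while this line is open: `rename ImageLoaded as file_name` puts a full path into `file_name`, which in CIM holds the base name; `file_path` is the matching field.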
@@ -20,9 +34,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious driver $file_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - XMRig 
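Review bot: the new `threat_objects` entry in suspicious_driver_loaded_path.yml types the field as `file_name`, but the search fills that field from `ImageLoaded`, which is a full path, so the threat object (and `$file_name$` in `rba.message`) will carry a path rather than a file name. Either split the base name out before the rename or, if the schema has a path type, type it as a path. The `dest` score of 63 matches the removed `risk_score: 63`, so the risk output is unchanged.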
@@ -31,38 +59,18 @@ tags: - BlackByte Ransomware - Snake Keylogger asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious driver $file_name$ on $dest$ mitre_attack_id: - T1543.003 - T1543 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - ImageLoaded - - Hashes - - IMPHASH - - Signature - - Signed - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_event_log_service_behavior.yml b/detections/endpoint/suspicious_event_log_service_behavior.yml index 142a4c048c..bac4d7f013 100644 --- a/detections/endpoint/suspicious_event_log_service_behavior.yml +++ b/detections/endpoint/suspicious_event_log_service_behavior.yml 
@@ -1,16 +1,26 @@ name: Suspicious Event Log Service Behavior id: 2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the shutdown of the Windows Event Log service using Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior. +description: The following analytic detects the shutdown of the Windows Event Log + service using Windows Event ID 1100. This event is logged every time the service + stops, including during normal system shutdowns. Monitoring this activity is crucial + as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, + an attacker could hide their activities, making it difficult to trace their actions + and investigate further incidents. Analysts should verify if the shutdown was planned + and review other alerts and data sources for additional suspicious behavior. data_source: - Windows Event Log Security 1100 -search: (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter` -how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. 
-known_false_positives: It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed. +search: (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime + max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter` +how_to_implement: To successfully implement this search, you need to be ingesting + Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. +known_false_positives: It is possible the Event Logging service gets shut down due + to system errors or legitimately administration tasks. Filter as needed. references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100 - https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads @@ -22,30 +32,18 @@ tags: - Ransomware - Clop Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: The Windows Event Log Service shutdown on $dest$ mitre_attack_id: - T1070 - T1070.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - dest - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog 
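Review bot: `known_false_positives` in suspicious_event_log_service_behavior.yml still reads "legitimately administration tasks"; since the line is being rewrapped anyway, make it "legitimate administration tasks". The second hunk removes `confidence`, `impact`, `message` and `risk_score` without adding an `rba` block, unlike the other detections in this patch; that is consistent with `type: Hunting`, but a line in the PR description saying so would stop it being read as an omission.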
diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index 96b9cb8a66..9dd5badbbf 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml 
@@ -1,18 +1,38 @@ name: Suspicious GPUpdate no Command Line Arguments id: f308490a-473a-40ef-ae64-dd7a6eba284a -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of gpupdate.exe without any command line arguments. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute unauthorized commands or scripts, potentially leading to further system compromise or lateral movement within the network. +description: The following analytic detects the execution of gpupdate.exe without + any command line arguments. This behavior is identified using data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs. It is significant + because gpupdate.exe typically runs with specific arguments, and its execution without + them is often associated with malicious activities, such as those performed by Cobalt + Strike. If confirmed malicious, this activity could indicate an attempt to execute + unauthorized commands or scripts, potentially leading to further system compromise + or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)" | `suspicious_gpupdate_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | regex process="(?i)(gpupdate\.exe.{0,4}$)" | `suspicious_gpupdate_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives may be present in small environments. + Tuning may be required based on parent process. references: - https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ 
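Review bot: the rewrapped `search` for suspicious_gpupdate_no_command_line_arguments.yml calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but its `tstats` produces only `count`, so both macros operate on undefined fields. Add `min(_time) as firstTime max(_time) as lastTime` to the aggregation or remove the two macros; the regex and filter macro are unaffected.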
@@ -22,51 +42,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious gpupdate.exe process with no command line arguments executed + on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - BlackByte Ransomware - Cobalt Strike - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 70 - impact: 70 - message: Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - 
Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml index 08ce325284..f966afa7c3 100644 --- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml +++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml 
@@ -1,18 +1,38 @@ name: Suspicious IcedID Rundll32 Cmdline id: bed761f8-ee29-11eb-8bf3-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious `rundll32.exe` command line used to execute a DLL file, a technique associated with IcedID malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing the pattern `*/i:*`. This activity is significant as it indicates potential malware attempting to load an encrypted DLL payload, often named `license.dat`. If confirmed malicious, this could allow attackers to execute arbitrary code, leading to further system compromise and potential data exfiltration. +description: The following analytic detects a suspicious `rundll32.exe` command line + used to execute a DLL file, a technique associated with IcedID malware. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions containing the pattern `*/i:*`. This activity is significant as it indicates + potential malware attempting to load an encrypted DLL payload, often named `license.dat`. + If confirmed malicious, this could allow attackers to execute arbitrary code, leading + to further system compromise and potential data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: limitted. this parameter is not commonly used by windows application but can be used by the network operator. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* + by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process + Processes.process_id Processes.parent_process_id Processes.dest Processes.user | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `suspicious_icedid_rundll32_cmdline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: limitted. this parameter is not commonly used by windows application + but can be used by the network operator. references: - https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ drilldown_searches: 
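Review bot: `known_false_positives` in suspicious_icedid_rundll32_cmdline.yml keeps a typo and casing problems through the rewrap ("limitted", lowercase sentence start, "windows application"); fix the text while the line is being touched, e.g. "Limited. This parameter is not commonly used by Windows applications but can be used by the network operator." On the search, `Processes.process=*/i:*` is an unanchored glob that matches `/i:` anywhere in the command line, not only as a switch after `rundll32`; if that is broader than intended, note it in `known_false_positives` so the filter macro is tuned accordingly.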
@@ -21,51 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundll32 process $process_name$ with commandline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - IcedID - Living Off The Land asset_type: Endpoint - confidence: 80 - impact: 70 - message: rundll32 process $process_name$ with commandline $process$ in host $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - 
Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index 26dbf83691..101fd0c2cb 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml 
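Review bot: in the `rba` block for suspicious_icedid_rundll32_cmdline.yml, the `process_name` threat object will always be `rundll32.exe`, because the search is scoped by the `process_rundll32` macro, so it gives the analyst nothing to pivot on; the command line (`$process$`, already in the message and in the `by` clause) is the distinguishing artifact. If the schema supports a command-line threat object type, use that instead of `process_name`.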
@@ -1,15 +1,35 @@ name: Suspicious Image Creation In Appdata Folder id: f6f904c4-1ac0-11ec-806b-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of image files in the AppData folder by processes that also have a file reference in the same folder. It leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify this behavior. This activity is significant because it is commonly associated with malware, such as the Remcos RAT, which captures screenshots and stores them in the AppData folder before exfiltrating them to a command-and-control server. If confirmed malicious, this activity could indicate unauthorized data capture and exfiltration, compromising sensitive information and user privacy. +description: The following analytic detects the creation of image files in the AppData + folder by processes that also have a file reference in the same folder. It leverages + data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify + this behavior. This activity is significant because it is commonly associated with + malware, such as the Remcos RAT, which captures screenshots and stores them in the + AppData folder before exfiltrating them to a command-and-control server. If confirmed + malicious, this activity could indicate unauthorized data capture and exfiltration, + compromising sensitive information and user privacy. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.png","*.jpg","*.bmp","*.gif","*.tiff") Filesystem.file_path= "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" + by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest + Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as + proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count + min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.png","*.jpg","*.bmp","*.gif","*.tiff") Filesystem.file_path= + "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time + Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` + |rename process_guid as proc_guid | fields _time dest file_create_time file_name + file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: unknown references: - https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US 
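Review bot: in the rewrapped `search` for suspicious_image_creation_in_appdata_folder.yml, the subsearch computes `min(_time) as firstTime max(_time) as lastTime` and then drops both with the trailing `fields` list, so the aggregation is wasted; either add `firstTime lastTime` to `fields` or remove the min/max. The `fields` list also names `process_name process_path process`, which the Filesystem side never produces, so they are no-ops there. Separately, `join proc_guid, _time [...]` is bounded by subsearch result-count and runtime limits, so on a busy estate the Filesystem side is truncated silently; a single `stats by proc_guid _time` over both datasets would avoid that.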
@@ -20,45 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process $process_name$ creating image file $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Remcos asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process $process_name$ creating image file $file_path$ in $dest$ mitre_attack_id: - T1113 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - file_create_time - - file_name - - file_path - - process_name - - process_path - - process - risk_score: 49 security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml index 207c2423f6..b8c5f71cac 100644 --- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml +++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml 
@@ -1,16 +1,30 @@ name: Suspicious Kerberos Service Ticket Request id: 8b1297bc-6204-11ec-b7c4-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information. +description: The following analytic detects suspicious Kerberos Service Ticket (TGS) + requests where the requesting account name matches the service name, potentially + indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection + leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity + is significant as it may represent an adversary attempting to escalate privileges + by impersonating a domain controller. If confirmed malicious, this could allow an + attacker to take control of the domain controller, leading to complete domain compromise + and unauthorized access to sensitive information. 
data_source: - Windows Event Log Security 4769 -search: '`wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,"@"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed. +search: '`wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) + = lower(mvindex(split(TargetUserName,"@"),0)),1,0) | where isSuspicious = 1 | rename + Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, + ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: We have tested this detection logic with ~2 million 4769 events + and did not identify false positives. However, they may be possible in certain environments. + Filter as needed. references: - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278 
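Review bot: the rewritten `+how_to_implement` names the wrong audit subcategory. EventCode 4769 ("A Kerberos service ticket was requested"), which this search keys on, is generated under `Audit Kerberos Service Ticket Operations`; `Audit Kerberos Authentication Service` controls the TGT events (4768, 4771, 4772) and enabling it alone will not produce 4769. Suggest changing the line to `The Advanced Security Audit policy setting \`Audit Kerberos Service Ticket Operations\` within \`Account Logon\` needs to be enabled.` while the text is being touched.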
@@ -22,45 +36,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 60 + threat_objects: [] tags: analytic_story: - sAMAccountName Spoofing and Domain Controller Impersonation - Active Directory Kerberos Attacks - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 60 cve: - CVE-2021-42287 - CVE-2021-42278 - impact: 100 - message: A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$ mitre_attack_id: - T1078 - T1078.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Service_Name - - Account_Name 
- - Client_Address - - Failure_Code - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml index e608d0e559..4012c6fa6d 100644 --- a/detections/endpoint/suspicious_linux_discovery_commands.yml +++ b/detections/endpoint/suspicious_linux_discovery_commands.yml 
@@ -1,18 +1,41 @@ name: Suspicious Linux Discovery Commands id: 0edd5112-56c9-11ec-b990-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the execution of suspicious bash commands commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically looking for a high number of distinct commands executed within a short time frame. This activity is significant as it often precedes privilege escalation or other malicious actions. If confirmed malicious, an attacker could gain detailed system information, identify vulnerabilities, and potentially escalate privileges, posing a severe threat to the environment. +description: The following analytic detects the execution of suspicious bash commands + commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery + on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically + looking for a high number of distinct commands executed within a short time frame. + This activity is significant as it often precedes privilege escalation or other + malicious actions. If confirmed malicious, an attacker could gain detailed system + information, identify vulnerabilities, and potentially escalate privileges, posing + a severe threat to the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) + as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) + as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup + linux_tool_discovery_process | rename process as Processes.process |table Processes.process] + by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where + distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Unless an administrator is using these commands to troubleshoot + or audit a system, the execution of these commands should be monitored. references: - https://attack.mitre.org/matrices/enterprise/linux/ - https://attack.mitre.org/techniques/T1059/004/ 
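Review bot: the `+search` block does more than reflow: `inputlookup linux_tool_discovery_process.csv` becomes `inputlookup linux_tool_discovery_process`, and `inputlookup` resolves a bare name as a lookup definition rather than a CSV file, so the search now depends on a definition with exactly that name being shipped. Nothing in the hunk (including the `version: 4` bump) calls this out. Suggest confirming the lookup definition exists alongside the CSV and noting the behavioural change in the PR description so it is not mistaken for a formatting-only edit.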
@@ -25,38 +48,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious Linux Discovery Commands detected on $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Linux Post-Exploitation asset_type: Endpoint - confidence: 90 - impact: 90 - message: Suspicious Linux Discovery Commands detected on $dest$ mitre_attack_id: - T1059.004 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.user - - Processes.process_name - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml index e4a80bb382..31415533bd 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml 
@@ -1,18 +1,39 @@ name: Suspicious microsoft workflow compiler rename id: f0db4464-55d9-11eb-ae93-0242ac130002 -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the renaming of microsoft.workflow.compiler.exe, a rarely used executable typically located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names. This activity is significant because renaming this executable can indicate an attempt to evade security controls. If confirmed malicious, an attacker could use this renamed executable to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. +description: The following analytic detects the renaming of microsoft.workflow.compiler.exe, + a rarely used executable typically located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. + This detection leverages Endpoint Detection and Response (EDR) data, focusing on + process names and original file names. This activity is significant because renaming + this executable can indicate an attempt to evade security controls. If confirmed + malicious, an attacker could use this renamed executable to execute arbitrary code, + potentially leading to privilege escalation or persistent access within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe + AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.original_file_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `suspicious_microsoft_workflow_compiler_rename_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved + copy of microsoft.workflow.compiler.exe, triggering a false positive. references: - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution 
@@ -25,44 +46,19 @@ tags: - BlackByte Ransomware - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$ mitre_attack_id: - T1036 - T1127 - T1036.003 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml index 7af0cd38d9..18c7eafe0b 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml 
@@ -1,18 +1,38 @@ name: Suspicious microsoft workflow compiler usage id: 9bbc62e8-55d8-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system. +description: The following analytic identifies the usage of microsoft.workflow.compiler.exe, + a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution telemetry. The significance of this activity lies + in its uncommon usage, which may indicate malicious intent such as code execution + or persistence mechanisms. If confirmed malicious, an attacker could leverage this + process to execute arbitrary code, potentially leading to unauthorized access or + further compromise of the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` + by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name + Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, limited instances have been identified coming + from native Microsoft utilities similar to SCCM. references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution 
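Review bot: the first entry under `references:` (`https://lolbas-project.github.io/lolbas/Binaries/Msbuild/`) is the LOLBAS page for MSBuild, but this detection is about microsoft.workflow.compiler.exe; the sibling rename detection earlier in this patch references `https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/`, which is the link that belongs here. Suggest swapping it while the adjacent lines are being rewritten.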
@@ -22,50 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Trusted Developer Utilities Proxy Execution - Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 70 - message: Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$ mitre_attack_id: - T1127 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - 
Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index 200b63cf90..1ee9e409d7 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml 
@@ -1,18 +1,40 @@ name: Suspicious msbuild path id: f5198224-551c-11eb-ae93-0242ac130002 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of msbuild.exe from a non-standard path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that deviate from typical msbuild.exe locations. This activity is significant because msbuild.exe is commonly abused by attackers to execute malicious code, and running it from an unusual path can indicate an attempt to evade detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities. +description: The following analytic detects the execution of msbuild.exe from a non-standard + path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that deviate from typical msbuild.exe locations. This + activity is significant because msbuild.exe is commonly abused by attackers to execute + malicious code, and running it from an unusual path can indicate an attempt to evade + detection. If confirmed malicious, this behavior could allow an attacker to execute + arbitrary code, potentially leading to system compromise and further malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\framework*\\v*\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\framework*\\v*\\*) + by Processes.dest Processes.original_file_name Processes.parent_process Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `suspicious_msbuild_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legitimate applications may use a moved copy of msbuild.exe, + triggering a false positive. Baselining of MSBuild.exe usage is recommended to better + understand it's path usage. Visual Studio runs an instance out of a path that will + need to be filtered on. references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md 
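Review bot: the reflowed `known_false_positives` in suspicious_msbuild_path.yml still carries the typo "it's path usage"; since this hunk rewrites that line anyway, change it to `understand its path usage`. In the same hunk, the search only excludes `*\\framework*\\v*\\*`, while the false-positive text says Visual Studio runs msbuild.exe from another path that "will need to be filtered on"; either add that exclusion to the `where` clause or state in `how_to_implement` that `suspicious_msbuild_path_filter` is where it belongs.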
@@ -22,9 +44,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Trusted Developer Utilities Proxy Execution MSBuild 
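Review bot: the new `rba.message` in suspicious_msbuild_path.yml copies the typo "execyted" from the old `tags.message`; since the message is being moved into a new block, fix it here: `message: Msbuild.exe ran from an uncommon path on $dest$ executed by $user$`. The scores check out: 49 on both risk objects equals the `risk_score: 49` removed in the following hunk (70 x 70 / 100).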
@@ -34,46 +71,20 @@ tags: - BlackByte Ransomware - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 70 - impact: 70 - message: Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$ mitre_attack_id: - T1036 - T1127 - T1036.003 - T1127.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml index aa285cf61f..438fcdeb92 100644 --- a/detections/endpoint/suspicious_msbuild_rename.yml +++ b/detections/endpoint/suspicious_msbuild_rename.yml 
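Review bot: this hunk drops `update_timestamp: true` from the True Positive Test in suspicious_msbuild_path.yml along with the legacy risk fields; confirm the removal is intended and that the test framework no longer needs it for replayed data. The same line is removed from the other detections in this patch but the suspicious_mshta_spawn.yml test hunk shows no such removal, so check whether that file simply never had the key. `required_fields` is removed entirely rather than trimmed; that is fine if the newer contentctl derives it from the search, but the PR description should say so.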
@@ -1,18 +1,39 @@ name: Suspicious MSBuild Rename id: 4006adac-5937-11eb-ae93-0242ac130002 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic detects the execution of renamed instances of + msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and original file names within the Endpoint data model. + This activity is significant because msbuild.exe is a legitimate tool often abused + by attackers to execute malicious code while evading detection. If confirmed malicious, + this behavior could allow an attacker to execute arbitrary code, potentially leading + to system compromise, data exfiltration, or further lateral movement within the + network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe + AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved + copy of msbuild, triggering a false positive. references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md 
@@ -26,46 +47,20 @@ tags: - BlackByte Ransomware - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious renamed msbuild.exe binary ran on $dest$ by $user$ mitre_attack_id: - T1036 - T1127 - T1036.003 - T1127.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index 7571102809..1c23444d24 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml 
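Review bot: this hunk removes `risk_score: 63`, `confidence`, `impact`, `message` and the `observable` block from suspicious_msbuild_rename.yml without adding an `rba` block, unlike the TTP detections in this patch. That is consistent with `type: Hunting` (a hunting search does not produce risk events), but the message "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$" is silently lost; if the conversion intends Hunting detections to carry no `rba`, state that in the PR description so reviewers of later batches know it is deliberate.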
@@ -1,18 +1,39 @@ name: Suspicious MSBuild Spawn id: a115fba6-5514-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies instances where wmiprvse.exe spawns msbuild.exe, which is unusual and indicative of potential misuse of a COM object. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant because msbuild.exe is typically spawned by devenv.exe during legitimate Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could indicate an attacker executing arbitrary code or scripts, potentially leading to system compromise or further malicious activities. +description: The following analytic identifies instances where wmiprvse.exe spawns + msbuild.exe, which is unusual and indicative of potential misuse of a COM object. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process relationships and command-line executions. This activity is + significant because msbuild.exe is typically spawned by devenv.exe during legitimate + Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could + indicate an attacker executing arbitrary code or scripts, potentially leading to + system compromise or further malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe + AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may exhibit + this behavior, triggering a false positive. references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md 
@@ -22,52 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious msbuild.exe process executed on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - Trusted Developer Utilities Proxy Execution MSBuild - Living Off The Land asset_type: Endpoint - confidence: 60 - impact: 70 - message: Suspicious msbuild.exe process executed on $dest$ by $user$ mitre_attack_id: - T1127 - T1127.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - 
Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index 80cdfb1221..55035b8d46 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml 
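Review bot: `threat_objects: []` in the new `rba` block for suspicious_msbuild_spawn.yml leaves the risk event with no process attached, even though the search already emits `process_name` via `values(Processes.process_name) as process_name`; consider the same threat object that suspicious_mshta_child_process.yml gets in this patch (`- field: process_name` / `type: process_name`). Scores are consistent: 42 on both objects equals the removed `risk_score: 42` (60 x 70 / 100).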
@@ -1,18 +1,43 @@ name: Suspicious mshta child process id: 60023bb6-5500-11eb-ae93-0242ac130002 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies child processes spawned from "mshta.exe". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like "powershell.exe" and "cmd.exe". This activity is significant because "mshta.exe" is often exploited by attackers to execute malicious scripts or commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Monitoring this activity helps in early detection of potential threats leveraging "mshta.exe" for malicious purposes. +description: The following analytic identifies child processes spawned from "mshta.exe". + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + specific child processes like "powershell.exe" and "cmd.exe". This activity is significant + because "mshta.exe" is often exploited by attackers to execute malicious scripts + or commands. If confirmed malicious, this behavior could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence within the environment. + Monitoring this activity helps in early detection of potential threats leveraging + "mshta.exe" for malicious purposes. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe + AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe + OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe + OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe + OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe + OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `suspicious_mshta_child_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may exhibit + this behavior, triggering a false positive. references: - https://github.com/redcanaryco/AtomicTestHarnesses - https://redcanary.com/blog/introducing-atomictestharnesses/ 
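Review bot: the reflowed search in suspicious_mshta_child_process.yml keeps a duplicated term: `Processes.process_name=powershell.exe` appears twice in the OR list (second position and again just before `cmd.exe`). It does not change results, but since this hunk rewrites the whole search, drop the repeat; an `IN (...)` list would also make the clause easier to audit for duplicates.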
@@ -22,52 +47,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: suspicious mshta child process detected on host $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious MSHTA Activity - Living Off The Land - Lumma Stealer asset_type: Endpoint - confidence: 80 - impact: 50 - message: suspicious mshta child process detected on host $dest$ by user $user$. 
mitre_attack_id: - T1218 - T1218.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.dest - - Processes.parent_process - - Processes.user - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml index 37b7c1ad33..95a3c39c82 100644 --- a/detections/endpoint/suspicious_mshta_spawn.yml +++ b/detections/endpoint/suspicious_mshta_spawn.yml 
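Review bot: the new `rba.message` for suspicious_mshta_child_process.yml, "suspicious mshta child process detected on host $dest$ by user $user$.", starts lowercase and ends with a period, unlike the other messages moved in this patch; normalize it to `Suspicious mshta child process detected on host $dest$ by user $user$`. The `process_name` threat object is valid here because the search emits that field via `values(Processes.process_name) as process_name`, and the score of 40 matches the removed `risk_score: 40` (80 x 50 / 100).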
@@ -1,18 +1,39 @@ name: Suspicious mshta spawn id: 4d33a488-5b5f-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities. +description: The following analytic detects the spawning of mshta.exe by wmiprvse.exe + or svchost.exe. This behavior is identified using Endpoint Detection and Response + (EDR) data, focusing on process creation events where the parent process is either + wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the + use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic + in sophisticated attacks. If confirmed malicious, this could allow an attacker to + execute arbitrary code, potentially leading to system compromise and further malicious + activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe + OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest + Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may exhibit + this behavior, triggering a false positive. references: - https://codewhitesec.blogspot.com/2018/07/lethalhta.html - https://github.com/redcanaryco/AtomicTestHarnesses 
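Review bot: missing space before the pipe in the reflowed search in suspicious_mshta_spawn.yml: `Processes.original_file_name| \`drop_dm_object_name(Processes)\``. SPL tolerates it, but every other search in this patch has the space; fix it while the line is being rewritten.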
@@ -23,47 +44,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: mshta.exe spawned by wmiprvse.exe on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Suspicious MSHTA Activity - Living Off The Land asset_type: Endpoint - confidence: 60 - impact: 70 - message: mshta.exe spawned by wmiprvse.exe on $dest$ mitre_attack_id: - T1218 - T1218.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml index 7584612055..76c97f45ec 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage.yml 
@@ -1,51 +1,61 @@ name: Suspicious PlistBuddy Usage id: c3194009-e0eb-4f84-87a9-4070f8688f00 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system. +description: The following analytic identifies the use of the native macOS utility, + PlistBuddy, to create or modify property list (.plist) files. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions involving PlistBuddy. This activity is significant because + PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen + in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker + to maintain persistence, execute arbitrary commands, and potentially escalate privileges + on the compromised macOS system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy + (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legitimate applications may use PlistBuddy to create or + modify property lists and possibly generate false positives. Review the property + list being modified or created to confirm. 
references: - https://www.marcosantadev.com/manage-plist-files-plistbuddy/ +rba: + message: Suspicious usage of plistbuddy on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Silver Sparrow asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1543.001 - T1543 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml index b236e4924a..6bb4e11150 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml 
@@ -1,38 +1,45 @@ name: Suspicious PlistBuddy Usage via OSquery id: 20ba6c32-c733-4a32-b64e-2688cf231399 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system. +description: The following analytic detects the use of the PlistBuddy utility on macOS + to create or modify property list (.plist) files. It leverages OSQuery to monitor + process events, specifically looking for commands that interact with LaunchAgents + and set properties like RunAtLoad. This activity is significant because PlistBuddy + can be used to establish persistence mechanisms, as seen in malware like Silver + Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, + execute arbitrary commands, and potentially escalate privileges on the compromised + system. data_source: [] -search: '`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter`' -how_to_implement: OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct. 
-known_false_positives: Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. +search: '`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" + OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter`' +how_to_implement: OSQuery must be installed and configured to pick up process events + (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. + Modify the macro and validate fields are correct. +known_false_positives: Some legitimate applications may use PlistBuddy to create or + modify property lists and possibly generate false positives. Review the property + list being modified or created to confirm. references: - https://www.marcosantadev.com/manage-plist-files-plistbuddy/ +rba: + message: Suspicious usage of plistbuddy on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Silver Sparrow asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1543.001 - T1543 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - columns.cmdline - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml index d6988d8033..1bce9c0f7d 100644 --- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml 
@@ -1,16 +1,31 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: 7 -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host. +description: The following analytic detects a suspicious process making DNS queries + to known, abused text-paste web services, VoIP, instant messaging, and digital distribution + platforms. It leverages Sysmon EventID 22 logs to identify queries from processes + like cmd.exe, powershell.exe, and others. This activity is significant as it may + indicate an attempt to download malicious files, a common initial access technique. + If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, + or further compromise of the target host. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`' -how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -known_false_positives: Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. +search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") + process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") + OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", + "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) + as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | + rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `suspicious_process_dns_query_known_abuse_web_services_filter`' +how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. + We suggest you run this detection at least once a day over the last 14 days. +known_false_positives: Noise and false positive can be seen if the following instant + messaging is allowed to use within corporate network. In this case, a filter is + needed. 
references: - https://urlhaus.abuse.ch/url/1798923/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ @@ -20,9 +35,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious process $process_name$ made a DNS query for $QueryName$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Data Destruction 
@@ -33,38 +62,18 @@ tags: - PXA Stealer - Meduza Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ mitre_attack_id: - T1059.005 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - QueryName - - QueryStatus - - process_name - - QueryResults - - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index 9df0d6caa8..61d0e8d0ad 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml 
@@ -1,17 +1,37 @@ name: Suspicious Process Executed From Container File id: d8120352-3b62-411c-8cb6-7b47584dd5e8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk. +description: The following analytic identifies a suspicious process executed from + within common container/archive file types such as ZIP, ISO, IMG, and others. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line executions. This activity is significant as it is a common + technique used by adversaries to execute scripts or evade defenses. If confirmed + malicious, this behavior could allow attackers to execute arbitrary code, escalate + privileges, or persist within the environment, posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" | rex field=process "(?i).+\\\\(?[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") + AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process + Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" + | rex field=process "(?i).+\\\\(?[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Various business process or userland applications and behavior. 
references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations @@ -23,9 +43,26 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process $process_name$ was launched from $file_name$ on $dest$. + risk_objects: + - field: dest + type: system + score: 16 + - field: user + type: user + score: 16 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Unusual Processes 
@@ -33,40 +70,18 @@ tags: - Remcos - Snake Keylogger asset_type: Endpoint - confidence: 20 - impact: 80 - message: A suspicious process $process_name$ was launched from $file_name$ on $dest$. mitre_attack_id: - T1204.002 - T1036.008 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.parent_process - - Processes.process - - Processes.user - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 061285ff6d..1d636ec76c 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml 
@@ -1,18 +1,41 @@ name: Suspicious Process File Path id: 9be25988-ad82-11eb-a14f-acde48001122 -version: 5 -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment. +description: The following analytic identifies processes running from file paths not + typically associated with legitimate software. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific process paths within the Endpoint + data model. This activity is significant because adversaries often use unconventional + file paths to execute malicious code without requiring administrative privileges. + If confirmed malicious, this behavior could indicate an attempt to bypass security + controls, leading to unauthorized software execution, potential system compromise, + and further malicious activities within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\windows\\fonts\\*" OR Processes.process_path = "*\\windows\\temp\\*" OR Processes.process_path = "*\\users\\public\\*" OR Processes.process_path = "*\\windows\\debug\\*" OR Processes.process_path = "*\\Users\\Administrator\\Music\\*" OR Processes.process_path = "*\\Windows\\servicing\\*" OR Processes.process_path = "*\\Users\\Default\\*" OR Processes.process_path = "*Recycle.bin*" OR Processes.process_path = "*\\Windows\\Media\\*" OR Processes.process_path = "\\Windows\\repair\\*" OR Processes.process_path = "*\\temp\\*" OR Processes.process_path = "*\\PerfLogs\\*" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_path IN("*\\windows\\fonts\\*", + "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", + "*\\temp\\*" , "*\\PerfLogs\\*","*\\windows\\tasks\\*", "*:\\programdata\\*") by + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_path Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may allow execution of specific binaries in + non-standard paths. Filter as needed. references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ 
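Review bot: In the rewritten `search` of detections/endpoint/suspicious_process_file_path.yml, the entry `"\\Windows\\repair\\*"` is still the only pattern in the `IN(...)` list without a leading `*`, so it can only match a `process_path` that literally begins with `\Windows\repair\` and will never match `C:\Windows\repair\...`; change it to `"*\\Windows\\repair\\*"` while this hunk is open. Since this version bump also adds `"*\\windows\\tasks\\*"` and `"*:\\programdata\\*"` and drops `values(Processes.process) as process` from the stats, `description` or `known_false_positives` should mention the new paths, as `programdata` is a common location for legitimate installers and updaters.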
@@ -25,78 +48,73 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious process $process_name$ running from a suspicious process path- + $process_path$ on host- $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: + - field: process_path + type: process_name tags: analytic_story: + - Volt Typhoon + - LockBit Ransomware + - Data Destruction + - XMRig + - DarkGate Malware + - Chaos Ransomware - Double Zero Destructor + - Hermetic Wiper + - Warzone RAT + - Phemedrone Stealer + - Prestige Ransomware - Graceful Wipe Out Attack + - BlackByte Ransomware + - IcedID + - Handala Wiper + - Meduza Stealer + - CISA AA23-347A - AsyncRAT - - WhisperGate - - Prestige Ransomware - - DarkGate Malware - - AgentTesla - - Brute Ratel C4 - - RedLine Stealer + - Amadey + - Industroyer2 + 
- ValleyRAT - Rhysida Ransomware - - Swift Slicer - - IcedID - DarkCrystal RAT - - Chaos Ransomware - - PlugX - - Industroyer2 + - Crypto Stealer - Azorult - - Remcos - - XMRig + - Swift Slicer + - AgentTesla - Qakbot - - Volt Typhoon - - Hermetic Wiper - - Warzone RAT + - Remcos - Trickbot - - Amadey - - BlackByte Ransomware - - LockBit Ransomware - - CISA AA23-347A - - Data Destruction - - Phemedrone Stealer - - Handala Wiper + - Brute Ratel C4 + - RedLine Stealer + - PlugX - MoonPeak - - ValleyRAT - - Meduza Stealer + - WhisperGate asset_type: Endpoint - confidence: 50 - impact: 70 - message: Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$ mitre_attack_id: - T1543 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_path - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_path - - Processes.dest - - Processes.user - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml index 98ef138882..29366f73c9 100644 --- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml +++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml 
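Review bot: in the new `rba.threat_objects` block, `field: process_path` is typed `process_name`, but the field carries a directory path rather than an image name (the message itself reads `suspicious process path- $process_path$`). If the contentctl schema offers no path-oriented threat object type, keep `process_name` but make sure downstream correlation does not treat the value as an executable name; otherwise use the path type. Dropping the duplicated `- ValleyRAT` entry from `analytic_story` is correct, although reordering the whole list in the same change makes the story diff hard to review.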
@@ -1,16 +1,28 @@ name: Suspicious Process With Discord DNS Query id: 4d4332ae-792c-11ec-89c1-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-22' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Anomaly -description: The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing "discord" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system. +description: The following analytic identifies a process making a DNS query to Discord, + excluding legitimate Discord application paths. It leverages Sysmon logs with Event + ID 22 to detect DNS queries containing "discord" in the QueryName field. This activity + is significant because Discord can be abused by adversaries to host and download + malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this + could indicate malware attempting to download additional payloads from Discord, + potentially leading to further code execution and compromise of the affected system. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*" AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`' +search: '`sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*" + AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time) + as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name + QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`' how_to_implement: his detection relies on sysmon logs with the Event ID 22, DNS Query. -known_false_positives: Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. +known_false_positives: Noise and false positive can be seen if the following instant + messaging is allowed to use within corporate network. In this case, a filter is + needed. references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 
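Review bot: the exclusion `Image != "discord.exe"` in the `search:` compares Sysmon's full image path against a bare filename and therefore never excludes anything; the by-clause already carries `process_name`, so the intended check is `process_name != "discord.exe"` (or `Image != "*\\discord.exe"`). While the neighbouring fields are being reflowed, the unchanged `how_to_implement: his detection relies on sysmon logs with the Event ID 22, DNS Query.` should become `This detection relies on Sysmon logs with Event ID 22 (DNS query).`, and `known_false_positives` reads better as `Noise and false positives can be expected if Discord is allowed on the corporate network; in that case add a filter for the permitted client paths.`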
@@ -21,47 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Data Destruction - WhisperGate - PXA Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ mitre_attack_id: - T1059.005 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - QueryName - - QueryStatus - - process_name - - QueryResults 
- - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml index f9111c32ce..0add6178bb 100644 --- a/detections/endpoint/suspicious_reg_exe_process.yml +++ b/detections/endpoint/suspicious_reg_exe_process.yml 
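Review bot: the new `rba.message` starts lowercase (`suspicious process $process_name$ has a dns query in $QueryName$ on $dest$`) while the other rba messages in this patch are capitalised sentences; suggest `Suspicious process $process_name$ issued a DNS query for $QueryName$ on $dest$`. The `score: 64` matches the removed `confidence: 80` / `impact: 80` pair and the old `risk_score: 64`, so the risk weighting itself is unchanged.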
@@ -1,18 +1,45 @@ name: Suspicious Reg exe Process id: a6b3ab4e-dd77-4213-95fa-fc94701995e0 -version: 7 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: Anomaly -description: The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access. +description: The following analytic identifies instances of reg.exe being launched + from a command prompt (cmd.exe) that was not initiated by the user, as indicated + by a parent process other than explorer.exe. This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process and parent process + names. This activity is significant because reg.exe is often used in registry manipulation, + which can be indicative of malicious behavior such as persistence mechanisms or + system configuration changes. If confirmed malicious, this could allow an attacker + to modify critical system settings, potentially leading to privilege escalation + or persistent access. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name + != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name + Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id + Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup + process_id| table process_id dest] | `suspicious_reg_exe_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It's possible for system administrators to write scripts that + exhibit this behavior. If this is the case, the search will need to be modified + to filter them out. references: - https://car.mitre.org/wiki/CAR-2013-03-001/ drilldown_searches: 
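Review bot: the subsearch inside `search:` applies `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` even though its inner tstats aggregates only `count` and never produces those fields; since the subsearch returns nothing but `process_id dest`, drop both macro calls instead of carrying the dead pipeline stages through the reflow. Separately, `version` jumps from 7 to 9 in a single change while `date` moves to 2024-11-13; unless an intermediate revision was folded in, 8 is the expected value.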
@@ -21,55 +48,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to add a registry entry. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Defense Evasion Tactics - Disabling Security Tools - DHS Report TA18-074A asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry. 
mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.process_name - - Processes.user - - Processes.parent_process_name - - Processes.dest - - Processes.process_id - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 26de11f9ea..1167ae4fa3 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml 
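Review bot: `rba.message` states the process was `attempting to add a registry entry`, but the search matches any `reg.exe` spawned by a non-explorer `cmd.exe` regardless of verb (query, delete, export, save), so the message overstates what was observed. `An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.` is accurate for every hit, and the analyst can read the verb from the process command line.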
@@ -1,18 +1,40 @@ name: Suspicious Regsvr32 Register Suspicious Path id: 62732736-6250-11eb-ae93-0242ac130002 -version: 6 -date: '2024-09-30' +version: 11 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of Regsvr32.exe to register DLLs from suspicious paths such as AppData, ProgramData, or Windows Temp directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing traditional security controls. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic detects the use of Regsvr32.exe to register DLLs + from suspicious paths such as AppData, ProgramData, or Windows Temp directories. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs and command-line arguments. This activity is significant + because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing + traditional security controls. If confirmed malicious, this could allow an attacker + to execute arbitrary code, potentially leading to system compromise, data exfiltration, + or further lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process + IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process + IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.original_file_name + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives with the query restricted to specified + paths. Add more world writeable paths as tuning continues. references: - https://attack.mitre.org/techniques/T1218/010/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md 
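Review bot: `description` says the analytic detects Regsvr32 registering DLLs from AppData, ProgramData or Windows\Temp, but the `search:` explicitly excludes command lines containing `.dll`, `.ax` and `.ocx` (`NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*"))`), so what it actually flags is regsvr32 loading a file with a non-standard extension from those paths, which is what the rba message below says. Align the description with the search. Also `version` goes from 6 to 11 and `date` to 2025-01-27 while every other file in this patch is dated November 2024; confirm the jump reflects revisions already on the target branch rather than a merge mistake.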
@@ -25,57 +47,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard + file extension. 
+ risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: + - Qakbot + - Earth Estries - Suspicious Regsvr32 Activity - IcedID + - Derusbi + - Nexus APT Threat Activity - Living Off The Land - - Qakbot asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension. mitre_attack_id: - T1218 - T1218.010 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index 6bb090a30a..6443c7a1f4 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml 
@@ -1,18 +1,39 @@ name: Suspicious Rundll32 dllregisterserver id: 8c00a385-9b86-4ac0-8932-c9ec3713b159 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of rundll32.exe with the DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to register a malicious DLL, which can be a method for code execution or persistence. If confirmed malicious, an attacker could gain unauthorized code execution, escalate privileges, or maintain persistence within the environment, posing a severe security risk. +description: The following analytic detects the execution of rundll32.exe with the + DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process details. + This activity is significant as it may indicate an attempt to register a malicious + DLL, which can be a method for code execution or persistence. If confirmed malicious, + an attacker could gain unauthorized code execution, escalate privileges, or maintain + persistence within the environment, posing a severe security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This is likely to produce false positives and will require + some filtering. Tune the query by adding command line paths to known good DLLs, + or filtering based on parent process names. references: - https://attack.mitre.org/techniques/T1218/011/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md 
@@ -27,60 +48,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to register a DLL. code + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Suspicious Rundll32 Activity - Living Off The Land - IcedID asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. 
code mitre_attack_id: - T1218 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index c664963261..519b5bc050 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml 
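Review bot: the new `rba.message` ends with a stray token: `attempting to register a DLL. code`. The removed lines show the same word sitting on its own continuation line after the old `message:` (`register a DLL.` followed by `code`), so this is a pre-existing artefact that the migration to `rba` copied verbatim; end the message at `register a DLL.`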
@@ -1,18 +1,38 @@ name: Suspicious Rundll32 no Command Line Arguments id: e451bd16-e4c5-4109-8eb1-c4c6ecf048b4 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of rundll32.exe without any command line arguments. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions. +description: The following analytic detects the execution of rundll32.exe without + any command line arguments. This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on process execution logs. It is significant + because rundll32.exe typically requires command line arguments to function properly, + and its absence is often associated with malicious activities, such as those performed + by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt + to execute arbitrary code, potentially leading to credential dumping, unauthorized + file writes, or other malicious actions. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved + copy of rundll32, triggering a false positive. references: - https://attack.mitre.org/techniques/T1218/011/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md 
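Review bot: the reflowed search in this hunk still applies `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` to fields the `tstats` never produces, because the only aggregation is `count` (`| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h ...`). Either add `min(_time) as firstTime max(_time) as lastTime` to the tstats, as the PluginInit and StartW searches in this same patch do, or remove the two macro calls; since the line is being rewritten anyway, this is the cheapest point to fix it.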
@@ -24,9 +44,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious rundll32.exe process with no command line arguments executed + on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Suspicious Rundll32 Activity 
@@ -35,45 +71,20 @@ tags: - PrintNightmare CVE-2021-34527 - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 70 cve: - CVE-2021-34527 - impact: 70 - message: Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml index ca8308219a..ab0d1c31be 100644 --- a/detections/endpoint/suspicious_rundll32_plugininit.yml +++ b/detections/endpoint/suspicious_rundll32_plugininit.yml 
@@ -1,18 +1,38 @@ name: Suspicious Rundll32 PluginInit id: 92d51712-ee29-11eb-b1ae-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies the execution of the rundll32.exe process with the "plugininit" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the "plugininit" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise. +description: The following analytic identifies the execution of the rundll32.exe process + with the "plugininit" parameter. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events and command-line + arguments. This activity is significant because the "plugininit" parameter is commonly + associated with IcedID malware, which uses it to execute an initial DLL stager to + download additional payloads. If confirmed malicious, this behavior could lead to + further malware infections, data exfiltration, or complete system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: third party application may used this dll export name to execute function. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* + by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name + Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: third party application may used this dll export name to execute + function. references: - https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ drilldown_searches: 
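Review bot: the reflowed `known_false_positives` text still reads `third party application may used this dll export name to execute function.`; since the line is being rewritten, correct it to `Third-party applications may use this DLL export name to execute a function.` so the rendered detection page does not carry the error forward.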
@@ -21,50 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundll32 process $process_name$ with commandline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - IcedID asset_type: Endpoint - confidence: 70 - impact: 60 - message: rundll32 process $process_name$ with commandline $process$ in host $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - 
Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 826c9fbeb8..2c39e6dec8 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml 
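Review bot: the `rba` block for Suspicious Rundll32 PluginInit (hunk above) scores only `dest`; that is faithful to the removed `observable` list, but the search groups by `Processes.user` and the sibling rundll32 detections in this patch add both `dest` and `user` as risk objects. Unless the omission is deliberate, add `- field: user`, `type: user`, `score: 42` so the user entity accumulates risk the same way across the Suspicious Rundll32 Activity story.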
@@ -1,18 +1,39 @@ name: Suspicious Rundll32 StartW id: 9319dda5-73f2-4d43-a85a-67ce961bddb7 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the execution of rundll32.exe with the DLL function names "Start" and "StartW," commonly associated with Cobalt Strike payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it often indicates the presence of malicious payloads, such as Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, this activity could allow attackers to inject shellcode, escalate privileges, and maintain persistence within the environment. +description: The following analytic identifies the execution of rundll32.exe with + the DLL function names "Start" and "StartW," commonly associated with Cobalt Strike + payloads. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions and process metadata. This activity + is significant as it often indicates the presence of malicious payloads, such as + Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, + this activity could allow attackers to inject shellcode, escalate privileges, and + maintain persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `suspicious_rundll32_startw_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use Start + as a function and call it via the command line. Filter as needed. references: - https://attack.mitre.org/techniques/T1218/011/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md 
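Review bot: `Processes.process=*start*` in the reflowed search matches any rundll32 command line containing the substring `start`, including paths under `\Start Menu\Programs\Startup\` or a DLL named along the lines of `startup.dll`, not only the `Start` and `StartW` export names the description cites. Consider anchoring on the export position (the comma that precedes the export in `rundll32.exe <dll>,<export>`, e.g. `Processes.process=*,Start*`, with a second pattern for the space-after-comma form) so the `suspicious_rundll32_startw_filter` macro does not have to absorb that noise; the `known_false_positives` text acknowledges the problem, but the search itself could narrow it.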
@@ -25,9 +46,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: rundll32.exe running with suspicious StartW parameters on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Trickbot 
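Review bot: the new `rba.message` hard-codes `suspicious StartW parameters`, but the search it belongs to matches `Processes.process=*start*`, so the analyst will see a StartW message for any hit on the substring; include `$process$` (it is in the `by` clause) so the message shows the actual rundll32 command line, and consider `process_name` as a threat object instead of `threat_objects: []`.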
@@ -36,43 +72,18 @@ tags: - BlackByte Ransomware - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 50 - impact: 70 - message: rundll32.exe running with suspicious StartW parameters on $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 3b2a40cac0..7fce587c31 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml 
@@ -1,18 +1,42 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\public, \programdata\, or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. +description: The following analytic identifies the creation of scheduled tasks that + execute binaries or scripts from public directories, such as users\public, \programdata\, + or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon + Event ID 1 data to detect this behavior. This activity is significant because it + often indicates an attempt to maintain persistence or execute malicious scripts, + which are common tactics in malware deployment. If confirmed as malicious, this + could lead to data compromise, unauthorized access, and potential lateral movement + within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe + (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR + Processes.process=*windows\\temp*) Processes.process=*/create* by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The main source of false positives could be the legitimate + use of scheduled tasks from these directories. Careful tuning of this search may + be necessary to suit the specifics of your environment, reducing the rate of false + positives. references: - https://attack.mitre.org/techniques/T1053/005/ drilldown_searches: 
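Review bot: this file's `version` jumps from 3 to 5 and its `date` moves to `2025-01-27`, while every other detection in this patch is bumped by one to `2024-11-13`; if the extra bump accounts for the `analytic_story` additions in the next hunk that is fine, but it reads as though the file was regenerated from a later state, so confirm the version and date are intended. Separately, the reflowed description still says the analytic `leverages Sysmon Event ID 1 data` while `data_source` lists `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2` as well; wording it as EDR telemetry mapped to `Endpoint.Processes` would match the `how_to_implement` text. Minor: `*windows\\temp*` lacks the leading `\\` that `*\\users\\public\\*` and `*\\programdata\\*` carry, which is harmless but inconsistent.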
@@ -21,52 +45,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious scheduled task registered on $dest$ from Public Directory + risk_objects: + - field: dest + type: system + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - - Azorult - - Ryuk Ransomware - - Scheduled Tasks - - Ransomware - Windows Persistence Techniques - - Living Off The Land - - DarkCrystal RAT - CISA AA23-347A + - Ransomware + - DarkCrystal RAT + - Scheduled Tasks + - Azorult + - Crypto Stealer + - Nexus APT Threat Activity + - Living Off The Land - MoonPeak + - Ryuk Ransomware + - Earth Estries - CISA AA24-241A asset_type: Endpoint - confidence: 50 - impact: 70 - message: Suspicious scheduled task registered on $dest$ from Public Directory 
mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index 83f14d4a30..99ee59cae4 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml 
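Review bot: the `analytic_story` list in the hunk above is reordered wholesale, so the actual additions (`Crypto Stealer`, `Nexus APT Threat Activity`, `Earth Estries`) are buried among a dozen moved lines; appending new stories, or keeping the list sorted both before and after, keeps the diff reviewable. Nothing is lost by dropping the old `required_fields` block, which listed `Processes.process_name` twice.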
@@ -1,18 +1,39 @@ name: Suspicious SearchProtocolHost no Command Line Arguments id: f52d2db8-31f9-4aa7-a176-25779effe55c -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects instances of searchprotocolhost.exe running without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. This activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment. +description: The following analytic detects instances of searchprotocolhost.exe running + without command line arguments. This behavior is unusual and often associated with + malicious activities, such as those performed by Cobalt Strike. The detection leverages + Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. + This activity is significant because searchprotocolhost.exe typically runs with + specific arguments, and its absence may indicate an attempt to evade detection. + If confirmed malicious, this could lead to unauthorized code execution, potential + credential dumping, or other malicious actions within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives may be present in small environments. Tuning may be required based on parent process. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id + Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" + | `suspicious_searchprotocolhost_no_command_line_arguments_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives may be present in small environments. + Tuning may be required based on parent process. references: - https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc drilldown_searches: 
@@ -21,51 +42,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious searchprotocolhost.exe process with no command line arguments + executed on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - BlackByte Ransomware - Cobalt Strike - Graceful Wipe Out Attack asset_type: Endpoint - confidence: 70 - impact: 70 - message: Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - 
_time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml index 935d91db0d..970e1f8f20 100644 --- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml +++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml 
@@ -1,51 +1,59 @@ name: Suspicious SQLite3 LSQuarantine Behavior id: e1997b2e-655f-4561-82fd-aeba8e1c1a86 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the use of SQLite3 querying the MacOS preferences to determine the original URL from which a package was downloaded. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving LSQuarantine. This activity is significant as it is commonly associated with MacOS adware and other malicious software. If confirmed malicious, this behavior could indicate an attempt to track or manipulate downloaded packages, potentially leading to further system compromise or persistent adware infections. +description: The following analytic identifies the use of SQLite3 querying the MacOS + preferences to determine the original URL from which a package was downloaded. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line executions involving LSQuarantine. This activity + is significant as it is commonly associated with MacOS adware and other malicious + software. If confirmed malicious, this behavior could indicate an attempt to track + or manipulate downloaded packages, potentially leading to further system compromise + or persistent adware infections. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 + Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `suspicious_sqlite3_lsquarantine_behavior_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ - https://www.marcosantadev.com/manage-plist-files-plistbuddy/ +rba: + message: Suspicious sqlite LSQuarantine activity on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Silver Sparrow asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1074 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml index 345f652f7d..069de0c8e2 100644 --- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml +++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml 
@@ -1,17 +1,33 @@ name: Suspicious Ticket Granting Ticket Request id: d77d349e-6269-11ec-9cfe-acde48001122 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment. +description: The following analytic detects suspicious Kerberos Ticket Granting Ticket + (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. + It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) + to identify sequences where a newly renamed computer account requests a TGT. This + behavior is significant as it could represent an attempt to escalate privileges + by impersonating a Domain Controller. If confirmed malicious, this activity could + allow attackers to gain elevated access and potentially control over the domain + environment. 
data_source: - Windows Event Log Security 4768 - Windows Event Log Security 4781 -search: '`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed. +search: '`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") + OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, + TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) + endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search + short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, + short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. 
+known_false_positives: A computer account name change event inmediately followed by + a kerberos TGT request with matching fields is unsual. However, legitimate behavior + may trigger it. Filter as needed. references: - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278 @@ -22,33 +38,18 @@ tags: - Active Directory Kerberos Attacks - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 60 - impact: 100 - message: A suspicious TGT was requested was requested by $dest$ mitre_attack_id: - T1078 - T1078.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Old_Account_Name - - New_Account_Name - - Account_Name - - ComputerName - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml index 6f5a895eba..ea46ed5259 100644 --- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml 
@@ -1,18 +1,38 @@ name: Suspicious WAV file in Appdata Folder id: 5be109e6-1ac5-11ec-b421-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of .wav files in the AppData folder, a behavior associated with Remcos RAT malware, which stores audio recordings in this location for data exfiltration. The detection leverages endpoint process and filesystem data to identify .wav file creation within the AppData\Roaming directory. This activity is significant as it indicates potential unauthorized data collection and exfiltration by malware. If confirmed malicious, this could lead to sensitive information being sent to an attacker's command and control server, compromising the affected system's confidentiality. +description: The following analytic detects the creation of .wav files in the AppData + folder, a behavior associated with Remcos RAT malware, which stores audio recordings + in this location for data exfiltration. The detection leverages endpoint process + and filesystem data to identify .wav file creation within the AppData\Roaming directory. + This activity is significant as it indicates potential unauthorized data collection + and exfiltration by malware. If confirmed malicious, this could lead to sensitive + information being sent to an attacker's command and control server, compromising + the affected system's confidentiality. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.wav") Filesystem.file_path = "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" + by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest + Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as + proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count + min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.wav") Filesystem.file_path = "*\\appdata\\Roaming\\*" + by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name + Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` + |rename process_guid as proc_guid | fields file_name file_path process_name process_path + process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, file_name, file_path and command-line + executions from your endpoints. If you are using Sysmon, you must have at least + version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US 
@@ -23,45 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ creating image file $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Remcos asset_type: Endpoint - confidence: 70 - impact: 70 - message: process $process_name$ creating image file $file_path$ in $dest$ mitre_attack_id: - T1113 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - file_create_time - - file_name - - file_path - - process_name - - process_path - - process - risk_score: 49 security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml index b943b6f210..db66f571be 100644 --- a/detections/endpoint/suspicious_wevtutil_usage.yml +++ b/detections/endpoint/suspicious_wevtutil_usage.yml 
@@ -1,18 +1,41 @@ name: Suspicious wevtutil Usage id: 2827c0fd-e1be-4868-ae25-59d28e0f9d4f -version: 7 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: David Dorsey, Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise. +description: The following analytic detects the usage of wevtutil.exe with parameters + for clearing event logs such as Application, Security, Setup, Trace, or System. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line arguments. This activity is significant because clearing + event logs can be an attempt to cover tracks after malicious actions, hindering + forensic investigations. If confirmed malicious, this behavior could allow an attacker + to erase evidence of their activities, making it difficult to trace their actions + and understand the full scope of the compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN ("* cl *", "*clear-log*", "* -cl *") Processes.process IN ("*System*", "*Security*", "*Setup*", "*Application*", "*trace*", "*powershell*") by Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=wevtutil.exe Processes.process IN ("* cl *", "*clear-log*", + "* -cl *") Processes.process IN ("*System*", "*Security*", "*Setup*", "*Application*", + "*trace*", "*powershell*") by Processes.parent_process_name Processes.parent_process + Processes.process Processes.process_guid Processes.process_id Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `suspicious_wevtutil_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The wevtutil.exe application is a legitimate Windows event + log utility. Administrators may use it to manage Windows event logs. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md drilldown_searches: 
@@ -21,9 +44,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wevtutil.exe being used to clear Event Logs on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 28 + - field: user + type: user + score: 28 + threat_objects: [] tags: analytic_story: - Windows Log Manipulation 
@@ -33,37 +71,18 @@ tags: - CISA AA23-347A - ShrinkLocker asset_type: Endpoint - confidence: 70 - impact: 40 - message: Wevtutil.exe being used to clear Event Logs on $dest$ by $user$ mitre_attack_id: - T1070.001 - T1070 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/wevtutil_clear_log.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/wevtutil_clear_log.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml index 54254dde8a..b179bc80c6 100644 --- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml +++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml 
@@ -1,16 +1,35 @@ name: Suspicious writes to windows Recycle Bin id: b5541828-8ffd-4070-9d95-b3da4de924cb -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools. +description: The following analytic detects when a process other than explorer.exe + writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes + data models in Splunk to identify any process writing to the "*$Recycle.Bin*" file + path, excluding explorer.exe. This activity is significant because it may indicate + an attacker attempting to hide their actions, potentially leading to data theft, + ransomware, or other malicious outcomes. If confirmed malicious, this behavior could + allow an attacker to persist in the environment and evade detection by security + tools. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. -known_false_positives: Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) + as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" + by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")` + | join process_id [| tstats `security_content_summariesonly` values(Processes.user) + as user values(Processes.process_name) as process_name values(Processes.parent_process_name) + as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name + != "explorer.exe" by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` + | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on filesystem and process logs responsible for the changes from your endpoints into + the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. +known_false_positives: Because the Recycle Bin is a hidden folder in modern versions + of Windows, it would be unusual for a process other than explorer.exe to write to + it. Incidents should be investigated as appropriate. references: [] drilldown_searches: - name: View the detection results for - "$dest$" 
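Review bot: In suspicious_writes_to_windows_recycle_bin.yml the reflowed `search` still correlates the two data model queries with `| join process_id` only, although both sides are grouped by `dest` and the subsearch tables `user process_name process_id dest`; process IDs repeat across hosts (and are reused on one host over time), so a Processes row from one endpoint can be stitched onto a Filesystem row from another and the reported `user` and `parent_process_name` are then wrong. Joining on both keys, `| join process_id dest [| tstats ...]`, keeps the correlation host-scoped, and since the search text is being rewritten for wrapping anyway it is a cheap change to fold in. Separately, `data_source: - Sysmon EventID 1 AND Sysmon EventID 11` packs two sources into one list item; the other detections in this patch list each source as its own entry.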
@@ -18,48 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious writes to windows Recycle Bin process $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 28 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Collection and Staging - PlugX asset_type: Windows - confidence: 70 - impact: 40 - message: Suspicious writes to windows Recycle Bin process $process_name$ on $dest$ mitre_attack_id: - T1036 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - Filesystem.file_name - - Filesystem.process_id - - Filesystem.dest - - 
Processes.user - - Processes.process_name - - Processes.parent_process_name - - Processes.process_id - - Processes.dest - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index 3f8ec89a97..256c4e7869 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml 
@@ -1,18 +1,48 @@ name: Svchost LOLBAS Execution Process Spawn id: 09e5c72a-4c0d-11ec-aa29-3e22fbd008af -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects instances of 'svchost.exe' spawning Living Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection and Response (EDR) data to monitor child processes of 'svchost.exe' that match known LOLBAS executables. This activity is significant as adversaries often use LOLBAS techniques to execute malicious code stealthily, potentially indicating lateral movement or code execution attempts. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment, posing a significant security risk. +description: The following analytic detects instances of 'svchost.exe' spawning Living + Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection + and Response (EDR) data to monitor child processes of 'svchost.exe' that match known + LOLBAS executables. This activity is significant as adversaries often use LOLBAS + techniques to execute malicious code stealthily, potentially indicating lateral + movement or code execution attempts. If confirmed malicious, this behavior could + allow attackers to execute arbitrary commands, escalate privileges, or maintain + persistence within the environment, posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may trigger this behavior, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) + (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", + "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", + "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", + "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", + "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", + "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", + "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", + "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", + "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", + "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", + "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate applications may trigger this behavior, filter as + needed. references: - https://attack.mitre.org/techniques/T1053/005/ - https://www.ired.team/offensive-security/persistence/t1053-schtask 
@@ -23,48 +53,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Svchost.exe spawned a LOLBAS process on $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Living Off The Land - Scheduled Tasks asset_type: Endpoint - confidence: 60 - impact: 90 - message: Svchost.exe spawned a LOLBAS process on $dest$ mitre_attack_id: - T1053 - T1053.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id 
- - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml index d566e013b0..39d3aac52b 100644 --- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml +++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml 
@@ -1,60 +1,56 @@ name: System Info Gathering Using Dxdiag Application id: f92d74f2-4921-11ec-b685-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the dxdiag.exe process with specific command-line arguments, which is used to gather system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line details. This activity is significant because dxdiag.exe is rarely used in corporate environments and its execution may indicate reconnaissance efforts by malicious actors. If confirmed malicious, this activity could allow attackers to collect detailed system information, aiding in further exploitation or lateral movement within the network. +description: The following analytic identifies the execution of the dxdiag.exe process + with specific command-line arguments, which is used to gather system information. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events and command-line details. This activity is significant + because dxdiag.exe is rarely used in corporate environments and its execution may + indicate reconnaissance efforts by malicious actors. If confirmed malicious, this + activity could allow attackers to collect detailed system information, aiding in + further exploitation or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process + = "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `system_info_gathering_using_dxdiag_application_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This commandline can be used by a network administrator to + audit host machine specifications. Thus, a filter is needed. 
references: - https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/ tags: analytic_story: - Remcos asset_type: Endpoint - confidence: 50 - impact: 50 - message: dxdiag.exe process with commandline $process$ on $dest$ mitre_attack_id: - T1592 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 113eb03ccb..095ef26ee7 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml 
@@ -1,17 +1,39 @@ name: System Information Discovery Detection id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72 -version: 6 -date: '2024-12-11' +version: 7 +date: '2024-12-16' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration. +description: The following analytic identifies system information discovery techniques, + such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs. This activity is significant because attackers often use + these commands to gather system configuration details, which can aid in further + exploitation. If confirmed malicious, this behavior could allow attackers to tailor + their attacks based on the discovered system information, potentially leading to + privilege escalation, persistence, or data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*" + OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user + Processes.process_name Processes.process Processes.dest Processes.parent_process_name + | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest + by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) + as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators debugging servers references: - https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation 
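Review bot: In system_information_discovery_detection.yml the threshold and the final grouping in the reflowed `search` disagree: `eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2` counts distinct command lines per host, but the closing `stats ... by user, dest parent_process_name` splits by user and parent process. A host where three different users each ran a single `systeminfo` passes the threshold and yields three rows with one process each, and the `rba` block added in the following hunk then scores each of those users 15 for what is not, per user, a discovery sequence. If the intent is three distinct commands by one actor, compute the distinct count by the same keys as the final stats (`by dest user parent_process_name`). Minor: `by user, dest parent_process_name` mixes comma and whitespace separators; pick one.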
@@ -21,9 +43,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential system information discovery behavior on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 15 + - field: user + type: user + score: 15 + threat_objects: [] tags: analytic_story: - Windows Discovery Techniques 
@@ -31,35 +68,17 @@ tags: - BlackSuit Ransomware - Cleo File Transfer Software asset_type: Windows - confidence: 50 - impact: 30 - message: Potential system information discovery behavior on $dest$ by $user$ mitre_attack_id: - T1082 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.user - - Processes.process_name - - Processes.dest - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index 0bd390af5d..689b31f757 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml 
@@ -1,18 +1,39 @@ name: System Processes Run From Unexpected Locations id: a34aae96-ccf8-4aef-952c-3ea21444444d -version: 8 -date: '2024-09-30' +version: 9 +date: '2024-11-13' author: David Dorsey, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies system processes running from unexpected locations outside `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. If confirmed malicious, this behavior could allow an attacker to execute code, escalate privileges, or maintain persistence within the environment, posing a significant security risk. +description: The following analytic identifies system processes running from unexpected + locations outside `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process paths, + names, and hashes. This activity is significant as it may indicate a malicious process + attempting to masquerade as a legitimate system process. If confirmed malicious, + this behavior could allow an attacker to execute code, escalate privileges, or maintain + persistence within the environment, posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" + Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user + Processes.parent_process Processes.process_path Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` + | `system_processes_run_from_unexpected_locations_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This detection may require tuning based on third party applications + utilizing native Windows binaries in non-standard paths. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml - https://attack.mitre.org/techniques/T1036/003/ 
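Review bot: In system_processes_run_from_unexpected_locations.yml the `data_source` list keeps `Windows Event Log Security 4688`, yet the reflowed `search` groups by `Processes.process_hash` in its `by` clause. Security 4688 events carry no file hash, and `tstats ... by` drops events in which a split-by field is null, so on hosts feeding only 4688 this detection cannot fire even though the metadata says it is supported. Either take the hash out of the split-by and fetch it with `values(Processes.process_hash) as process_hash` (so a missing hash no longer suppresses the row) or remove 4688 from `data_source`; in both cases `how_to_implement` should state that process hashes are needed, since it currently lists only GUID, process name, parent process and command line.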
@@ -22,9 +43,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A System process $process_name$ is running from $process_path$ on $dest$, + potentially non-standard. + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Command-Line Executions 
@@ -35,39 +71,18 @@ tags: - Windows Error Reporting Service Elevation of Privilege Vulnerability - DarkGate Malware asset_type: Endpoint - confidence: 50 - impact: 60 - message: A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard. mitre_attack_id: - T1036 - T1036.003 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_path - - Processes.user - - Processes.dest - - Processes.process_name - - Processes.process_id - - Processes.parent_process_name - - Processes.process_hash - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml index 2829746088..cd0788aeb9 100644 --- a/detections/endpoint/system_user_discovery_with_query.yml +++ b/detections/endpoint/system_user_discovery_with_query.yml 
@@ -1,17 +1,35 @@ name: System User Discovery With Query id: ad03bfcf-8a91-4bc2-a500-112993deba87 -version: 3 -date: '2024-10-17' +version: 5 +date: '2025-02-05' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering logged-in users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify active users, aiding in further lateral movement and privilege escalation within the network. +description: The following analytic detects the execution of `query.exe` with command-line + arguments aimed at discovering logged-in users. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as adversaries may use `query.exe` to gain + situational awareness and perform Active Directory discovery on compromised endpoints. + If confirmed malicious, this behavior could allow attackers to identify active users, + aiding in further lateral movement and privilege escalation within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe" OR Processes.original_file_name="query.exe") + AND Processes.process="*user*" AND ((NOT Processes.process="*/server*") OR Processes.process IN ("*/server:localhost*", "*/server:127.0.0.1*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `system_user_discovery_with_query_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ 
@@ -19,38 +37,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System user discovery on $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index 18ab748408..594b175c8d 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml 
@@ -1,17 +1,36 @@ name: System User Discovery With Whoami id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network. +description: The following analytic detects the execution of `whoami.exe` without + any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs. This activity is significant because both Red + Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding + in situational awareness and Active Directory discovery. If confirmed malicious, + this behavior could indicate an attacker is gathering information to further compromise + the system, potentially leading to privilege escalation or lateral movement within + the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe") + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ @@ -23,38 +42,17 @@ tags: - Qakbot - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: System user discovery on $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 6b4aa18842..704f218a6e 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml 
@@ -5,11 +5,18 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CurrentControlSet\\Services\\W32Time\\TimeProviders" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system. +description: The following analytic detects suspicious modifications to the time provider + registry for persistence and autostart. It leverages data from the Endpoint.Registry + data model, focusing on changes to the "CurrentControlSet\\Services\\W32Time\\TimeProviders" + registry path. This activity is significant because such modifications are uncommon + and can indicate an attempt to establish persistence on a compromised host. If confirmed + malicious, this technique allows an attacker to maintain access and execute code + automatically upon system boot, potentially leading to further exploitation and + control over the affected system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
@@ -28,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Hermetic Wiper 
@@ -39,38 +61,18 @@ tags: - Windows Registry Abuse - Data Destruction asset_type: Endpoint - confidence: 100 - impact: 80 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1547.003 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml index 7038c0b9e5..409104955e 100644 --- a/detections/endpoint/trickbot_named_pipe.yml +++ b/detections/endpoint/trickbot_named_pipe.yml 
@@ -1,16 +1,27 @@ name: Trickbot Named Pipe id: 1804b0a4-a682-11eb-8f68-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system. +description: The following analytic detects the creation or connection to a named + pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 + to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity + is significant as Trickbot uses named pipes for communication with its command and + control (C2) servers, facilitating data exfiltration and command execution. If confirmed + malicious, this behavior could allow attackers to maintain persistence, execute + arbitrary commands, and exfiltrate sensitive information from the compromised system. data_source: - Sysmon EventID 17 - Sysmon EventID 18 -search: '`sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
. +search: '`sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) + as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature + Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and pipename from your endpoints. If you are using Sysmon, + you must have at least version 6.0.4 of the Sysmon TA. . known_false_positives: unknown references: - https://labs.vipre.com/trickbot-and-its-modules/ 
@@ -21,45 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible Trickbot namedpipe created on $dest$ by $process_name$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Trickbot asset_type: Endpoint - confidence: 60 - impact: 70 - message: Possible Trickbot namedpipe created on $dest$ by $process_name$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - user_id - - EventCode - - PipeName - - signature - - Image - - process_id - risk_score: 42 security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/namedpipe/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/namedpipe/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml index 46d6c1608e..669ef87e2e 100644 --- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml +++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml 
@@ -1,16 +1,31 @@ name: UAC Bypass MMC Load Unsigned Dll id: 7f04349c-e30d-11eb-bc7f-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence. +description: The following analytic detects the loading of an unsigned DLL by the + MMC.exe application, which is indicative of a potential UAC bypass or privilege + escalation attempt. It leverages Sysmon EventCode 7 to identify instances where + MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because + attackers often use this technique to modify CLSID registry entries, causing MMC.exe + to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining + elevated privileges. If confirmed malicious, this could allow an attacker to execute + arbitrary code with higher privileges, leading to further system compromise and + persistence. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed=false Company != "Microsoft Corporation" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: unknown. all of the dll loaded by mmc.exe is microsoft signed dll. +search: '`sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed=false + Company != "Microsoft Corporation" | stats count min(_time) as firstTime max(_time) + as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode + Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `uac_bypass_mmc_load_unsigned_dll_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: unknown. all of the dll loaded by mmc.exe is microsoft signed + dll. references: - https://offsec.almond.consulting/UAC-bypass-dotnet.html drilldown_searches: 
@@ -19,44 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ + with EventCode $EventCode$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$ mitre_attack_id: - T1548.002 - T1548 - T1218.014 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - Signed - - ProcessId - - OriginalFileName - - dest - - EventCode - - Company - risk_score: 63 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml index d68f8c25fb..c93938fb95 100644 --- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml +++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml 
@@ -1,15 +1,28 @@ name: UAC Bypass With Colorui COM Object id: 2bcccd20-fc2b-11eb-8d22-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment. +description: The following analytic detects a potential UAC bypass using the colorui.dll + COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll + is loaded by a process other than colorcpl.exe, excluding common system directories. + This activity is significant because UAC bypass techniques are often used by malware, + such as LockBit ransomware, to gain elevated privileges without user consent. If + confirmed malicious, this could allow an attacker to execute code with higher privileges, + leading to further system compromise and persistence within the environment. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" + NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as + firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id + EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `uac_bypass_with_colorui_com_object_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. known_false_positives: not so common. but 3rd part app may load this dll. references: - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ 
@@ -19,47 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The following module $ImageLoaded$ was loaded by a non-standard application + on endpoint $dest$. + risk_objects: + - field: dest + type: system + score: 48 + threat_objects: [] tags: analytic_story: - Ransomware - LockBit Ransomware asset_type: Endpoint - confidence: 80 - impact: 60 - message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$. 
mitre_attack_id: - T1218 - T1218.003 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: ImageLoaded - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml index 75e2c8de26..95e609aade 100644 --- a/detections/endpoint/uninstall_app_using_msiexec.yml +++ b/detections/endpoint/uninstall_app_using_msiexec.yml 
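Review bot: the removed `observable` block carried ImageLoaded with the Attacker role, but the new rba block sets `threat_objects: []`, so the loaded DLL path is no longer surfaced as a threat object on the risk event even though $ImageLoaded$ is interpolated into the message; if contentctl offers a suitable type for a module path, add a threat object for ImageLoaded, otherwise state in the PR that the drop is intentional. The score of 48 matches the removed risk_score (confidence 80 x impact 60 / 100), so the risk weighting itself is preserved.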
@@ -1,17 +1,37 @@ name: Uninstall App Using MsiExec id: 1fca2b28-f922-11eb-b2dd-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the uninstallation of applications using msiexec with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it is an uncommon practice in enterprise environments and has been associated with malicious behavior, such as disabling antivirus software. If confirmed malicious, this could allow an attacker to remove security software, potentially leading to further compromise and persistence within the network. +description: The following analytic detects the uninstallation of applications using + msiexec with specific command-line arguments. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs that include command-line + details. This activity is significant because it is an uncommon practice in enterprise + environments and has been associated with malicious behavior, such as disabling + antivirus software. If confirmed malicious, this could allow an attacker to remove + security software, potentially leading to further compromise and persistence within + the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= "* /qn *" Processes.process= "*/X*" Processes.process= "*REBOOT=*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe + Processes.process= "* /qn *" Processes.process= "*/X*" Processes.process= "*REBOOT=*" + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown. references: - https://threadreaderapp.com/thread/1423361119926816776.html 
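Review bot: every new line break in the folded search lands on a whitespace boundary of the SPL (after `max(_time)`, after `msiexec.exe`, after `"*REBOOT=*"`, after the `drop_dm_object_name` macro), so the rendered search string is unchanged; I'd still suggest rendering the YAML and diffing the resulting search strings for the whole PR, because a break placed inside a quoted pattern such as `"* /qn *"` would silently change the match. The boilerplate how_to_implement mentions the process GUID, which this search never uses (it keys on process_id and parent_process_id); not introduced here, but worth aligning while the paragraph is rewrapped.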
@@ -21,47 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ with a cmdline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 60 - impact: 50 - message: process $process_name$ with a cmdline $process$ in host $dest$ mitre_attack_id: - T1218.007 - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index 3b3a9594d3..f1a31e9ae9 100644 --- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml 
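Review bot: the rba message `process $process_name$ with a cmdline $process$ in host $dest$` is carried over verbatim and reads poorly as a risk notable; suggest `Process $process_name$ was executed with command line $process$ on host $dest$`. The score of 30 matches the removed risk_score (60 x 50 / 100) and the process_name threat object replaces the old Attacker observable, so nothing is lost in the migration. `known_false_positives: unknown.` remains a placeholder and should describe the benign silent uninstalls an analyst is expected to tune out.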
@@ -1,16 +1,39 @@ name: Unknown Process Using The Kerberos Protocol id: c91a0852-9fbb-11ec-af44-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies a non-lsass.exe process making an outbound connection on port 88, which is typically used by the Kerberos authentication protocol. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. This activity is significant because, under normal circumstances, only the lsass.exe process should interact with the Kerberos Distribution Center. If confirmed malicious, this behavior could indicate an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized access or lateral movement within the network. +description: The following analytic identifies a non-lsass.exe process making an outbound + connection on port 88, which is typically used by the Kerberos authentication protocol. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and network traffic logs. This activity is significant because, + under normal circumstances, only the lsass.exe process should interact with the + Kerberos Distribution Center. If confirmed malicious, this behavior could indicate + an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized + access or lateral movement within the network. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Custom applications may leverage the Kerberos protocol. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest + parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Custom applications may leverage the Kerberos protocol. Filter + as needed. references: - https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ - https://www.thehacker.recipes/ad/movement/kerberos/ptk 
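Review bot: the outer tstats only computes `count`, yet the pipeline then calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`; neither field exists at that point, so both macro calls are dead. Either add `min(_time) as firstTime max(_time) as lastTime` to the first tstats or drop the macros (the closing `table` does not output them anyway). In the rewrapped description, `Kerberos Distribution Center` should read `Key Distribution Center (KDC)`, the actual name of the service lsass.exe contacts on port 88.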
@@ -20,47 +43,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Unknown process $process_name$ using the kerberos protocol detected on + host $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks - BlackSuit Ransomware asset_type: Endpoint - confidence: 60 - impact: 60 - message: Unknown process $process_name$ using the kerberos protocol detected on host $dest$ mitre_attack_id: - T1550 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_ip - - All_Traffic.dest_port - - All_Traffic.src_ip - - Processes.process_id - - Processes.process_name - - Processes.dest - - 
Processes.process_path - - Processes.process - - Processes.parent_process_name - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml index a2a669e459..93302c30ba 100644 --- a/detections/endpoint/unload_sysmon_filter_driver.yml +++ b/detections/endpoint/unload_sysmon_filter_driver.yml 
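Review bot: `threat_objects: []` drops the process entirely from the risk event although `process_name` is in the search output and is interpolated into the message; the msiexec detection in this same PR attaches `- field: process_name` / `type: process_name` as a threat object, and the same should be done here so the offending binary is attributable in Risk.All_Risk. Score 36 equals the removed risk_score (60 x 60 / 100). The removed `required_fields` listed All_Traffic.dest_ip and All_Traffic.src_ip, which the search never referenced, so dropping them is correct.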
@@ -1,17 +1,37 @@ name: Unload Sysmon Filter Driver id: e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment. +description: The following analytic detects the use of `fltMC.exe` to unload the Sysmon + driver, which stops Sysmon from collecting data. It leverages Endpoint Detection + and Response (EDR) logs, focusing on process names and command-line executions. + This activity is significant because disabling Sysmon can blind security monitoring, + allowing malicious actions to go undetected. If confirmed malicious, this could + enable attackers to execute further attacks without being logged, leading to potential + data breaches, privilege escalation, or persistent access within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | table firstTime lastTime dest user count process_name process_id parent_process_name process | `unload_sysmon_filter_driver_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) + as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe + AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name + Processes.process_id Processes.parent_process_name Processes.process Processes.dest + Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + | table firstTime lastTime dest user count process_name process_id parent_process_name + process | `unload_sysmon_filter_driver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown at the moment references: - https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver 
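Review bot: `values(Processes.process) as process` in the tstats aggregation is redundant because `Processes.process` is also a split-by field, and after `drop_dm_object_name` both yield the same `process` column; remove the values() clause. Also worth documenting in how_to_implement: the search keys on `Processes.process=*SysmonDrv*`, the default driver name, so a Sysmon deployment installed with a custom driver name (Sysmon's -d option) will not match and the pattern must be adjusted per environment. Minor style: `` `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` `` lacks the spaces around `|` used everywhere else in the file.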
@@ -21,42 +41,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible Sysmon filter driver unloading on $dest$ + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Disabling Security Tools asset_type: Endpoint - confidence: 90 - impact: 50 - message: Possible Sysmon filter driver unloading on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml index a2fadb67eb..3fba97f093 100644 --- a/detections/endpoint/unloading_amsi_via_reflection.yml +++ b/detections/endpoint/unloading_amsi_via_reflection.yml 
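Review bot: the rba message `Possible Sysmon filter driver unloading on $dest$` omits the user and command line even though `user` and `process` are in the search's split-by fields; including `$user$` and `$process$` gives the analyst the fltMC invocation directly in the risk event. Score 45 matches the removed risk_score (90 x 50 / 100), and the old `type: Endpoint` observable (inconsistent with `Hostname` in the sibling files) is now normalized to `type: system`, which is an improvement.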
@@ -1,16 +1,29 @@ name: Unloading AMSI via Reflection id: a21e3484-c94d-11eb-b55b-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically those involving `system.management.automation.amsi`. This activity is significant as it indicates an attempt to bypass AMSI, a critical security feature that helps detect and block malicious scripts. If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to potential system compromise and data exfiltration. +description: The following analytic detects the tampering of AMSI (Antimalware Scan + Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging + (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically + those involving `system.management.automation.amsi`. This activity is significant + as it indicates an attempt to bypass AMSI, a critical security feature that helps + detect and block malicious scripts. If confirmed malicious, this could allow an + attacker to execute harmful code undetected, leading to potential system compromise + and data exfiltration. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Potential for some third party applications to disable AMSI upon invocation. Filter as needed. +search: '`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `unloading_amsi_via_reflection_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Potential for some third party applications to disable AMSI + upon invocation. Filter as needed. references: - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 
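Review bot: the trailing period after the URL in the rewrapped how_to_implement (`...#Configure_module_logging_for_PowerShell.`) and in the first references entry becomes part of the link when rendered, so the anchor will not resolve; move the period outside the URL or drop it. Otherwise the fold points in the search (`*system.management.automation.amsi*`, `ScriptBlockText`, the ctime macro) all sit on whitespace, so the rendered SPL is unchanged.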
@@ -22,43 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible AMSI Unloading via Reflection using PowerShell on $Computer$ + risk_objects: + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 70 - impact: 70 - message: Possible AMSI Unloading via Reflection using PowerShell on $Computer$ mitre_attack_id: - T1562 - T1059.001 - T1059 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml index f8ede9c340..c891b89ed2 100644 --- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml 
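Review bot: the risk object is keyed on `Computer` rather than the `dest` field used by every other detection in this PR; that matches the search's split-by field and the drilldown's `$Computer$`, so it is internally consistent, but the search also splits by `user_id`, and a second risk object on that field (user type, if the rba schema permits it) would let risk accumulate on the account running the reflection, not only on the host. Score 49 equals the removed risk_score (70 x 70 / 100). The removed required_fields referenced `UserID` while the search uses `user_id`; that mismatch disappears with this change.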
@@ -1,16 +1,33 @@ name: Unusual Number of Computer Service Tickets Requested id: ac3b81c0-52f4-11ec-ac44-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service ticket was requested." It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration. +description: The following analytic identifies an unusual number of computer service + ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service + ticket was requested." It uses statistical analysis, including standard deviation + and the 3-sigma rule, to detect anomalies in service ticket requests. This activity + is significant as it may indicate malicious behavior such as lateral movement, malware + staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized + access to multiple endpoints, facilitating further compromise and potential data + exfiltration. 
data_source: - Windows Event Log Security 4769 -search: '`wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems. +search: '`wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" + | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) + as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) + as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name + | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and + unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: An single endpoint requesting a large number of computer service + tickets is not common behavior. 
Possible false positive scenarios include but are + not limited to vulnerability scanners, administration systeams and missconfigured + systems. references: - https://attack.mitre.org/techniques/T1078/ tags: @@ -19,27 +36,10 @@ tags: - Active Directory Kerberos Attacks - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 60 - impact: 70 - message: '' mitre_attack_id: - T1078 - observable: - - name: Client_Address - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Ticket_Options - - Ticket_Encryption_Type - - dest - - service - - service_id - risk_score: 42 security_domain: endpoint diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml index 0d6fa27f5d..104fb978fa 100644 --- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml 
@@ -1,25 +1,32 @@ name: Unusual Number of Kerberos Service Tickets Requested id: eb3e6702-8936-11ec-98fe-acde48001122 -version: 5 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: Mauricio Velazco, Dean Luxton, Splunk status: production type: Anomaly -description: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment. +description: The following analytic identifies an unusual number of Kerberos service + ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos + Event 4769 and calculates the standard deviation for each host, using the 3-sigma + rule to detect anomalies. This activity is significant as kerberoasting allows adversaries + to request service tickets and crack them offline, potentially gaining privileged + access to the domain. If confirmed malicious, this could lead to unauthorized access + to sensitive accounts and escalation of privileges within the Active Directory environment. 
data_source: - Windows Event Log Security 4769 search: >- `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 - | bucket span=2m _time - | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src - | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src - | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) - | search isOutlier=1 + | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) + as requested_services values(user_category) as user_category values(src_category) + as src_category by _time, user, src + | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std + by user, src + | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 + and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter` how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting - `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured 
@@ -33,47 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ requested a service ticket for $unique_services$ services indicating + a potential kerberoasting attack + risk_objects: + - field: src + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 80 - impact: 80 - message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack mitre_attack_id: - T1558 - T1558.003 - observable: - - name: src - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - 
Ticket_Options - - Ticket_Encryption_Type - - user - - src - - Service_Name - - service_id - - Client_Address - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml index 7bc1ff16b7..e01d6a6efb 100644 --- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml +++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml 
@@ -1,16 +1,33 @@ name: Unusual Number of Remote Endpoint Authentication Events id: acb5dc74-5324-11ec-a36d-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks. +description: The following analytic identifies an unusual number of remote authentication + attempts from a single source by leveraging Windows Event ID 4624, which logs successful + account logons. It uses statistical analysis, specifically the 3-sigma rule, to + detect deviations from normal behavior. This activity is significant for a SOC as + it may indicate lateral movement, malware staging, or reconnaissance. If confirmed + malicious, this behavior could allow an attacker to move laterally within the network, + escalate privileges, or gather information for further attacks. 
data_source: - Windows Event Log Security 4624 -search: '`wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -known_false_positives: An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems. +search: '`wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | eval + Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) + AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, + Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) + as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | + `unusual_number_of_remote_endpoint_authentication_events_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as well as member servers and workstations. 
+ The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: An single endpoint authenticating to a large number of hosts + is not common behavior. Possible false positive scenarios include but are not limited + to vulnerability scanners, jump servers and missconfigured systems. references: - https://attack.mitre.org/techniques/T1078/ tags: @@ -18,27 +35,10 @@ tags: - Active Directory Lateral Movement - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 60 - impact: 70 - message: Unusual number of remote authentication events from $Source_Network_Address$ mitre_attack_id: - T1078 - observable: - - name: target_hosts - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - Caller_Process_Name - - Security_ID - - Account_Name - - ComputerName - risk_score: 42 security_domain: endpoint diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml index 3feac13ffb..bf72181614 100644 --- a/detections/endpoint/unusually_long_command_line.yml +++ b/detections/endpoint/unusually_long_command_line.yml 
@@ -1,19 +1,50 @@ name: Unusually Long Command Line id: c77162d3-f93c-45cc-80c8-22f6a4264e7f -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-11-13' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats. +description: The following analytic detects unusually long command lines, which may + indicate malicious activity. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on the length of command lines executed on hosts. This behavior + is significant because attackers often use obfuscated or complex command lines to + evade detection and execute malicious payloads. If confirmed malicious, this activity + could lead to data theft, ransomware deployment, or further system compromise. Analysts + should investigate the source and content of the command line, inspect relevant + artifacts, and review concurrent processes to identify potential threats. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name + Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) + as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) + as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process + | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + + avgperhost)' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Some legitimate applications start with long command lines. references: [] +rba: + message: Unusually long command line $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Command-Line Executions 
@@ -21,27 +52,8 @@ tags: - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns - Ransomware asset_type: Endpoint - confidence: 60 - impact: 70 - message: Unusually long command line $process_name$ on $dest$ - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_name - - Processes.process - risk_score: 42 security_domain: endpoint diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml index 852993c7f4..a1449bf5e2 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/endpoint/unusually_long_command_line___mltk.yml 
@@ -1,19 +1,64 @@ name: Unusually Long Command Line - MLTK id: 57edaefa-a73b-45e5-bbae-f39c1473f941 -version: 4 +version: 5 date: '2024-12-16' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system. +description: The following analytic identifies unusually long command lines executed + on hosts, which may indicate malicious activity. It leverages the Machine Learning + Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for + a given user. This is significant for a SOC as unusually long command lines can + be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this + activity could allow attackers to execute sophisticated commands, potentially leading + to unauthorized access, data exfiltration, or further compromise of the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search "ESCU - Baseline of Command Line Length - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. 
You should periodically re-run the support search to rebuild the model with the latest data available in your environment. -known_false_positives: Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name + Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown + | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier + | search isOutlier > 0 | table firstTime lastTime user dest process_name process + processlen count | `unusually_long_command_line___mltk_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. In addition, the Machine Learning + Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along + with any required dependencies. Finally, the support search "ESCU - Baseline of + Command Line Length - MLTK" must be executed before this detection search, because + it builds a machine-learning (ML) model over the historical data used by this search. + It is important that this search is run in the same app context as the associated + support search, so that the model created by the support search is available for + use. You should periodically re-run the support search to rebuild the model with + the latest data available in your environment. +known_false_positives: Some legitimate applications use long command lines for installs + or updates. You should review identified command lines for legitimacy. You may modify + the first part of the search to omit legitimate command lines from consideration. + If you are seeing more results than desired, you may consider changing the value + of threshold in the search to a smaller value. You should also periodically re-run + the support search to re-build the ML model on the latest data. You may get unexpected + results if the user identified in the results is not present in the data used to + build the associated model. references: [] +rba: + message: Unusually long command line usage on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious Command-Line Executions 
@@ -21,27 +66,8 @@ tags: - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns - Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_name - - Processes.process - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml index 149aff1ced..79d4aea5e9 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml 
@@ -1,17 +1,37 @@ name: User Discovery With Env Vars PowerShell id: 0cdf318b-a0dd-47d7-b257-c621c0247de8 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with command-line arguments that use PowerShell environment variables to identify the current logged user. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to gather critical user information, aiding in further exploitation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that use PowerShell environment variables to identify the + current logged user. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line executions. This activity is + significant as adversaries may use it for situational awareness and Active Directory + discovery on compromised endpoints. If confirmed malicious, this behavior could + allow attackers to gather critical user information, aiding in further exploitation + and lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") + (Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*") + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ 
@@ -19,38 +39,17 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System user discovery on $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml index 126881a041..840a2991e0 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml 
@@ -1,53 +1,47 @@ name: User Discovery With Env Vars PowerShell Script Block id: 77f41d9e-b8be-47e3-ab35-5776f5ec1d20 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network. +description: The following analytic detects the use of PowerShell environment variables + to identify the current logged user by leveraging PowerShell Script Block Logging + (EventCode=4104). This method monitors script blocks containing `$env:UserName` + or `[System.Environment]::UserName`. Identifying this activity is significant as + adversaries and Red Teams may use it for situational awareness and Active Directory + discovery on compromised endpoints. If confirmed malicious, this activity could + allow attackers to gain insights into user context, aiding in further exploitation + and lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText + = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, + user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `user_discovery_with_env_vars_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet + for troubleshooting. 
references: - https://attack.mitre.org/techniques/T1033/ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: System user discovery on endpoint $dest$ by user $user$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Path - - Message - - OpCode - - ComputerName - - User - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml index 68b1758de5..7be7337d7e 100644 --- a/detections/endpoint/usn_journal_deletion.yml +++ b/detections/endpoint/usn_journal_deletion.yml 
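Review bot: in the rewrapped how_to_implement, the link anchor (`#Configure_module_logging_for_PowerShell`) points at module-logging setup, while the sentence before it and the search (`EventCode=4104`) require Script Block Logging; point the reference at script block logging guidance or state that both must be enabled. The reflowed known_false_positives also calls `$env:UserName` a "commandlet"; it is an environment-variable read (and `[System.Environment]::UserName` a .NET property), so wording such as "may reference these variables in troubleshooting scripts" describes the false-positive source accurately.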
@@ -1,17 +1,37 @@ name: USN Journal Deletion id: b6e0ff70-b122-4227-9368-4cf322ab43c3 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: David Dorsey, Splunk status: production type: TTP -description: The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts. +description: The following analytic detects the deletion of the USN Journal using + the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process execution logs that include command-line details. This + activity is significant because the USN Journal maintains a log of all changes made + to files on the disk, and its deletion can be an indicator of an attempt to cover + tracks or hinder forensic investigations. If confirmed malicious, this action could + allow an attacker to obscure their activities, making it difficult to trace file + modifications and potentially compromising incident response efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process="*deletejournal*" AND process="*usn*" | `usn_journal_deletion_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process) + as process values(Processes.parent_process) as parent_process min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe + by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | search process="*deletejournal*" AND process="*usn*" | `usn_journal_deletion_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: None identified references: [] drilldown_searches: 
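Review bot: the reflowed search still applies the USN-journal terms after tstats (`| search process="*deletejournal*" AND process="*usn*"`), so every fsutil.exe execution is pulled out of the accelerated model before the two wildcards are evaluated; moving them into the where clause as `Processes.process="*deletejournal*" Processes.process="*usn*"`, the way the wbadmin search later in this patch does with `Processes.process="*delete*"`, keeps the filtering inside tstats. The rewrapped how_to_implement also still says the logs must contain the process GUID, which nothing in this search uses; the same boilerplate is repeated in every detection touched below, so either drop the GUID requirement or mark it as generic Endpoint.Processes guidance.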
@@ -20,41 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible USN journal deletion on $dest$ + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Windows Log Manipulation - Ransomware asset_type: Endpoint - confidence: 90 - impact: 50 - message: Possible USN journal deletion on $dest$ mitre_attack_id: - T1070 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.parent_process - - Processes.process_name - - Processes.user - - Processes.parent_process_name - - Processes.dest - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml index 9721d41cd5..e9fd89ca8c 100644 --- a/detections/endpoint/vbscript_execution_using_wscript_app.yml +++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml 
@@ -1,17 +1,38 @@ name: Vbscript Execution Using Wscript App id: 35159940-228f-11ec-8a49-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because wscript.exe is typically not used to execute VBScript, which is usually associated with cscript.exe. This deviation can indicate an attempt to evade traditional process monitoring and antivirus defenses. If confirmed malicious, this technique could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic detects the execution of VBScript using the wscript.exe + application. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and command-line telemetry. This activity is significant because + wscript.exe is typically not used to execute VBScript, which is usually associated + with cscript.exe. This deviation can indicate an attempt to evade traditional process + monitoring and antivirus defenses. If confirmed malicious, this technique could + allow attackers to execute arbitrary code, potentially leading to system compromise, + data exfiltration, or further lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "wscript.exe" AND Processes.parent_process = "*//e:vbscript*") OR (Processes.process_name = "wscript.exe" AND Processes.process = "*//e:vbscript*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name + = "wscript.exe" AND Processes.parent_process = "*//e:vbscript*") OR (Processes.process_name + = "wscript.exe" AND Processes.process = "*//e:vbscript*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process_id Processes.process + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.joesandbox.com/analysis/369332/0/html 
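Review bot: the description's claim that wscript.exe "is typically not used to execute VBScript, which is usually associated with cscript.exe" is backwards: wscript.exe is the windowed Windows Script Host and the default handler for .vbs files, cscript.exe is the console variant, and both run VBScript. What the search actually keys on is the explicit `//e:vbscript` engine switch in `Processes.process` / `Processes.parent_process`, i.e. forcing the VBScript engine for a file whose extension would not select it; rewording the description around that switch would describe the detection accurately.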
@@ -22,52 +43,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ with commandline $process$ to execute vbsscript + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - FIN7 - Remcos - AsyncRAT asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process name $process_name$ with commandline $process$ to execute vbsscript mitre_attack_id: - T1059.005 - T1059 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - 
Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml index 7d7fcaf26e..fa5b44a719 100644 --- a/detections/endpoint/verclsid_clsid_execution.yml +++ b/detections/endpoint/verclsid_clsid_execution.yml 
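Review bot: the rba message added in this hunk carries over the typo `vbsscript` (`to execute vbsscript`); since the file version is being bumped here anyway, correct it to `VBScript`. The score of 49 on both dest and user matches the removed confidence 70 and impact 70, so the risk weighting itself is unchanged.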
@@ -1,18 +1,41 @@ name: Verclsid CLSID Execution id: 61e9a56a-20fa-11ec-8ba3-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the potential abuse of the verclsid.exe utility to execute malicious files via generated CLSIDs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with verclsid.exe. This activity is significant because verclsid.exe is a legitimate Windows application used to verify CLSID COM objects, and its misuse can indicate an attempt to bypass security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise or further malicious activities. +description: The following analytic detects the potential abuse of the verclsid.exe + utility to execute malicious files via generated CLSIDs. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command-line + patterns associated with verclsid.exe. This activity is significant because verclsid.exe + is a legitimate Windows application used to verify CLSID COM objects, and its misuse + can indicate an attempt to bypass security controls. If confirmed malicious, this + technique could allow an attacker to execute arbitrary code, potentially leading + to system compromise or further malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*" AND Processes.process="*}*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: windows can used this application for its normal COM object validation. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.parent_process) as parent_process values(Processes.process_id) + as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_verclsid` AND Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*" + AND Processes.process="*}*" by Processes.process_name Processes.original_file_name + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `verclsid_clsid_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: windows can used this application for its normal COM object + validation. references: - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ 
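Review bot: the reflowed known_false_positives line has a grammar error: `windows can used this application for its normal COM object validation` should read `Windows uses this application for normal COM object validation`. The where clause also mixes implicit and explicit conjunction (`Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*"`); it evaluates the same either way, but writing every term with AND (or none) keeps it readable now that it is split across several lines.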
@@ -20,43 +43,18 @@ tags: analytic_story: - Unusual Processes asset_type: Endpoint - confidence: 50 - impact: 50 - message: process $process_name$ to execute possible clsid commandline $process$ in $dest$ mitre_attack_id: - T1218.012 - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml index c4f09f596c..30d7cd3caa 100644 --- a/detections/endpoint/w3wp_spawning_shell.yml +++ b/detections/endpoint/w3wp_spawning_shell.yml 
@@ -1,18 +1,40 @@ name: W3WP Spawning Shell id: 0f03423c-7c6a-11eb-bc47-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is W3WP.exe. This activity is significant as it may indicate webshell activity, often associated with exploitation attempts like those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic identifies instances where a shell (PowerShell.exe + or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where the parent process is W3WP.exe. This activity is significant as it + may indicate webshell activity, often associated with exploitation attempts like + those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior + could allow attackers to execute arbitrary commands, potentially leading to system + compromise, data exfiltration, or further lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) + as process_name values(Processes.process) as process min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe + AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process + Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Baseline your environment before production. It is possible + build systems using IIS will spawn cmd.exe to perform a software build. Filter as + needed. references: - https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ - https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell 
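Review bot: the where clause `Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell`` has no parentheses, so whether the w3wp.exe parent constraint applies to the PowerShell branch depends on SPL operator precedence that a reader should not have to know; make the intent explicit with `Processes.parent_process_name=w3wp.exe AND (`process_cmd` OR `process_powershell`)` so the detection cannot degrade into matching every PowerShell launch regardless of parent.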
@@ -24,9 +46,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible Web Shell execution on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - ProxyNotShell 
@@ -40,43 +74,22 @@ tags: - Flax Typhoon - WS FTP Server Critical Vulnerabilities asset_type: Endpoint - confidence: 80 cve: - CVE-2021-34473 - CVE-2021-34523 - CVE-2021-31207 - impact: 70 - message: Possible Web Shell execution on $dest$ mitre_attack_id: - T1505 - T1505.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml index 703e47bed4..01aead7047 100644 --- a/detections/endpoint/wbadmin_delete_system_backups.yml +++ b/detections/endpoint/wbadmin_delete_system_backups.yml 
@@ -1,17 +1,36 @@ name: WBAdmin Delete System Backups id: cd5aed7e-5cea-11eb-ae93-0242ac130002 -version: 4 -date: '2024-11-26' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss. +description: The following analytic detects the execution of wbadmin.exe with flags + that delete backup files, specifically targeting catalog or system state backups. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line arguments. This activity is significant because it + is commonly used by ransomware to prevent recovery by deleting system backups. If + confirmed malicious, this action could severely hinder recovery efforts, leading + to prolonged downtime and potential data loss. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wbadmin` AND Processes.process="*delete*" AND (Processes.process="*catalog*" OR Processes.process="*backup*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wbadmin` AND Processes.process="*delete*" + AND (Processes.process="*catalog*" OR Processes.process="*backup*") by Processes.process_name + Processes.process Processes.parent_process_name Processes.dest Processes.user | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `wbadmin_delete_system_backups_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may modify the boot configuration. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md 
@@ -25,9 +44,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: System backups deletion on $dest$ + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Ryuk Ransomware 
@@ -35,32 +66,17 @@ tags: - Prestige Ransomware - Chaos Ransomware asset_type: Endpoint - confidence: 50 - impact: 30 - message: System backups deletion on $dest$ mitre_attack_id: - T1490 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml index 0f97c7f8d8..6e770d7563 100644 --- a/detections/endpoint/wbemprox_com_object_execution.yml +++ b/detections/endpoint/wbemprox_com_object_execution.yml 
@@ -1,16 +1,31 @@ name: Wbemprox COM Object Execution id: 9d911ce0-c3be-11eb-b177-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk. +description: The following analytic detects a suspicious process loading a COM object + from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode + 7 to identify instances where these DLLs are loaded by processes not typically associated + with them, excluding known legitimate processes and directories. This activity is + significant as it may indicate an attempt by threat actors to abuse COM objects + for privilege escalation or evasion of detection mechanisms. If confirmed malicious, + this could allow attackers to gain elevated privileges or maintain persistence within + the environment, posing a significant security risk. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.dll", "*\\wbemcomn.dll") NOT (process_name IN ("wmiprvse.exe", "WmiApSrv.exe", "unsecapp.exe")) NOT(Image IN("*\\windows\\*","*\\program files*", "*\\wbem\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: legitimate process that are not in the exception list may trigger this event. +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.dll", + "*\\wbemcomn.dll") NOT (process_name IN ("wmiprvse.exe", "WmiApSrv.exe", "unsecapp.exe")) + NOT(Image IN("*\\windows\\*","*\\program files*", "*\\wbem\\*")) | stats count min(_time) + as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode + Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wbemprox_com_object_execution_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: legitimate process that are not in the exception list may trigger + this event. references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ 
@@ -20,46 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious COM Object Execution on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Ransomware - Revil Ransomware - LockBit Ransomware asset_type: Endpoint - confidence: 50 - impact: 70 - message: Suspicious COM Object Execution on $dest$ mitre_attack_id: - T1218 - T1218.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - - Hashes - - IMPHASH - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml index e519b0b582..fe60773917 100644 --- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml +++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml 
@@ -1,15 +1,31 @@ name: Wermgr Process Connecting To IP Check Web Services id: ed313326-a0f9-11eb-a89c-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics. +description: The following analytic detects the wermgr.exe process attempting to connect + to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS + queries made by wermgr.exe to specific IP check services. This activity is significant + because wermgr.exe is typically used for Windows error reporting, and its connection + to these services may indicate malicious code injection, often associated with malware + like Trickbot. If confirmed malicious, this behavior could allow attackers to recon + the infected machine's IP address, aiding in further exploitation and evasion tactics. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfismyip.com", "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. +search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfismyip.com", + "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", + "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", + "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") + | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name + ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer + as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wermgr_process_connecting_to_ip_check_web_services_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, dns query name process path , and query ststus from + your endpoints like EventCode 22. If you are using Sysmon, you must have at least + version 12 of the Sysmon TA. 
known_false_positives: unknown references: - https://labs.vipre.com/trickbot-and-its-modules/ 
@@ -20,43 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wermgr.exe process connecting IP location web services on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Trickbot asset_type: Endpoint - confidence: 80 - impact: 70 - message: Wermgr.exe process connecting IP location web services on $dest$ mitre_attack_id: - T1590 - T1590.005 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_path - - process_name - - process_id - - QueryName - - QueryStatus - - QueryResults - - dest - - EventCode - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml index 943b40cf46..f648718227 100644 --- a/detections/endpoint/wermgr_process_create_executable_file.yml +++ b/detections/endpoint/wermgr_process_create_executable_file.yml 
@@ -1,15 +1,27 @@ name: Wermgr Process Create Executable File id: ab3bcce0-a105-11eb-973c-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise. +description: The following analytic detects the wermgr.exe process creating an executable + file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates + a .exe file. This behavior is unusual because wermgr.exe is typically associated + with error reporting, not file creation. Such activity is significant as it may + indicate TrickBot malware, which injects code into wermgr.exe to execute malicious + actions like downloading additional payloads. If confirmed malicious, this could + lead to further malware infections, data exfiltration, or system compromise. data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used. +search: '`sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe" + | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename + process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wermgr_process_create_executable_file_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances of wermgr.exe may be used. known_false_positives: unknown references: - https://labs.vipre.com/trickbot-and-its-modules/ 
@@ -20,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wermgr.exe writing executable files on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Trickbot asset_type: Endpoint - confidence: 80 - impact: 70 - message: Wermgr.exe writing executable files on $dest$ mitre_attack_id: - T1027 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - TargetFilename - - process_name - - dest - - EventCode - - ProcessId - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml index 9dbdc073c5..73dc26d297 100644 --- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml +++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml 
@@ -1,17 +1,38 @@ name: Wermgr Process Spawned CMD Or Powershell Process id: e8fc95bc-a107-11eb-a978-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the spawning of cmd or PowerShell processes by the wermgr.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry, including parent-child process relationships and command-line executions. This behavior is significant as it is commonly associated with code injection techniques used by malware like TrickBot to execute shellcode or malicious DLL modules. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security. +description: The following analytic detects the spawning of cmd or PowerShell processes + by the wermgr.exe process. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process telemetry, including parent-child process relationships + and command-line executions. This behavior is significant as it is commonly associated + with code injection techniques used by malware like TrickBot to execute shellcode + or malicious DLL modules. If confirmed malicious, this activity could allow attackers + to execute arbitrary code, escalate privileges, or maintain persistence within the + environment, posing a severe threat to system security. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "wermgr.exe" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.parent_process_name = "wermgr.exe" `process_cmd` OR `process_powershell` + by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name + Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wermgr_process_spawned_cmd_or_powershell_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://labs.vipre.com/trickbot-and-its-modules/ 
@@ -22,46 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wermgr.exe spawning suspicious processes on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Trickbot - Qakbot asset_type: Endpoint - confidence: 80 - impact: 70 - message: Wermgr.exe spawning suspicious processes on $dest$ mitre_attack_id: - T1059 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path 
- - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml index c8b97f7881..6e8ced3331 100644 --- a/detections/endpoint/wget_download_and_bash_execution.yml +++ b/detections/endpoint/wget_download_and_bash_execution.yml 
@@ -1,28 +1,30 @@ name: Wget Download and Bash Execution id: 35682718-5a85-11ec-b8f7-acde48001122 -version: 6 -date: '2024-12-03' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk, DipsyTipsy status: production type: TTP -description: The following analytic detects the use of wget on Windows, Linux or MacOS to download - a file from a remote source and pipe it to bash. This detection leverages data from - Endpoint Detection and Response (EDR) agents, focusing on process names and command-line - executions. This activity is significant as it is commonly associated with malicious - actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed - malicious, this behavior could allow attackers to execute arbitrary code, potentially - leading to system compromise and unauthorized access to sensitive data. +description: The following analytic detects the use of wget on Windows, Linux or MacOS + to download a file from a remote source and pipe it to bash. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it is commonly associated + with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. + If confirmed malicious, this behavior could allow attackers to execute arbitrary + code, potentially leading to system compromise and unauthorized access to sensitive + data. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=wget OR Processes.process_name=wget.exe) - ((Processes.process="*-q *" OR Processes.process="*-q" OR Processes.process="*--quiet*") AND Processes.process="*-O- - *") AND (Processes.process="*|*" AND Processes.process="*bash*") by Processes.dest - Processes.user Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`' + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=wget + OR Processes.process_name=wget.exe) ((Processes.process="*-q *" OR Processes.process="*-q" + OR Processes.process="*--quiet*") AND Processes.process="*-O- *") AND (Processes.process="*|*" + AND Processes.process="*bash*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wget_download_and_bash_execution_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -53,50 +55,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ attempting + to download a remote file and run it with bash. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Log4Shell CVE-2021-44228 - Compromised Windows Host - Ingress Tool Transfer asset_type: Endpoint - confidence: 100 cve: - CVE-2021-44228 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ attempting - to download a remote file and run it with bash. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint manual_test: Due to current limitations in command line extraction capabilities with Sysmon for Linux, full CommandLine data cannot be collected for complete 
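Review bot: the new `user` risk object (score 80) depends on `Processes.user` being populated, and the `manual_test` note directly below says Sysmon for Linux cannot deliver full command-line data; confirm the Linux test dataset also carries a usable `user` value, otherwise the risk event will be emitted for `dest` only and the user-side score never applies. The `$process_name$` and `$dest$` tokens in `rba.message` are available after `drop_dm_object_name(Processes)`, and the two scores match the removed `risk_score: 80`, so that part is consistent.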
@@ -104,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml index 766d58bed0..e1658b85c3 100644 --- a/detections/endpoint/windows_abused_web_services.yml +++ b/detections/endpoint/windows_abused_web_services.yml 
@@ -1,16 +1,29 @@ name: Windows Abused Web Services id: 01f0aef4-8591-4daa-a53d-0ed49823b681 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 22 -description: The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host. -search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", "*discord*", "*duckdns.org*", "*pasteio.com*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`' -how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -known_false_positives: Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. +description: The following analytic detects a suspicious process making DNS queries + to known, abused web services such as text-paste sites, VoIP, secure tunneling, + instant messaging, and digital distribution platforms. This detection leverages + Sysmon logs with Event ID 22, focusing on specific query names. 
This activity is + significant as it may indicate an adversary attempting to download malicious files, + a common initial access technique. If confirmed malicious, this could lead to unauthorized + code execution, data exfiltration, or further compromise of the target host. +search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", + "*discord*", "*duckdns.org*", "*pasteio.com*") | stats count min(_time) as firstTime + max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults + Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_abused_web_services_filter`' +how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. + We suggest you run this detection at least once a day over the last 14 days. +known_false_positives: Noise and false positive can be seen if the following instant + messaging is allowed to use within corporate network. In this case, a filter is + needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: 
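Review bot: `""*textbin*""` in the `IN (...)` list of `search` is mis-quoted and the reflow carries it over unchanged; inside the single-quoted YAML scalar it reaches SPL as two empty strings around an unquoted `*textbin*`, so that entry does not match the way the other five do. It should be `"*textbin*"`. While touching this file, `known_false_positives` is hard to parse; suggest: "Noise and false positives can be expected if the listed instant-messaging or paste services are permitted on the corporate network; add a filter in that case."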
@@ -19,45 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a network connection on known abused web services from $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - NjRAT - CISA AA24-241A asset_type: Endpoint - confidence: 60 - impact: 60 - message: a network connection on known abused web services from $dest$ mitre_attack_id: - T1102 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Image - - QueryName - - QueryStatus - - process_name - - QueryResults - - Computer security_domain: endpoint tests: - 
name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 4e8d4ab1ba..9f00ab5ca2 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml 
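Review bot: `rba.message` says "a network connection on known abused web services", but the analytic fires on Sysmon Event ID 22 DNS queries, not on connections, and it starts with a lowercase letter unlike the other files; suggest "A DNS query to a known abused web service ($QueryName$) by $process_name$ on $dest$", since `QueryName` and `process_name` are both in the `by` clause. The score of 36 matches the removed confidence 60 x impact 60, so the risk weighting is unchanged.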
@@ -1,16 +1,31 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 -version: 5 -date: '2024-11-28' +version: 10 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information. +description: The following analytic detects a process enabling the "SeDebugPrivilege" + privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering + out common legitimate processes. This activity is significant because SeDebugPrivilege + allows a process to inspect and modify the memory of other processes, potentially + leading to credential dumping or code injection. If confirmed malicious, an attacker + could gain extensive control over system processes, enabling them to escalate privileges, + persist in the environment, or access sensitive information. 
data_source: - Windows Event Log Security 4703 -search: '`wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*" AND NOT(ProcessName IN ("*\\Program File*", "*\\System32\\lsass.exe*", "*\\SysWOW64\\lsass.exe*", "*\\SysWOW64\\svchost.exe*", "*\\System32\\svchost.exe*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required. -known_false_positives: Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed. +search: '`wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*" + AND NOT(ProcessName IN ("*\\Program File*", "*\\System32\\lsass.exe*", "*\\SysWOW64\\lsass.exe*", + "*\\SysWOW64\\svchost.exe*", "*\\System32\\svchost.exe*")) | stats count min(_time) + as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName + SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList + action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_access_token_manipulation_sedebugprivilege_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also + required. +known_false_positives: Some native binaries and browser applications may request SeDebugPrivilege. + Filter as needed. 
references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703 - https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113 
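Review bot: `version` jumps from 5 to 10 in one hunk while every other file in this patch increments by one; if that reflects merged parallel edits it should be called out in the commit, otherwise bump to 6. Separately, the `NOT(ProcessName IN ("*\\Program File*", ...))` clause excludes everything under both Program Files directories, which is a wide allowlist for an Anomaly rule; it would help tuners to state in `known_false_positives` that these paths and the lsass/svchost system binaries are already excluded, so they do not stack further filters on top without knowing.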
@@ -23,46 +38,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $ProcessName$ adjust its privileges with SeDebugPrivilege on + $Computer$. + risk_objects: + - field: Computer + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Brute Ratel C4 + - PlugX - AsyncRAT - - DarkGate Malware - CISA AA23-347A - - PlugX + - WinDealer RAT - ValleyRAT + - Derusbi + - Nexus APT Threat Activity + - DarkGate Malware - Meduza Stealer + - Earth Estries asset_type: Endpoint - confidence: 60 - impact: 60 - message: A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$. 
mitre_attack_id: - T1134.002 - T1134 - observable: - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ProcessName - - Security_ID - - action - - result - - Process_ID - - Message - - member_dn - - ComputerName - - user - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test @@ -70,4 +82,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml index 47ccaee603..4dbd423a92 100644 --- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml +++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml 
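Review bot: `threat_objects: []` leaves the acting process out of the risk event even though `ProcessName` is in the `by` clause and is the actor here; the other rules in this patch attach the process as a threat object, so consider `- field: ProcessName` / `type: process_name`. The message should also read "$ProcessName$ adjusts its privileges" (not "adjust"). For the second hunk, `update_timestamp: true` is dropped from the test; confirm the harness still lands the replayed `security-xml.log` events inside the search window without it, since the same removal is repeated in the following files.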
@@ -1,16 +1,31 @@ name: Windows Access Token Manipulation Winlogon Duplicate Token Handle id: dda126d7-1d99-4f0b-b72a-4c14031f9398 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information. +description: The following analytic detects a process attempting to access winlogon.exe + to duplicate its handle. This is identified using Sysmon EventCode 10, focusing + on processes targeting winlogon.exe with specific access rights. This activity is + significant because it is a common technique used by adversaries to escalate privileges + by leveraging the high privileges and security tokens associated with winlogon.exe. + If confirmed malicious, this could allow an attacker to gain elevated privileges, + potentially leading to full system compromise and unauthorized access to sensitive + information. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: It is possible legitimate applications will request access to winlogon, filter as needed. +search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") + GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime + by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId + GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records process activity from your hosts to populate the endpoint data model + in the processes node. If you are using Sysmon, you must have at least version 6.0.4 + of the Sysmon TA. +known_false_positives: It is possible legitimate applications will request access + to winlogon, filter as needed. references: - https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle - https://attack.mitre.org/techniques/T1134/001/ 
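Review bot: `how_to_implement` still describes populating the Endpoint data model's Processes node, but the `search` queries the `sysmon` macro directly with EventCode 10 (process access) and never touches a data model; update the text to say Sysmon Event ID 10 must be ingested through the Sysmon TA (the 6.0.4 minimum can stay) with the `sysmon` macro pointed at the right index and sourcetype. The reflowed `search` itself folds cleanly; every line break falls between tokens.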
@@ -18,43 +33,18 @@ tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 60 - impact: 60 - message: A process $SourceImage$ is duplicating the handle token of winlogon.exe in $dest$ mitre_attack_id: - T1134.001 - T1134 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: SourceImage - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - SourceProcessGUID - - TargetProcessGUID - - SourceProcessId - - TargetProcessId - - GrantedAccess - - CallTrace - - dest - - user_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml index f456343e17..b3cc876fb9 100644 --- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml +++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml 
@@ -1,16 +1,32 @@ name: Windows Access Token Winlogon Duplicate Handle In Uncommon Path id: b8f7ed6b-0556-4c84-bffd-839c262b0278 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host. +description: The following analytic detects a process attempting to duplicate the + handle of winlogon.exe from an uncommon or public source path. This is identified + using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific + access rights and excluding common system paths. This activity is significant because + it may indicate an adversary trying to escalate privileges by leveraging the high-privilege + tokens associated with winlogon.exe. If confirmed malicious, this could allow the + attacker to gain elevated access, potentially leading to full system compromise + and persistent control over the affected host. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: It is possible legitimate applications will request access to winlogon, filter as needed. +search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") + AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program + File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as + lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID + SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records process activity from your hosts to populate the endpoint data model + in the processes node. If you are using Sysmon, you must have at least version 6.0.4 + of the Sysmon TA. +known_false_positives: It is possible legitimate applications will request access + to winlogon, filter as needed. 
references: - https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle - https://attack.mitre.org/techniques/T1134/001/ 
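Review bot: same documentation mismatch as in the previous file: `how_to_implement` talks about the Endpoint data model Processes node while the `search` uses the `sysmon` macro with EventCode 10 directly. Also, the `"%systemroot%\\*"` entry in the `SourceImage` exclusion never matches because Sysmon records resolved paths rather than environment variables; it can be dropped, as `"C:\\Windows\\*"` already covers the same location. Minor: `rename Computer as dest|` is missing the space before the pipe.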
@@ -20,50 +36,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $SourceImage$ is duplicating the handle token of winlogon.exe + on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: SourceImage + type: process_name tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 70 - impact: 70 - message: A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$ mitre_attack_id: - T1134.001 - T1134 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: SourceImage - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - SourceProcessGUID - - TargetProcessGUID - - 
SourceProcessId - - TargetProcessId - - GrantedAccess - - CallTrace - - dest - - user_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml new file mode 100644 index 0000000000..709d34b600 --- /dev/null +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml 
@@ -0,0 +1,59 @@ +name: Windows Account Access Removal via Logoff Exec +id: 223572ab-8768-4e20-9b39-c38707af80dc +version: 1 +date: '2024-12-17' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon EventID 1 +type: Anomaly +status: production +description: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = logoff.exe + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_account_access_removal_via_logoff_exec_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may use this command. 
+references: +- https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Process having child process [$process_name$] used to logoff user on [$dest$]. + risk_objects: + - field: dest + type: system + score: 36 + - field: user + type: user + score: 36 + threat_objects: [] +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1531 + - T1059.001 + - T1059 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_logoff.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml index b34524f65f..501c9abd55 100644 --- a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml 
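Review bot: `how_to_implement` is copied from a PowerShell 4104 analytic and does not describe this rule: `data_source` is Sysmon EventID 1, `type` is Anomaly (not Hunting), and the `search` runs against `Endpoint.Processes`, so the text should say that process telemetry (EDR or Sysmon) must populate the Endpoint data model. Related: `description` says the rule watches for both `quser` and `logoff`, but the search only matches `Processes.process_name = logoff.exe`; either add quser.exe to the match or narrow the description. The `T1059.001`/`T1059` tags look inherited from the same PowerShell template, since nothing in the search is PowerShell-specific, and `T1531` alone fits what is detected. Finally, "Process having child process [$process_name$] used to logoff user on [$dest$]" is awkward; `parent_process_name` is in the `by` clause, so suggest "$parent_process_name$ spawned $process_name$ to log off a user session on $dest$".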
+++ b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml 
@@ -1,16 +1,30 @@ name: Windows Account Discovery for None Disable User Account id: eddbf5ba-b89e-47ca-995e-2d259804e55e -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. 
+description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating + an attempt to enumerate Active Directory user accounts that are not disabled. This + detection leverages PowerShell Script Block Logging (EventCode 4104) to identify + the specific script block text. Monitoring this activity is significant as it may + indicate reconnaissance efforts by an attacker to identify active user accounts + for further exploitation. If confirmed malicious, this activity could lead to unauthorized + access, privilege escalation, or lateral movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText + = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, + UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_account_discovery_for_none_disable_user_account_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - https://powersploit.readthedocs.io/en/stable/Recon/README/ 
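Review bot: the `how_to_implement` link ends in `.=` (`...#Configure_module_logging_for_PowerShell.=`), stray punctuation carried over from the old line that breaks the fragment anchor; it should end at `_PowerShell`. The rest of the reflow is consistent with the other files: the three `ScriptBlockText` terms in `search` are split only between clauses, so the folded scalar is unchanged.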
@@ -20,32 +34,18 @@ tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$. mitre_attack_id: - T1087 - T1087.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml index cec3944cd2..13e239cb64 100644 --- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml +++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml 
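Review bot: This hunk removes `confidence`, `impact`, `message`, `observable`, `risk_score` and `required_fields` without adding an `rba` block, unlike the Anomaly and TTP detections in this patch. That is consistent with `type: Hunting` not generating risk events, but the PR description should state that Hunting detections intentionally carry no `rba`, otherwise the dropped `message` text looks like an accidental loss.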
@@ -1,16 +1,30 @@ name: Windows Account Discovery for Sam Account Name id: 69934363-e1dd-4c49-8651-9d7663dd4d2f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for "samaccountname" and "pwdlastset" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetUser, specifically querying for "samaccountname" and "pwdlastset" + attributes. 
It leverages Event ID 4104 from PowerShell Script Block Logging to identify + this activity. This behavior is significant as it may indicate an attempt to gather + user account information from Active Directory, which is a common reconnaissance + step in lateral movement or privilege escalation attacks. If confirmed malicious, + this activity could allow an attacker to map out user accounts, potentially leading + to further exploitation and unauthorized access within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText + IN ("*samaccountname*", "*pwdlastset*") | rename Computer as dest, UserID as user + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_account_discovery_for_sam_account_name_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: 
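Review bot: The reflowed description says the analytic detects Get-NetUser "specifically querying for samaccountname and pwdlastset attributes", but the search uses `ScriptBlockText IN ("*samaccountname*", "*pwdlastset*")`, which matches either attribute on its own. While the description is being rewritten, say "samaccountname or pwdlastset" so the documented scope matches the search, and note in `known_false_positives` that any Get-NetUser call that merely selects one of these properties will also match.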
@@ -19,38 +33,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Account Discovery for Sam Account Name on $dest$. + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: Windows Account Discovery for Sam Account Name on $dest$. 
mitre_attack_id: - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml index 17c069bc3a..27a5351a7d 100644 --- a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml +++ b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml 
@@ -1,47 +1,46 @@ name: Windows Account Discovery With NetUser PreauthNotRequire id: cf056b65-44b2-4d32-9172-d6b6f081a376 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. + This method identifies attempts to query Active Directory user accounts that do + not require Kerberos preauthentication. 
Monitoring this activity is crucial as it + can indicate reconnaissance efforts by an attacker to identify potentially vulnerable + accounts. If confirmed malicious, this behavior could lead to further exploitation, + such as unauthorized access or privilege escalation within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText + = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_account_discovery_with_netuser_preauthnotrequire_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$. 
mitre_attack_id: - T1087 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index 3bbe348601..d950358d37 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml 
@@ -1,16 +1,33 @@ name: Windows AD Abnormal Object Access Activity id: 71b289db-5f2c-4c43-8256-8bf26ae7324a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment. +description: The following analytic identifies a statistically significant increase + in access to Active Directory objects, which may indicate attacker enumeration. + It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, + comparing them against historical averages to detect anomalies. This activity is + significant for a SOC because abnormal access to AD objects can be an early indicator + of reconnaissance efforts by an attacker. If confirmed malicious, this behavior + could lead to unauthorized access, privilege escalation, or further compromise of + the Active Directory environment. 
data_source: - Windows Event Log Security 4662 -search: '`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. -known_false_positives: Service accounts or applications that routinely query Active Directory for information. +search: '`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) + AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, + latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) + AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), + user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`' +how_to_implement: Enable Audit Directory Service Access via GPO and collect event + code 4662. The required SACLs need to be created for the relevant objects. Be aware + Splunk filters this event by default on the Windows TA. Recommend pre-filtering + any known service accounts that frequently query AD to make detection more accurate. 
+ Setting wide search window of 48~72hr may smooth out misfires. +known_false_positives: Service accounts or applications that routinely query Active + Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 
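Review bot: The reflowed description still claims the search compares access patterns "against historical averages", but the search computes `eventstats avg(ObjectName_count) ... stdev(ObjectName_count)` across the `SubjectUserName` rows of the same search window, so the baseline is the peer population in the current window, not history. Adjust the description to say "comparing each account against the other accounts in the search window", and tidy the `how_to_implement` sentence to "Setting a wide search window of 48 to 72 hours may smooth out misfires."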
@@ -21,41 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The account $user$ accessed an abnormal amount ($ObjectName_count$) of + [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$. + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery - BlackSuit Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$. 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectName - - EventCode - - SubjectUserName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml index 7278ed7266..87740e631d 100644 --- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml +++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml 
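Review bot: This hunk also deletes `update_timestamp: true` from the test's `attack_data`, which is unrelated to the rba migration and changes how the 4662 dataset is replayed; for a threshold detection that depends on the distribution of events inside one search window, please confirm the True Positive Test still fires without it, or keep the flag. The removed `required_fields` list also contained `EventCode` twice, so nothing of value is lost there.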
@@ -1,16 +1,55 @@ name: Windows AD AdminSDHolder ACL Modified id: 00d877c3-7b7b-443d-9562-6b231e2abab9 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Dean Luxton, Splunk type: TTP status: production data_source: - Windows Event Log Security 5136 -description: The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment. -search: '`wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="CN=AdminSDHolder,CN=System*" | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P.*?)\)" | rex field=new_value max_match=10000 "\((?P.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$" | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value 
``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUTNEW builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",''aceControlAccessRights'') | search NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP) | `windows_ad_adminsdholder_acl_modified_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications. -known_false_positives: Adding new users or groups to the AdminSDHolder ACL is not usual. 
Filter as needed +description: The following analytic detects modifications to the Access Control List + (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition + of new rules. It leverages EventCode 5136 from the Security Event Log, focusing + on changes to the nTSecurityDescriptor attribute. This activity is significant because + the AdminSDHolder object secures privileged group members, and unauthorized changes + can allow attackers to establish persistence and escalate privileges. If confirmed + malicious, this could enable an attacker to control domain-level permissions, compromising + the entire Active Directory environment. +search: "`wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN=\"CN=AdminSDHolder,CN=System*\"\ + \ | stats min(_time) as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) + as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as + new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID + src_user SubjectLogonId | rex field=old_value max_match=10000 \"\\((?P.*?)\\\ + )\" | rex field=new_value max_match=10000 \"\\((?P.*?)\\)\" | mvexpand + new_ace | where NOT new_ace IN (old_values) | rex field=new_ace \"(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?);(?P.*?)$\"\ + \ | rex max_match=100 field=aceAccessRights \"(?P[A-Z]{2})\" | rex + max_match=100 field=aceFlags \"(?P[A-Z]{2})\" | lookup msad_guid_lookup + guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup + access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup + ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string + as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups + | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName + as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group``` | lookup + 
builtin_groups_lookup builtin_group_string as aceSid OUTPUTNEW builtin_group_name + as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,\"\ + This object only\"), aceAccessRights=if(aceAccessRights=\"CCDCLCSWRPWPDTLOCRSDRCWDWO\"\ + ,\"Full control\",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), + user=coalesce(user, group, builtin_group, aceSid) | stats min(_time) as _time values(aceType) + as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) + as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) + as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user + user | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights=\"\ + \",\"All rights\",'aceControlAccessRights') | search NOT aceType IN (*denied*,D,OD,XD) + AND aceAccessRights IN (\"Full control\",\"All extended rights\",\"All validated + writes\",\"Create all child objects\",\"Delete all child objects\",\"Delete subtree\"\ + ,\"Delete\",\"Modify permissions\",\"Modify owner\",\"Write all properties\",CC,CR,DC,DT,SD,SW,WD,WO,WP) + | `windows_ad_adminsdholder_acl_modified_filter`" +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for the AdminSDHolder object in order to log modifications. +known_false_positives: Adding new users or groups to the AdminSDHolder ACL is not + usual. 
Filter as needed references: - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory - https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx 
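Review bot: The switch from a single-quoted to a double-quoted YAML scalar with `\"` and `\\` escapes is the riskiest part of this hunk: in this rendering the `rex` named groups appear as `(?P.*?)` with no group name, which is not valid PCRE, so please verify the parsed `search` value still contains the `<name>` parts (`<new_ace>`, `<aceType>`, `<aceFlags>`, `<aceAccessRights>`, `<aceObjectGuid>`, `<aceSid>`, as implied by the later `rex field=` and `lookup ... as` references) and that the old `''aceControlAccessRights''` now reaches Splunk as `'aceControlAccessRights'`. While the `how_to_implement` and `known_false_positives` lines are being rewritten, fix "you ned to be ingesting" to "you need to be ingesting" and end "Filter as needed" with a period.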
@@ -26,45 +65,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The AdminSDHolder domain object $ObjectDN$ has been modified by $src_user$ + risk_objects: + - field: user + type: user + score: 56 + - field: src_user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 70 - impact: 80 - message: The AdminSDHolder domain object $ObjectDN$ has been modified by $src_user$ mitre_attack_id: - T1546 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - AttributeLDAPDisplayName - - OperationType - - ObjectDN - - Computer - - 
SubjectUserName - - AttributeValue - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml index e3552e7579..d84075b5e2 100644 --- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml @@ -1,7 +1,7 @@ name: Windows AD Cross Domain SID History Addition id: 41bbb371-28ba-439c-bb5c-d9930c28365d -version: '4' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
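Review bot: The new `rba` block lists both `user` and `src_user` as `risk_objects` with `score: 56` and leaves `threat_objects: []`, so the removed distinction between `src_user` (role Attacker) and `user` (role Victim) is lost even though the message reads "modified by $src_user$". Consider whether `src_user` belongs under `threat_objects` rather than as a second risk object, or document why both are scored. Also note the version goes from 4 to 6 here while the other files in this patch bump by one; if there is no intermediate version 5, use 5.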
@@ -45,44 +45,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Active Directory SID History Attribute was added to $user$ by $src_user$ + risk_objects: + - field: src_user + type: user + score: 80 + - field: user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 100 - message: Active Directory SID History Attribute was added to $user$ by $src_user$ mitre_attack_id: - T1134.005 - T1134 - observable: - - name: src_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - SidHistory - - TargetSid - - TargetDomainName - - user - - src_user - - Logon_ID - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml index a14826df9b..58f2fc2bf5 100644 --- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml +++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml 
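Review bot: Same question as for AdminSDHolder: the message says the SID History attribute "was added to $user$ by $src_user$", so `src_user` is the actor, yet it is scored as a risk object with the same `score: 80` as the target account and `threat_objects` is empty. Decide whether the acting account should be a threat object, and keep the choice consistent across the two files. The header hunk for this file also jumps `version: '4'` to `version: 6` and uses `date: '2024-12-10'` while the rest of the patch uses `2024-11-13`; confirm both are intended.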
@@ -1,15 +1,32 @@ name: Windows AD Domain Controller Audit Policy Disabled id: fc3ccef1-60a4-4239-bd66-b279511b4d14 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4719 -description: The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change. -search: '`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure removed")) dest_category="domain_controller"| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure removed" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`' -how_to_implement: Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search. 
+description: The following analytic detects the disabling of audit policies on a domain + controller. It leverages EventCode 4719 from Windows Security Event Logs to identify + changes where success or failure auditing is removed. This activity is significant + as it suggests an attacker may have gained access to the domain controller and is + attempting to evade detection by tampering with audit policies. If confirmed malicious, + this could lead to severe consequences, including data theft, privilege escalation, + and full network compromise. Immediate investigation is required to determine the + source and intent of the change. +search: '`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, + %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure + removed")) dest_category="domain_controller"| replace "%%8448" with "Success removed", + "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure + removed" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), + SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as + _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids + GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`' +how_to_implement: Ensure you are ingesting EventCode `4719` from your domain controllers, + the category domain_controller exists in assets and identities, and that assets + and identities is enabled. If A&I is not configured, you will need to manually filter + the results within the base search. known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 
@@ -19,38 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: GPO $SubCategory$ of $Category$ was disabled on $dest$ + risk_objects: + - field: dest + type: system + score: 60 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 60 - impact: 100 - message: GPO $SubCategory$ of $Category$ was disabled on $dest$ mitre_attack_id: - T1562.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - AuditPolicyChanges - - SubcategoryGuid - risk_score: 60 security_domain: endpoint - manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested + manual_test: This 
search uses a lookup provided by Enterprise Security and needs + to be manually tested tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml index ab8f1853db..e24eb768b5 100644 --- a/detections/endpoint/windows_ad_domain_controller_promotion.yml +++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml @@ -1,7 +1,7 @@ name: Windows AD Domain Controller Promotion id: e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
@@ -46,38 +46,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: AD Domain Controller Promotion Event Detected for $dest$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 80 - message: AD Domain Controller Promotion Event Detected for $dest$ mitre_attack_id: - T1207 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ServicePrincipalNames - - src_user - - user - - Logon_ID - - dvc - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml index 2aa2cf45fe..a303064df9 100644 --- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml +++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml @@ -1,7 +1,7 @@ name: Windows AD Domain Replication ACL Addition id: 8c372853-f459-4995-afdc-280c114d33ab -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
@@ -73,43 +73,34 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_user$ has granted $user$ permission to replicate AD objects + risk_objects: + - field: user + type: user + score: 80 + - field: src_user + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 100 - message: $src_user$ has granted $user$ permission to replicate AD objects mitre_attack_id: - T1484 - observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OperationType - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - risk_score: 80 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml index 2bd28e3e49..47a929e7b3 100644 --- a/detections/endpoint/windows_ad_dsrm_account_changes.yml +++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml 
@@ -1,16 +1,40 @@ name: Windows AD DSRM Account Changes id: 08cb291e-ea77-48e8-a95a-0799319bf056 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Dean Luxton type: TTP status: production data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -description: The following analytic identifies changes to the Directory Services Restore Mode (DSRM) account behavior via registry modifications. It detects alterations in the registry path "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" with specific values indicating potential misuse. This activity is significant because the DSRM account, if misconfigured, can be exploited to persist within a domain, similar to a local administrator account. If confirmed malicious, an attacker could gain persistent administrative access to a Domain Controller, leading to potential domain-wide compromise and unauthorized access to sensitive information. -search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and 
Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +description: The following analytic identifies changes to the Directory Services Restore + Mode (DSRM) account behavior via registry modifications. It detects alterations + in the registry path "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" + with specific values indicating potential misuse. This activity is significant because + the DSRM account, if misconfigured, can be exploited to persist within a domain, + similar to a local administrator account. If confirmed malicious, an attacker could + gain persistent administrative access to a Domain Controller, leading to potential + domain-wide compromise and unauthorized access to sensitive information. 
+search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry + where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" + Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path + Registry.registry_value_data Registry.registry_value_type Registry.process_guid + Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer + process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] + | table _time action dest user parent_process_name parent_process process_name process + process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Disaster recovery events. references: - https://adsecurity.org/?p=1714 
@@ -20,44 +44,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: DSRM Account Changes Initiated on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks - Windows Registry Abuse - Windows Persistence Techniques asset_type: Endpoint - confidence: 100 - impact: 100 - message: DSRM Account Changes Initiated on $dest$ by $user$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_value_data - - Registry.registry_path 
- - Registry.dest - - Registry.user - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml index 377174fb96..6544238451 100644 --- a/detections/endpoint/windows_ad_dsrm_password_reset.yml +++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml 
@@ -1,16 +1,29 @@ name: Windows AD DSRM Password Reset id: d1ab841c-36a6-46cf-b50f-b2b04b31182a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4794 -description: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security. -search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled. -known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately. +description: The following analytic detects attempts to reset the Directory Services + Restore Mode (DSRM) administrator password on a Domain Controller. It leverages + event code 4794 from the Windows Security Event Log, specifically looking for events + where the DSRM password reset is attempted. 
This activity is significant because + the DSRM account can be used similarly to a local administrator account, providing + potential persistence for an attacker. If confirmed malicious, this could allow + an attacker to maintain administrative access to the Domain Controller, posing a + severe risk to the domain's security. +search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change + where All_Changes.result_id="4794" AND All_Changes.result="set the Directory Services + Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, + All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + eventcode `4794` and have the Advanced Security Audit policy `Audit User Account + Management` within `Account Management` enabled. +known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot + the password. Disaster recovery. Deploying AD backdoor deliberately. references: - https://adsecurity.org/?p=1714 drilldown_searches: 
@@ -19,44 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: DSRM Account Password was reset on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: DSRM Account Password was reset on $dest$ by $user$ mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Changes.result_id - - All_Changes.result - - All_Changes.action - - All_Changes.dest - - All_Changes.src - - 
All_Changes.user - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml index 628806ad58..b27e21cabe 100644 --- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml @@ -1,7 +1,7 @@ name: Windows AD Privileged Account SID History Addition id: 6b521149-b91c-43aa-ba97-c2cac59ec830 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
@@ -43,43 +43,33 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Privileged User Account SID History Attribute was added to $userSid$ + by $src_user$ + risk_objects: + - field: src_user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 90 - impact: 100 - message: A Privileged User Account SID History Attribute was added to $userSid$ - by $src_user$ mitre_attack_id: - T1134.005 - T1134 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - SidHistory - - TargetSid - - TargetDomainName - - user - - src_user - - Logon_ID - risk_score: 90 security_domain: endpoint manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index b6c78f36bf..022e799c23 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml 
@@ -1,16 +1,38 @@ name: Windows AD Privileged Object Access Activity id: dc2f58bc-8cd2-4e51-962a-694b963acde0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources. +description: The following analytic detects access attempts to privileged Active Directory + objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security + Event Code 4662 to identify when these sensitive objects are accessed. This activity + is significant because such objects should rarely be accessed by normal users or + processes, and unauthorized access attempts may indicate attacker enumeration or + lateral movement within the domain. If confirmed malicious, this activity could + allow attackers to escalate privileges, persist in the environment, or gain control + over critical domain resources. 
data_source: - Windows Event Log Security 4662 -search: '`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", "CN=Organization Management,*") | rex field=ObjectName "CN\=(?[^,]+)" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. -known_false_positives: Service accounts or applications that routinely query Active Directory for information. 
+search: '`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", + "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate + Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise + Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator + Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", + "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", + "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server + Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", + "CN=Organization Management,*") | rex field=ObjectName "CN\=(?[^,]+)" + | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) + as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName + | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_ad_privileged_object_access_activity_filter`' +how_to_implement: Enable Audit Directory Service Access via GPO and collect event + code 4662. The required SACLs need to be created for the relevant objects. Be aware + Splunk filters this event by default on the Windows TA. +known_false_positives: Service accounts or applications that routinely query Active + Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 
@@ -21,46 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The account $user$ accessed $object_count$ privileged AD object(s). + risk_objects: + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Active Directory Discovery - BlackSuit Ransomware asset_type: Endpoint - confidence: 50 - impact: 80 - message: The account $user$ accessed $object_count$ privileged AD object(s). 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: user - type: User - role: - - Victim - - name: object_name - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectName - - EventCode - - Computer - - SubjectUserName - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml index b1d3e842f0..559582d368 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml @@ -1,7 +1,7 @@ name: Windows AD Replication Request Initiated by User Account id: 51307514-1236-49f6-8686-d46d93cc2821 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
@@ -55,53 +55,34 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Active Directory Replication Request Initiated by User Account + $user$ at $src_ip$ + risk_objects: + - field: user + type: user + score: 100 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 100 - message: Windows Active Directory Replication Request Initiated by User Account - $user$ at $src_ip$ mitre_attack_id: - T1003.006 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectType - - Properties - - AccessMask - - SubjectDomainName - - SubjectUserName - - SubjectUserSid - - Computer - - Logon_ID - - ObjectName - - ObjectServer - - ObjectType - - OperationType - - status - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml index f3c177a0d5..1d6a7be15c 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml 
@@ -1,7 +1,7 @@ name: Windows AD Replication Request Initiated from Unsanctioned Location id: 50998483-bb15-457b-a870-965080d9e3d3 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Dean Luxton type: TTP status: production @@ -59,55 +59,36 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Active Directory Replication Request Initiated from Unsanctioned + Location $src_ip$ by $user$ + risk_objects: + - field: user + type: user + score: 100 + threat_objects: + - field: src_ip + type: ip_address tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 100 - message: Windows Active Directory Replication Request Initiated from Unsanctioned - Location $src_ip$ by $user$ mitre_attack_id: - T1003.006 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: src_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectType - - Properties - - AccessMask - - SubjectDomainName - - SubjectUserName - - SubjectUserSid - - Computer - - Logon_ID - - ObjectName - - ObjectServer - - ObjectType - - OperationType - - status - risk_score: 100 security_domain: endpoint manual_test: This detection runs correctly when run manually and given some time is given for data to settle in the splunk index. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml index 029a5249a5..00764a6d79 100644 --- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml @@ -1,7 +1,7 @@ name: Windows AD Same Domain SID History Addition id: 5fde0b7c-df7a-40b1-9b3a-294c00f0289d -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
@@ -45,45 +45,34 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Active Directory SID History Attribute was added to $user$ by $src_user$ + risk_objects: + - field: src_user + type: user + score: 100 + - field: user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Windows Persistence Techniques - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: Active Directory SID History Attribute was added to $user$ by $src_user$ mitre_attack_id: - T1134.005 - T1134 - observable: - - name: src_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - SidHistory - - TargetSid - - TargetDomainName - - user - - src_user - - Logon_ID - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml index 33fcf5b2f0..8178c2a2b3 100644 --- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml +++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml 
@@ -1,7 +1,7 @@ name: Windows AD ServicePrincipalName Added To Domain Account id: 8a1259cb-0ea7-409c-8bfe-74bad89259f9 -version: 5 -date: '2024-10-16' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production @@ -15,11 +15,11 @@ description: The following analytic detects the addition of a Service Principal allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment. search: >- - `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" ObjectClass=user + `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName + OperationType="%%14674" ObjectClass=user | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rex field=ObjectDN "^CN=(?P[a-zA-Z0-9!#$%&'@^_{}~.-]+)," - | rename Computer as dest, SubjectUserName as src_user - | `windows_ad_serviceprincipalname_added_to_domain_account_filter` + | rename Computer as dest, SubjectUserName as src_user | `windows_ad_serviceprincipalname_added_to_domain_account_filter` how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created 
@@ -38,43 +38,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$ObjectDN$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ObjectDN$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ObjectDN$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Servince Principal Name for $ObjectDN$ was set by $user$ + risk_objects: + - field: user + type: user + score: 30 + - field: src_user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 50 - impact: 60 - message: A Servince Principal Name for $ObjectDN$ was set by $user$ mitre_attack_id: - T1098 - observable: - - name: src_user - type: User - role: - - Attacker - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectDN - - signature - - SubjectUserName - - Computer - risk_score: 30 security_domain: endpoint tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml index 4e50edd550..ab66bb479f 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml 
@@ -1,16 +1,31 @@ name: Windows AD Short Lived Domain Account ServicePrincipalName id: b681977c-d90c-4efc-81a5-c58f945fb541 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 5136 -description: The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment. -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -known_false_positives: A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed. 
+description: The following analytic identifies the addition and quick deletion of + a Service Principal Name (SPN) to a domain account within 5 minutes. This detection + leverages EventCode 5136 from the Windows Security Event Log, focusing on changes + to the servicePrincipalName attribute. This activity is significant as it may indicate + an attempt to perform Kerberoasting, a technique used to crack the cleartext password + of a domain account offline. If confirmed malicious, this could allow an attacker + to gain unauthorized access to sensitive information or escalate privileges within + the domain environment. +search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName + | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") + endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") + | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`' +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for AD objects in order to ingest attribute modifications. +known_false_positives: A Service Principal Name should only be added to an account + when an application requires it. Adding an SPN and quickly deleting it is less common + but may be part of legitimate action. Filter as needed. references: - https://adsecurity.org/?p=3466 - https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting 
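Review bot: the rewrapped `how_to_implement` in windows_ad_short_lived_domain_account_serviceprincipalname.yml still carries the typo "you ned to be ingesting eventcode `5136`"; since the line is being rewritten anyway, make it "you need to be ingesting" (the same typo is reflowed unchanged in windows_ad_sid_history_attribute_modified.yml and sits in the context lines of windows_ad_serviceprincipalname_added_to_domain_account.yml). Separately, `| rename ObjectDN as user` in the reflowed search makes the `user` field, which the new `rba` block later scores as a `user` risk object, a full distinguished name (`CN=...,OU=...,DC=...`) rather than an account name, so it will not line up with identity assets in the risk framework; the sibling windows_ad_serviceprincipalname_added_to_domain_account.yml already extracts the CN from `ObjectDN` with a `rex`, and the same approach fits here.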
@@ -22,39 +37,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Servince Principal Name for $user$ was set and shortly deleted + risk_objects: + - field: user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 50 - message: A Servince Principal Name for $user$ was set and shortly deleted mitre_attack_id: - T1098 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectDN - - signature - - SubjectUserName - - Computer - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml index aac071f22f..35c57cdcaa 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml @@ -1,7 +1,7 @@ name: Windows AD Short Lived Domain Controller SPN Attribute id: 57e27f27-369c-4df8-af08-e8c7ee8373d4 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Dean Luxton type: TTP status: production 
@@ -52,41 +52,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$ + risk_objects: + - field: src_user + type: user + score: 100 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$ mitre_attack_id: - T1207 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - AttributeLDAPDisplayName - - AttributeValue - - src_nt_domain - - src_user - - Computer - - ObjectDN - - Logon_ID - - signature - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml index 4f8615a444..e6e6c0b674 100644 --- a/detections/endpoint/windows_ad_short_lived_server_object.yml +++ b/detections/endpoint/windows_ad_short_lived_server_object.yml @@ -1,7 +1,7 @@ name: Windows AD Short Lived Server Object id: 193769d3-1e33-43a9-970e-ad4a88256cdb -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Mauricio Velazco, Splunk type: TTP status: production 
@@ -47,41 +47,32 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A short-lived server object was created and deleted on $Computer$ + risk_objects: + - field: Computer + type: system + score: 64 + - field: SubjectUserName + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 80 - impact: 80 - message: Potential DCShadow Attack Detected on $Computer$ mitre_attack_id: - T1207 - observable: - - name: SubjectUserName - type: User - role: - - Attacker - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ObjectDN - - signature - - SubjectUserName - - Computer - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml index 429e177649..55ba1e1045 100644 --- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml +++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml 
@@ -1,16 +1,29 @@ name: Windows AD SID History Attribute Modified id: 1155e47d-307f-4247-beab-71071e3a458c -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 5136 -description: The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk. -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -known_false_positives: Domain mergers and migrations may generate large volumes of false positives for this analytic. +description: The following analytic detects modifications to the SID History attribute + in Active Directory by leveraging event code 5136. This detection uses logs from + the `wineventlog_security` data source to identify changes to the sIDHistory attribute. 
+ Monitoring this activity is crucial as the SID History attribute can be exploited + by adversaries to inherit permissions from other accounts, potentially granting + unauthorized access. If confirmed malicious, this activity could allow attackers + to maintain persistent access and escalate privileges within the domain, posing + a significant security risk. +search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory + OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, + SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`' +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for AD objects in order to ingest attribute modifications. +known_false_positives: Domain mergers and migrations may generate large volumes of + false positives for this analytic. references: - https://adsecurity.org/?p=1772 - https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN 
@@ -22,42 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on + $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 70 - impact: 80 - message: SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$ mitre_attack_id: - T1134 - T1134.005 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - AttributeLDAPDisplayName - - OperationType= - - ObjectDN - - Computer - - SubjectUserName - - AttributeValue - risk_score: 56 security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml index dca9fa917a..fc0560f8f3 100644 --- a/detections/endpoint/windows_adfind_exe.yml +++ b/detections/endpoint/windows_adfind_exe.yml 
@@ -1,18 +1,42 @@ name: Windows AdFind Exe id: bd3b0187-189b-46c0-be45-f52da2bae67f -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: Jose Hernandez, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies the execution of `adfind.exe` with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement. +description: The following analytic identifies the execution of `adfind.exe` with + specific command-line arguments related to Active Directory queries. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names, + command-line arguments, and parent processes. This activity is significant because + `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and + FIN6 to gather sensitive AD information. If confirmed malicious, this activity could + allow attackers to map the AD environment, facilitating further attacks such as + privilege escalation or lateral movement. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((Processes.process="* -f *" OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="*-gcb *" OR Processes.process="* -sc *" )) OR ((Processes.process="*trustdmp*" OR Processes.process="*dclist*")) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`| `windows_adfind_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where ((Processes.process="* -f *" + OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="*-gcb + *" OR Processes.process="* -sc *" )) OR ((Processes.process="*trustdmp*" OR Processes.process="*dclist*")) + by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`| + `windows_adfind_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: ADfind is a command-line tool for AD administration and management + that is seen to be leveraged by various adversaries. Filter out legitimate administrator + usage using the filter macro. references: - https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ - https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption 
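Review bot: the reflowed search in windows_adfind_exe.yml ends with the filter macro applied twice, `| \`windows_adfind_exe_filter\`| \`windows_adfind_exe_filter\``; the duplicate was already present in the removed line, but since the search is being rewritten here, drop the second occurrence (it does not change results, but it doubles the macro expansion and reads as a mistake).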
@@ -24,9 +48,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows AdFind Exe detected with command-line arguments associated with + Active Directory queries on machine - [dest] + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Domain Trust Discovery @@ -35,9 +72,6 @@ tags: - Graceful Wipe Out Attack - BlackSuit Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Windows AdFind Exe detected with command-line arguments associated with Active Directory queries on machine - [dest] atomic_guid: - 736b4f53-f400-4c22-855d-1a6b5a551600 - b95fd967-4e62-4109-b48d-265edfd28c3a 
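Review bot: the new `rba.message` in windows_adfind_exe.yml ends with "on machine - [dest]", which is literal text rather than the `$dest$` token, so the hostname is never substituted into the risk message; use `$dest$` as every other rba message in this change does. The search also groups by `Processes.dest`, so consider adding `dest` as a `system` risk object alongside `user` instead of scoring only the user.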
@@ -47,29 +81,15 @@ tags: - 51a98f96-0269-4e09-a10f-e307779a8b05 mitre_attack_id: - T1018 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_name - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25.0 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml index 4ede43d2ff..dd928372f2 100644 --- a/detections/endpoint/windows_admin_permission_discovery.yml +++ b/detections/endpoint/windows_admin_permission_discovery.yml 
@@ -1,16 +1,35 @@ name: Windows Admin Permission Discovery id: e08620cb-9488-4052-832d-97bcc0afd414 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 11 -description: The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
-known_false_positives: False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved. +description: The following analytic identifies the creation of a suspicious file named + 'win.dat' in the root directory (C:\). It leverages data from the Endpoint.Filesystem + datamodel to detect this activity. This behavior is significant as it is commonly + used by malware like NjRAT to check for administrative privileges on a compromised + host. If confirmed malicious, this activity could indicate that the malware has + administrative access, allowing it to perform high-privilege actions, potentially + leading to further system compromise and persistence. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", + "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", + "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id + Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user + | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, + "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive + = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count + = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + `windows_admin_permission_discovery_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
+known_false_positives: False positives may occur if there are legitimate accounts + with the privilege to drop files in the root of the C drive. It's recommended to + verify the legitimacy of such actions and the accounts involved. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: 
@@ -19,47 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file was created in root drive C:/ on host - $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - NjRAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: A file was created in root drive C:/ on host - $dest$ mitre_attack_id: - T1069.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Filesystem.file_path - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.user - - Filesystem.dest - - 
Filesystem.process_guid - - Filesystem.file_path security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml index 481e1aa230..dd898f8ddf 100644 --- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml +++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml 
@@ -1,17 +1,32 @@ name: Windows Administrative Shares Accessed On Multiple Hosts id: d92f2d95-05fb-48a7-910f-4d3d61ab8655 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 5140 - Windows Event Log Security 5145 -description: The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network. -search: '`wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled. -known_false_positives: An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. 
+description: The following analytic detects a source computer accessing Windows administrative + shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. + It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant + as it may indicate an adversary enumerating network shares to locate sensitive files, + a common tactic used by threat actors. If confirmed malicious, this activity could + lead to unauthorized access to critical data, lateral movement, and potential compromise + of multiple systems within the network. +search: '`wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" + OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats + dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) + as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets + > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + file share events. The Advanced Security Audit policy setting `Audit Detailed File + Share` or `Audit File Share` within `Object Access` need to be enabled. +known_false_positives: An single endpoint accessing windows administrative shares + across a large number of endpoints is not common behavior. Possible false positive + scenarios include but are not limited to vulnerability scanners, administration + systems and missconfigured systems. references: - https://attack.mitre.org/techniques/T1135/ - https://en.wikipedia.org/wiki/Administrative_share 
@@ -24,44 +39,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host_targets$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan + of 5 minutes. + risk_objects: + - field: host_targets + type: system + score: 56 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Privilege Escalation - Active Directory Lateral Movement asset_type: Endpoint - confidence: 80 - impact: 70 - message: $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes. 
mitre_attack_id: - T1135 - observable: - - name: host_targets - type: Endpoint - role: - - Victim - - name: IpAddress - type: Endpoint - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ShareName - - Computer - - IpAddress - - SubjectUserName - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml index 2f7c780133..dba80bbc1b 100644 --- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml 
@@ -1,16 +1,30 @@ name: Windows Admon Default Group Policy Object Modified id: 83458004-db60-4170-857d-8572f16f070b -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Windows Active Directory Admon -description: The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the "Default Domain Policy" and "Default Domain Controllers Policy." This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment. -search: '`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. +description: The following analytic detects modifications to the default Group Policy + Objects (GPOs) in an Active Directory environment. 
It leverages Splunk's Admon to + monitor updates to the "Default Domain Policy" and "Default Domain Controllers Policy." + This activity is significant because changes to these default GPOs can indicate + an adversary with privileged access attempting to gain further control, establish + persistence, or deploy malware across multiple hosts. If confirmed malicious, such + modifications could lead to widespread policy enforcement changes, unauthorized + access, and potential compromise of the entire domain environment. +search: '`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" + (displayName="Default Domain Policy" OR displayName="Default Domain Controllers + Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) + by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_admon_default_group_policy_object_modified_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring + Active Directory logs using Admon. Details can be found here + https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory +known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 
@@ -23,41 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dcName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A default domain group policy was updated on $dcName$ + risk_objects: + - field: dcName + type: system + score: 50 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 50 - impact: 100 - message: A default domain group policy was updated on $dcName$ mitre_attack_id: - T1484 - T1484.001 - observable: - - name: dcName - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - admonEventType - - objectCategory - - displayName - - gPCFileSysPath - - dcName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: 
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: ActiveDirectory sourcetype: ActiveDirectory diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml index bea6685566..83a1435afa 100644 --- a/detections/endpoint/windows_admon_group_policy_object_created.yml +++ b/detections/endpoint/windows_admon_group_policy_object_created.yml 
@@ -1,16 +1,28 @@ name: Windows Admon Group Policy Object Created id: 69201633-30d9-48ef-b1b6-e680805f0582 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Windows Active Directory Admon -description: The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default "New Group Policy Object" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security. -search: '`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed. +description: The following analytic detects the creation of a new Group Policy Object + (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, + excluding default "New Group Policy Object" entries. Monitoring GPO creation is + crucial as adversaries can exploit GPOs to escalate privileges or deploy malware + across an Active Directory network. 
If confirmed malicious, this activity could + allow attackers to control system configurations, deploy ransomware, or propagate + malware, significantly compromising the network's security. +search: '`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" + versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime + max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring + Active Directory logs using Admon. Details can be found here + https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory +known_false_positives: Group Policy Objects are created as part of regular administrative + operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 
@@ -23,41 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dcName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new group policy objected was created on $dcName$ + risk_objects: + - field: dcName + type: system + score: 50 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 50 - impact: 100 - message: A new group policy objected was created on $dcName$ mitre_attack_id: - T1484 - T1484.001 - observable: - - name: dcName - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - admonEventType - - objectCategory - - displayName - - gPCFileSysPath - - dcName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log source: ActiveDirectory sourcetype: ActiveDirectory diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml index fbd6af92e9..7a95b21409 100644 --- a/detections/endpoint/windows_alternate_datastream___base64_content.yml +++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml 
@@ -1,15 +1,30 @@ name: Windows Alternate DataStream - Base64 Content id: 683f48de-982f-4a7e-9aac-9cec550da498 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected. +description: The following analytic detects the creation of Alternate Data Streams + (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which + captures file creation events, including the content of named streams. ADS can conceal + malicious payloads, making them significant for SOC monitoring. This detection identifies + hidden streams that may contain executables, scripts, or configuration data, often + used by malware to evade detection. If confirmed malicious, this activity could + allow attackers to hide and execute payloads, persist in the environment, or access + sensitive information without being easily detected. data_source: - Sysmon EventID 15 -search: '`sysmon` EventCode=15 NOT Contents IN ("-","[ZoneTransfer]*") | regex TargetFilename="(? 
upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP. -known_false_positives: False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. +description: The following analytic identifies the execution of applications or scripts + from uncommon or suspicious file paths, potentially indicating malware or unauthorized + activity. It leverages Windows AppLocker event logs and uses statistical analysis + to detect anomalies. By calculating the average and standard deviation of execution + counts per file path, it flags paths with execution counts significantly higher + than expected. This behavior is significant as it can uncover malicious activities + or policy violations. If confirmed malicious, this activity could allow attackers + to execute unauthorized code, leading to potential system compromise or data breaches. 
+search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer + as dest, TargetUser AS user | stats count min(_time) as firstTime max(_time) as + lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath + | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*2), + anomaly=if(count > upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event + logs collected from endpoints with AppLocker enabled. If using Microsoft Defender + for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match + the block events for AppLocker. The analytic requires the AppLocker event logs to + be ingested into Splunk. Note that, an additional method to reduce any false positives + would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon + tuning, modify to Anomaly or TTP. +known_false_positives: False positives are possible if legitimate users are executing + applications from file paths that are not permitted by AppLocker. It is recommended + to investigate the context of the application execution to determine if it is malicious + or not. Modify the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker 
@@ -17,30 +38,18 @@ tags: analytic_story: - Windows AppLocker asset_type: Endpoint - confidence: 70 - impact: 70 - message: An application was executed from an uncommon location on a host $dest$. mitre_attack_id: - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - FullFilePath - - dest - - user - risk_score: 49 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml index a1e62f912e..1e44b50ad4 100644 --- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml +++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml 
@@ -1,15 +1,36 @@ name: Windows AppLocker Privilege Escalation via Unauthorized Bypass id: bca48629-7fa2-40d3-9e5d-807564504e28 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: [] type: TTP status: production -description: The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more. -search: '`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. -known_false_positives: False positives are possible if legitimate users are attempting to bypass application restrictions. 
This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. +description: The following analytic utilizes Windows AppLocker event logs to identify + attempts to bypass application restrictions. AppLocker is a feature that allows + administrators to specify which applications are permitted to run on a system. This + analytic is designed to identify attempts to bypass these restrictions, which could + be indicative of an attacker attempting to escalate privileges. The analytic uses + EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The + analytic will identify the host, full file path, and target user associated with + the bypass attempt. These EventCodes are related to block events and focus on 5 + attempts or more. +search: '`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml + | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count + AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, + RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count + > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description + | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event + logs collected from endpoints with AppLocker enabled. If using Microsoft Defender + for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match + the block events for AppLocker. The analytic requires the AppLocker event logs to + be ingested into Splunk. +known_false_positives: False positives are possible if legitimate users are attempting + to bypass application restrictions. 
This could occur if a user is attempting to + run an application that is not permitted by AppLocker. It is recommended to investigate + the context of the bypass attempt to determine if it is malicious or not. Modify + the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker 
@@ -19,37 +40,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to bypass application restrictions was detected on a host $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Windows AppLocker asset_type: Endpoint - confidence: 80 - impact: 80 - message: An attempt to bypass application restrictions was detected on a host $dest$. 
mitre_attack_id: - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Computer - - FullFilePath - - TargetUser - risk_score: 64 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml index 9698a56585..937dc27423 100644 --- a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml +++ b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml 
@@ -1,15 +1,33 @@ name: Windows AppLocker Rare Application Launch Detection id: 9556f7b7-285f-4f18-8eeb-963d989f9d27 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system. -search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. -known_false_positives: False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. 
It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. +description: The following analytic detects the launch of rarely used applications + within the environment, which may indicate the use of potentially malicious software + or tools by attackers. It leverages Windows AppLocker event logs, aggregating application + launch counts over time and flagging those that significantly deviate from the norm. + This behavior is significant as it helps identify unusual application activity that + could signal a security threat. If confirmed malicious, this activity could allow + attackers to execute unauthorized code, potentially leading to further compromise + of the system. +search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer + as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest + user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), + lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event + logs collected from endpoints with AppLocker enabled. If using Microsoft Defender + for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match + the block events for AppLocker. The analytic requires the AppLocker event logs to + be ingested into Splunk. Note that, an additional method to reduce any false positives + would be to add the specific EventCodes - 8003 or 8004 and filter from there. +known_false_positives: False positives are possible if legitimate users are launching + applications that are not permitted by AppLocker. It is recommended to investigate + the context of the application launch to determine if it is malicious or not. 
Modify + the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting @@ -17,30 +35,18 @@ tags: analytic_story: - Windows AppLocker asset_type: Endpoint - confidence: 30 - impact: 50 - message: An application launch that deviates from the norm was detected on a host $dest$. mitre_attack_id: - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - FullFilePath - - dest - - user - risk_score: 15 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml index 2b1883e29d..c407336352 100644 --- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml +++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml 
@@ -1,15 +1,26 @@ name: Windows Archive Collected Data via Powershell id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText = "*\\Temp\\*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: The following analytic detects the use of PowerShell scripts to archive + files into a temporary folder. It leverages PowerShell Script Block Logging, specifically + monitoring for the `Compress-Archive` command targeting the `Temp` directory. This + activity is significant as it may indicate an adversary's attempt to collect and + compress data for exfiltration. 
If confirmed malicious, this behavior could lead + to unauthorized data access and exfiltration, posing a severe risk to sensitive + information and overall network security. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText + = "*\\Temp\\*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: powershell may used this function to archive data. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a 
@@ -19,39 +30,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Archive Collected Data via Powershell on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Archive Collected Data via Powershell on $dest$. 
mitre_attack_id: - T1560 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - EventCode - - ScriptBlockText - - dest - - user - - Score security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml index 560c0ce1dd..d3403433b5 100644 --- a/detections/endpoint/windows_archive_collected_data_via_rar.yml +++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml @@ -1,7 +1,7 @@ name: Windows Archive Collected Data via Rar id: 2015de95-fe91-413d-9d62-2fe011b67e82 -version: 3 -date: '2024-09-30' +version: 5 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,9 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the execution of RAR utilities to archive files on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line arguments. This activity is significant as threat actors, including red-teamers and malware like DarkGate, use RAR archiving to compress and exfiltrate collected data from compromised hosts. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive information to command and control servers, posing a severe risk to data confidentiality and integrity. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="Rar.exe" OR Processes.original_file_name = "Rar.exe" AND Processes.process = "*a*" Processes.process = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" Processes.process = "* -v5m*" Processes.process = "* -m1*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +description: The following analytic identifies the execution of RAR utilities to archive + files on a system. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names, GUIDs, and command-line arguments. This activity + is significant as threat actors, including red-teamers and malware like DarkGate, + use RAR archiving to compress and exfiltrate collected data from compromised hosts. + If confirmed malicious, this behavior could lead to the unauthorized transfer of + sensitive information to command and control servers, posing a severe risk to data + confidentiality and integrity. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="Rar.exe" + OR Processes.original_file_name = "Rar.exe" AND Processes.process = "*a*" Processes.process + = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" Processes.process + = "* -v5m*" Processes.process = "* -m1*" by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_archive_collected_data_via_rar_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: user and network administrator can execute this command. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate 
@@ -21,44 +44,34 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a Rar.exe commandline used in archiving collected data on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: + - Earth Estries + - Nexus APT Threat Activity - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: a Rar.exe commandline used in archiving collected data in $dest$. 
mitre_attack_id: - T1560.001 - T1560 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml index 3e1b07f39e..b9c347fea1 100644 --- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml 
@@ -1,20 +1,25 @@ name: Windows Archived Collected Data In TEMP Folder id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe -version: 1 -date: '2024-09-24' +version: 2 +date: '2024-11-13' author: Teoderick Contreras, Splunk -data_sources: +data_source: - Sysmon Event ID 11 type: TTP status: production -description: The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*" - by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_archived_collected_data_in_temp_folder_filter`' +description: The following analytic detects the creation of archived files in a temporary + folder, which may contain collected data. This behavior is often associated with + malicious activity, where attackers compress sensitive information before exfiltration. + The detection focuses on monitoring specific directories, such as temp folders, + for the presence of newly created archive files (e.g., .zip, .rar, .tar). 
By identifying + this pattern, security teams can quickly respond to potential data collection and + exfiltration attempts, minimizing the risk of data breaches and improving overall + threat detection. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.zip", + "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name + Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archived_collected_data_in_temp_folder_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, 
@@ -30,39 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A archive file [$file_name$] was creatd in %temp% folder on [$dest$]. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Braodo Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: A archive file [$file_name$] was creatd in %temp% folder on [$dest$]. 
mitre_attack_id: - T1560 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/archived_in_temp_dir/braodo_zip_temp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/archived_in_temp_dir/braodo_zip_temp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml similarity index 62% rename from detections/endpoint/attempt_to_stop_security_service.yml rename to detections/endpoint/windows_attempt_to_stop_security_service.yml index a84ecb6ecc..0719d4656f 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml 
@@ -1,16 +1,16 @@ -name: Attempt To Stop Security Service -id: c8e349c6-b97c-486e-8949-bd7bcd1f3910 -version: 7 -date: '2024-09-30' -author: Rico Valdez, Splunk +name: Windows Attempt To Stop Security Service +id: 9ed27cea-4e27-4eff-b2c6-aac9e78a7517 +version: 2 +date: '2025-01-13' +author: Rico Valdez, Nasreddine Bencherchali, Splunk status: production type: TTP -description: The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" command with the "stop" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response. +description: The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" or "net.exe" command with the "stop" parameter or the PowerShell "Stop-Service" cmdlet. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`' +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `windows_attempt_to_stop_security_service_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. references: @@ -25,6 +25,21 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 20 + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - WhisperGate 
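Review bot: the new id 9ed27cea-4e27-4eff-b2c6-aac9e78a7517 with the version reset from 7 to 2 replaces id c8e349c6-b97c-486e-8949-bd7bcd1f3910 under a new name, but existing deployments key their correlation searches and risk notables on the old id, so the old detection should be recorded as deprecated rather than silently overwritten, and the renamed `windows_attempt_to_stop_security_service_filter` macro plus the newly referenced `process_sc` macro both need matching macro definitions in the repo or the search will not resolve. The precedence in the new where clause, `((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *"`, lets Stop-Service match from any process, which is consistent with the rewritten description ("sc.exe" or "net.exe" with "stop", or the "Stop-Service" cmdlet).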
@@ -34,47 +49,13 @@ tags: - Azorult - Trickbot asset_type: Endpoint - confidence: 50 - impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml index bfa49d58ee..e6ddf3ce77 100644 --- a/detections/endpoint/windows_autoit3_execution.yml +++ b/detections/endpoint/windows_autoit3_execution.yml @@ -1,7 +1,7 @@ name: Windows AutoIt3 Execution id: 0ecb40d9-492b-4a57-9f87-515dd742794c -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP 
@@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of AutoIt3, a scripting language often used for automating Windows GUI tasks and general scripting. It identifies instances where AutoIt3 or its variants are executed by searching for process names or original file names matching 'autoit3.exe'. This activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware. If confirmed malicious, this activity could lead to unauthorized code execution, system compromise, or further propagation of malware within the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if the application is legitimately used, filter by user or endpoint as needed. +description: The following analytic detects the execution of AutoIt3, a scripting + language often used for automating Windows GUI tasks and general scripting. It identifies + instances where AutoIt3 or its variants are executed by searching for process names + or original file names matching 'autoit3.exe'. This activity is significant because + attackers frequently use AutoIt3 to automate malicious actions, such as executing + malware. If confirmed malicious, this activity could lead to unauthorized code execution, + system compromise, or further propagation of malware within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", + "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_autoit3_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if the application is legitimately + used, filter by user or endpoint as needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: 
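Review bot: in the reflowed search, `Processes.process_name IN ("autoit3.exe", "autoit*.exe")` lists "autoit3.exe" redundantly, since "autoit*.exe" already covers it, and the description says the analytic matches 'autoit3.exe' while the wildcard also catches any process name beginning with autoit; either state the wildcard in the description or drop it from the search so the two agree.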
@@ -21,55 +42,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Execution of AutoIt3 detected. The source process is $parent_process_name$ + and the destination process is $process_name$ on $dest$ by + risk_objects: + - field: dest + type: system + score: 50 + - field: user + type: user + score: 50 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - - DarkGate Malware + - Crypto Stealer - Handala Wiper + - DarkGate Malware asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 50 - message: Execution of AutoIt3 detected. 
The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by mitre_attack_id: - T1059 - observable: - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.original_file_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml index c6c85479dd..4a11ee87c7 100644 --- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml +++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml 
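Review bot: the rba message ends in a dangling "by": `and the destination process is $process_name$ on $dest$ by` has no subject after it, even though `user` is declared as a risk object directly below. The removed `message:` line in the same hunk carried the same truncation, so fix it while it is being moved, e.g. `... on $dest$ by $user$.`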
@@ -1,16 +1,35 @@ name: Windows Autostart Execution LSASS Driver Registry Modification id: 57fb8656-141e-4d8a-9f51-62cff4ecb82a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment. +description: The following analytic detects modifications to undocumented registry + keys that allow a DLL to load into lsass.exe, potentially capturing credentials. + It leverages the Endpoint.Registry data model to identify changes to \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt + or \CurrentControlSet\Services\NTDS\LsaDbExtPt. This activity is significant as + it indicates a possible attempt to inject malicious code into the Local Security + Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed + malicious, this could allow attackers to gain unauthorized access to sensitive information + and escalate privileges within the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be present on recent Windows Operating + Systems. Filtering may be required based on process_name. In addition, look for + non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by + adding Endpoint.processes process_name to query to identify the process making the + modification. references: - https://blog.xpnsec.com/exploring-mimikatz-part-1/ - https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib 
@@ -20,41 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified + on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$. 
mitre_attack_id: - T1547.008 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml index 38be3b1a49..30f986c479 100644 --- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml +++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml 
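Review bot: `- update_timestamp: true` is removed from the test's attack_data with no replacement; if the harness no longer rewrites the dataset's timestamps into the current window, the True Positive Test will run against the dataset's original 2024-era timestamps, so confirm the test search window still covers them. The rba block is consistent with the removed metadata (score 49 equals the removed `risk_score: 49`, and dest is the only risk object as before), and `threat_objects: []` is acceptable since the search groups only on Registry fields.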
@@ -1,18 +1,39 @@ name: Windows Binary Proxy Execution Mavinject DLL Injection id: ccf4b61b-1b26-4f2e-a089-f2009c569c57 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of mavinject.exe for DLL injection into running processes, identified by specific command-line parameters such as /INJECTRUNNING and /HMODULE. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it indicates potential arbitrary code execution, a common tactic for malware deployment and persistence. If confirmed malicious, this could allow attackers to execute unauthorized code, escalate privileges, and maintain persistence within the environment, posing a severe security risk. +description: The following analytic detects the use of mavinject.exe for DLL injection + into running processes, identified by specific command-line parameters such as /INJECTRUNNING + and /HMODULE. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant because it indicates potential arbitrary code execution, a common + tactic for malware deployment and persistence. If confirmed malicious, this could + allow attackers to execute unauthorized code, escalate privileges, and maintain + persistence within the environment, posing a severe security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN ("*injectrunning*", "*hmodule=0x*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present, filter on DLL name or parent process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe + Processes.process IN ("*injectrunning*", "*hmodule=0x*") by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present, filter on DLL name or parent + process. references: - https://attack.mitre.org/techniques/T1218/013/ - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e 
@@ -23,59 +44,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting load a DLL. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL. 
mitre_attack_id: - T1218.013 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml index 7f08c25fae..a6607a72a8 100644 --- a/detections/endpoint/windows_bitlockertogo_process_execution.yml +++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml 
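Review bot: the rba message carried over from the removed `message:` line still reads `attempting load a DLL`; change it to `attempting to load a DLL` while it is being moved. Removing the observable list also resolves the `type: Process Name` versus `type: Process` inconsistency between parent_process_name and process_name, which the new threat_objects types replace cleanly, and the scores of 49 match the removed `risk_score: 49`.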
@@ -1,54 +1,56 @@ name: Windows BitLockerToGo Process Execution id: 68cbc9e9-2882-46f2-b636-3b5080589d58 -version: 1 -date: '2024-11-13' +version: 2 +date: '2025-01-21' author: Michael Haag, Nasreddine Bencherchali, Splunk -data_sources: +data_source: - Sysmon Event ID 1 - Windows Event Log Security 4688 type: Hunting status: production -description: The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=bitlockertogo.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_process_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, monitor for usage of BitLockerToGo.exe in your environment, tune as needed. If BitLockerToGo.exe is not used in your environment, move to TTP. +description: The following analytic detects BitLockerToGo.exe execution, which has + been observed being abused by Lumma stealer malware. The malware leverages this + legitimate Windows utility to manipulate registry keys, search for cryptocurrency + wallets and credentials, and exfiltrate sensitive data. This activity is significant + because BitLockerToGo.exe provides functionality for viewing, copying, and writing + files as well as modifying registry branches - capabilities that the Lumma stealer + exploits. However, note that if legitimate use of BitLockerToGo.exe is in the organization, + this detection will +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=bitlockertogo.exe + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_process_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. 
+ Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate + Windows utility used for managing BitLocker encryption. However, monitor for usage + of BitLockerToGo.exe in your environment, tune as needed. If BitLockerToGo.exe is + not used in your environment, move to TTP. references: - https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/ tags: analytic_story: - - Lumma Stealer + - Lumma Stealer asset_type: Endpoint - confidence: 80 - impact: 70 - message: BitLockerToGo.exe was executed on $dest$ by $user$. mitre_attack_id: - T1218 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.process_name - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog 
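Review bot: the description is truncated mid-sentence and the reflow preserves the truncation: `However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will` ends there. Complete the sentence; the known_false_positives text already states the intent (false positives are likely, tune or filter as needed). The rename from `data_sources` to `data_source` matches the key used by the other detections in this diff, but its entry `- Sysmon Event ID 1` differs from the `- Sysmon EventID 1` spelling used by those files, so if data_source names are validated against a fixed list this value will not match.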
diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml index bd441fc14a..9be44cb329 100644 --- a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml +++ b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml 
@@ -1,16 +1,34 @@ name: Windows BitLockerToGo with Network Activity id: 14e3a089-cc23-4f4d-a770-26e44a31fbac -version: 1 -date: '2024-11-13' +version: 2 +date: '2025-01-21' author: Michael Haag, Nasreddine Bencherchali, Splunk -data_sources: +data_source: - Sysmon Event ID 22 type: Hunting status: production -description: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior. -search: '`sysmon` EventCode=22 process_name="bitlockertogo.exe" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_with_network_activity_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. 
However, the detection is designed to flag unusual execution patterns that deviate from standard usage. Filtering may be required to reduce false positives, once confirmed - move to TTP. +description: The following analytic detects suspicious usage of BitLockerToGo.exe, + which has been observed being abused by Lumma stealer malware. The malware leverages + this legitimate Windows utility to manipulate registry keys, search for cryptocurrency + wallets and credentials, and exfiltrate sensitive data. This activity is significant + because BitLockerToGo.exe provides functionality for viewing, copying, and writing + files as well as modifying registry branches - capabilities that the Lumma stealer + exploits for malicious purposes. If confirmed malicious, this could indicate an + active data theft campaign targeting cryptocurrency wallets, browser credentials, + and password manager archives. The detection focuses on identifying BitLockerToGo.exe + execution patterns that deviate from normal system behavior. +search: '`sysmon` EventCode=22 process_name="bitlockertogo.exe" | stats count min(_time) + as firstTime max(_time) as lastTime values(query) as query values(answer) as answer + values(QueryResults) as query_results values(QueryStatus) as query_status by process_name + process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_bitlockertogo_with_network_activity_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and eventcode = 22 dnsquery executions from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate + Windows utility used for managing BitLocker encryption. However, the detection is + designed to flag unusual execution patterns that deviate from standard usage. 
Filtering + may be required to reduce false positives, once confirmed - move to TTP. references: - https://any.run/report/5e9ba24639f70787e56f10a241271ae819ef9c573edb22b9eeade7cb40a2df2a/66f16c7b-2cfc-40c5-91cc-f1cbe9743fa3 - https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/ @@ -18,35 +36,17 @@ tags: analytic_story: - Lumma Stealer asset_type: Endpoint - confidence: 80 - impact: 70 - message: BitLockerToGo.exe was executed with network activity on $dest$. mitre_attack_id: - T1218 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - process_guid - - Computer - - query - - answer - - QueryResults - - QueryStatus - - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 743156d77b..974d986e9f 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml 
@@ -1,16 +1,30 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information. +description: The following analytic detects the creation of files in the Windows %startup% + folder, a common persistence technique. It leverages the Endpoint.Filesystem data + model to identify file creation events in this specific directory. This activity + is significant because adversaries often use the startup folder to ensure their + malicious code executes automatically upon system boot or user logon. If confirmed + malicious, this could allow attackers to maintain persistence on the host, potentially + leading to further system compromise and unauthorized access to sensitive information. 
data_source: - Sysmon EventID 11 -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in this path. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id + Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in this + path. references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia 
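Review bot: the reflowed how_to_implement in this hunk still carries the garbled sentence `ingesting information on process that include the name of the Filesystem responsible for the changes`; since the search runs against `Endpoint.Filesystem` and groups by `Filesystem.file_path`, `Filesystem.process_guid`, `Filesystem.user` and `Filesystem.dest`, reword it to say that file-creation events (the listed data_source is `Sysmon EventID 11`) with file path, process GUID, user and host must be mapped into the `Filesystem` node of the `Endpoint` data model.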
@@ -20,50 +34,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process dropped a file in %startup% folder on $dest$ + risk_objects: + - field: user + type: user + score: 81 + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - - Chaos Ransomware - NjRAT - RedLine Stealer - Gozi Malware + - Crypto Stealer + - Chaos Ransomware asset_type: Endpoint - confidence: 90 - impact: 90 - message: a process dropped a file in %startup% folder in $dest$ mitre_attack_id: - T1547.001 - T1547 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_create_time - - 
Filesystem.process_id - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - - Filesystem.process_guid - - Filesystem.dest - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_bootloader_inventory.yml b/detections/endpoint/windows_bootloader_inventory.yml index e32c7b076d..375c844994 100644 --- a/detections/endpoint/windows_bootloader_inventory.yml +++ b/detections/endpoint/windows_bootloader_inventory.yml 
@@ -1,15 +1,27 @@ name: Windows BootLoader Inventory id: 4f7e3913-4db3-4ccd-afe4-31198982305d -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: Hunting data_source: [] -description: The following analytic identifies the bootloader paths on Windows endpoints. It leverages a PowerShell Scripted input to capture this data, which is then processed and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC as it helps detect unauthorized modifications that could indicate bootkits or other persistent threats. If confirmed malicious, such activity could allow attackers to maintain persistence, bypass security controls, and potentially control the boot process, leading to full system compromise. -search: '`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`' -how_to_implement: To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model. -known_false_positives: No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. +description: The following analytic identifies the bootloader paths on Windows endpoints. + It leverages a PowerShell Scripted input to capture this data, which is then processed + and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC + as it helps detect unauthorized modifications that could indicate bootkits or other + persistent threats. 
If confirmed malicious, such activity could allow attackers + to maintain persistence, bypass security controls, and potentially control the boot + process, leading to full system compromise. +search: '`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as + lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_bootloader_inventory_filter`' +how_to_implement: To implement this analytic, a new stanza will need to be added to + a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 + provides the stanza. If modifying the sourcetype, be sure to update the Macro for + this analytic. Recommend running it daily, or weekly, depending on threat model. +known_false_positives: No false positives here, only bootloaders. Filter as needed + or create a lookup as a baseline. references: - https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ @@ -19,23 +31,11 @@ tags: - Windows BootKits asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 90 - message: A list of BootLoaders are present on $dest$ mitre_attack_id: - T1542.001 - T1542 - observable: - - name: host - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - _raw - risk_score: 81 security_domain: endpoint diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml index b6e9d36f7f..31d51c8ae8 100644 --- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml +++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml 
@@ -1,7 +1,7 @@ name: Windows Bypass UAC via Pkgmgr Tool id: cce58e2c-988a-4319-9390-0daa9eefa3cd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,10 +9,36 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of the deprecated 'pkgmgr.exe' process with an XML input file, which is unusual and potentially suspicious. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution details and command-line arguments. The significance lies in the deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate an attempt to bypass User Account Control (UAC). If confirmed malicious, this activity could allow an attacker to execute commands with elevated privileges, leading to potential system compromise and unauthorized changes. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. +description: The following analytic detects the execution of the deprecated 'pkgmgr.exe' + process with an XML input file, which is unusual and potentially suspicious. This + detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on + process execution details and command-line arguments. The significance lies in the + deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate + an attempt to bypass User Account Control (UAC). If confirmed malicious, this activity + could allow an attacker to execute commands with elevated privileges, leading to + potential system compromise and unauthorized changes. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe + Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", + "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process_path Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_bypass_uac_via_pkgmgr_tool_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present on recent Windows Operating + Systems. Filtering may be required based on process_name. In addition, look for + non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by + adding Endpoint.processes process_name to query to identify the process making the + modification. 
references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. 
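Review bot: the known_false_positives text reflowed in this hunk (`look for non-standard, unsigned, module loads into LSASS` and `adding Endpoint.processes process_name to query to identify the process making the modification`) does not apply to a `pkgmgr.exe` command-line detection and reads as copied from an LSASS analytic. The search already keys on `Processes.process_name = pkgmgr.exe`, an `*.xml*` argument and a parent outside `system32`, `syswow64` and `Program Files`, so replace the text with tuning advice that matches it, e.g. filter on `parent_process_name` or `parent_process_path` in `windows_bypass_uac_via_pkgmgr_tool_filter` for any legitimate tooling seen invoking pkgmgr.exe with an XML input file.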
@@ -22,49 +48,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A pkgmgr.exe executed with package manager xml input file on $dest$ + risk_objects: + - field: user + type: user + score: 9 + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Warzone RAT asset_type: Endpoint - confidence: 30 - impact: 30 - message: A pkgmgr.exe executed with package manager xml input file on $dest$ mitre_attack_id: - T1548.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 9 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process 
- - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_create_file.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_create_file.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml index c758e1d1de..01753c7d62 100644 --- a/detections/endpoint/windows_cab_file_on_disk.yml +++ b/detections/endpoint/windows_cab_file_on_disk.yml 
@@ -1,16 +1,36 @@ name: Windows CAB File on Disk id: 622f08d0-69ef-42c2-8139-66088bc25acd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Sysmon EventID 11 -description: The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is '*.cab' and the action is 'write'. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. Analysts should review the file path and associated artifacts for further investigation. -search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed. +description: The following analytic detects .cab files being written to disk. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on events where + the file name is '*.cab' and the action is 'write'. This activity is significant + as .cab files can be used to deliver malicious payloads, including embedded .url + files that execute harmful code. If confirmed malicious, this behavior could lead + to unauthorized code execution and potential system compromise. Analysts should + review the file path and associated artifacts for further investigation. +search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) + as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem + where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id + Filesystem.file_name | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. 
+known_false_positives: False positives will only be present if a process legitimately + writes a .cab file to disk. Modify the analytic as needed by file path. Filter as + needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: 
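Review bot: the description in this hunk says the analytic focuses on events `where the file name is '*.cab' and the action is 'write'`, but the search only filters on `Filesystem.file_name=*.cab` and merely groups by `Filesystem.action`; either add the write/create action value to the `where` clause or drop the claim from the description so it matches what the search does. Likewise the how_to_implement paragraph is the Processes-node boilerplate (process GUID, parent process, complete command line, `Processes` node of the `Endpoint` data model), whereas this search reads `Endpoint.Filesystem`; it should describe file-write telemetry (`Sysmon EventID 11` per data_source) mapped to the `Filesystem` node.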
@@ -19,38 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A .cab file was written to disk on endpoint $dest$. + risk_objects: + - field: dest + type: system + score: 5 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint atomic_guid: [] - confidence: 10 - impact: 50 - message: A .cab file was written to disk on endpoint $dest$. 
mitre_attack_id: - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 5 - required_fields: - - Filesystem.dest - - Filesystem.action - - Filesystem.process_id - - Filesystem.file_name security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml index ae84280fa2..b0cf4007cc 100644 --- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml +++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml 
@@ -1,17 +1,39 @@ name: Windows Cached Domain Credentials Reg Query id: 40ccb8e0-1785-466e-901e-6a8b75c04ecd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line querying the CachedLogonsCount registry value in the Winlogon registry. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and registry queries. Monitoring this activity is significant as it can indicate the use of post-exploitation tools like Winpeas, which gather information about login caching settings. If confirmed malicious, this activity could help attackers understand login caching configurations, potentially aiding in credential theft or lateral movement within the network. +description: The following analytic identifies a process command line querying the + CachedLogonsCount registry value in the Winlogon registry. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and registry queries. Monitoring this activity is significant as it can + indicate the use of post-exploitation tools like Winpeas, which gather information + about login caching settings. If confirmed malicious, this activity could help attackers + understand login caching configurations, potentially aiding in credential theft + or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Processes.process = "*CACHEDLOGONSCOUNT*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process + = "* query *" AND Processes.process = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" + AND Processes.process = "*CACHEDLOGONSCOUNT*" by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_cached_domain_credentials_reg_query_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ 
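Review bot: The reflowed `search:` in this hunk spreads the single-quoted SPL over several YAML lines, so its correctness now rests on flow-scalar folding turning each line break into exactly one space. Every break here lands between tokens (`Processes.process` at the end of one line, `= "* query *"` at the start of the next), so the search text is unchanged, but separating a field from its comparison operator makes the search hard to read and easy to break in a later edit. Suggest breaking only at `|` pipe boundaries, or keeping the `where ... by ...` clause on one line.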
@@ -23,50 +45,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process with commandline $process$ tries to retrieve cache domain credential + logon count on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$ mitre_attack_id: - T1003.005 - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - 
Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_certutil_download_with_url_argument.yml b/detections/endpoint/windows_certutil_download_with_url_argument.yml index 7ae9749bec..87ff45c03c 100644 --- a/detections/endpoint/windows_certutil_download_with_url_argument.yml +++ b/detections/endpoint/windows_certutil_download_with_url_argument.yml 
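Review bot: The new `rba` block in this hunk leaves `threat_objects: []` even though the search groups by `Processes.process_name` and the message names `$process$`; the certutil and COM hijacking hunks in this same change attach `- field: process_name` / `type: process_name`, and doing the same here keeps the risk event actionable. The message also reads `tries to retrieve cache domain credential logon count on $dest$`; since the value queried is CachedLogonsCount, `cached domain credential logon count` is the intended wording. Note too that `- update_timestamp: true` is dropped from the test block here and in the other files; that is a test-behaviour change not mentioned anywhere in the hunk and is worth a line in the PR description.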
@@ -1,18 +1,39 @@ name: Windows CertUtil Download With URL Argument id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944 -version: 1 -date: '2024-12-08' +version: 3 +date: '2025-01-07' author: Nasreddine Bencherchali, Splunk status: production type: TTP -description: The following analytic detects the use of `certutil.exe` to download files using the `-URL` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system. +description: The following analytic detects the use of `certutil.exe` to download + files using the `-URL` arguments. This behavior is identified by monitoring command-line + executions for these specific arguments via Endpoint Detection and Response (EDR) + telemetry. This activity is significant because `certutil.exe` is a legitimate tool + often abused by attackers to download and execute malicious payloads. If confirmed + malicious, this could allow an attacker to download and execute arbitrary files, + potentially leading to code execution, data exfiltration, or further compromise + of the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process="*-URL *" OR Processes.process="*/URL *") by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_certutil_download_with_url_argument_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process="*-URL + *" OR Processes.process="*/URL *") by Processes.dest Processes.user Processes.original_file_name + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_certutil_download_with_url_argument_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives in most environments, however tune + as needed based on parent-child relationship or network connection. references: - https://attack.mitre.org/techniques/T1105/ - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ 
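Review bot: `-version: 1` / `+version: 3` in this hunk skips a version while the neighbouring files in this change step by one; if version 2 shipped in an intermediate commit this is fine, otherwise it should be `version: 2`. Separately, the reflowed `search:` places a line break inside the quoted literal, `(Processes.process="*-URL` at the end of one line and `*" OR` at the start of the next; YAML folding collapses the break to a single space so `"*-URL *"` survives, but a break inside a quoted SPL pattern is fragile and should move to after the closing quote.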
@@ -30,56 +51,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Ingress Tool Transfer asset_type: Endpoint - confidence: 100 - impact: 90 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to download a file. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml index a315d54720..36f61bdd44 100644 --- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml +++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml @@ -1,7 +1,7 @@ name: Windows Change Default File Association For No File Ext id: dbdf52ad-d6a1-4b68-975f-0a10939d8e38 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -53,46 +53,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process with commandline $process$ set or change the file association of + a file with no file extension on $dest$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Prestige Ransomware - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: process with commandline $process$ set or change the file association of - a file with no file extension in $dest$ mitre_attack_id: - T1546.001 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index 891dc16947..e66040efb9 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml 
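Review bot: The `rba.message` added in this hunk, `process with commandline $process$ set or change the file association of a file with no file extension on $dest$`, should read `sets or changes`, and `threat_objects: []` drops the `$process$` the message itself points at; the certutil and COM hijacking hunks in this change attach `process_name` as a threat object, so the same here would keep the files consistent and the risk event actionable.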
@@ -1,15 +1,26 @@ name: Windows ClipBoard Data via Get-ClipBoard id: ab73289e-2246-4de0-a14b-67006c72a893 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets. +description: The following analytic detects the execution of the PowerShell command + 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block + Logging (EventCode 4104) to identify instances where this command is used. This + activity is significant because it can indicate an attempt to steal sensitive information + such as usernames, passwords, or other confidential data copied to the clipboard. + If confirmed malicious, this behavior could lead to unauthorized access to sensitive + information, potentially compromising user accounts and other critical assets. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats count + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer + UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: It is possible there will be false positives, filter as needed. references: - https://attack.mitre.org/techniques/T1115/ 
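Review bot: The reflowed `search:` in this hunk carries over `| rename UserID as user| \`security_content_ctime(firstTime)\`` with no space before the second pipe; Splunk tolerates it, but since the line is being rewritten anyway it should read `as user | `. Also `how_to_implement` still links to `#Configure_module_logging_for_PowerShell`, while the analytic depends on Script Block Logging (EventCode 4104, as the `data_source` says); pointing the link at the script block logging section would match what the search actually needs.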
@@ -21,45 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on + $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$ mitre_attack_id: - T1115 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - 
EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml similarity index 58% rename from detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml rename to detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index 798df38377..441ba5036d 100644 --- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml 
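Review bot: The new `rba.message` in this hunk, `Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$`, should read `executes` and `cmdlet`, and interpolating the whole `$ScriptBlockText$` can push a very long script body into every risk event; `$user$` is already a risk object here and the drilldown searches surface the script block, so the message can name `$user$` and `$dest$` and leave the script text out. The user/dest scores of 25 match the removed `confidence: 50` / `impact: 50`, so the scoring itself is consistent.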
@@ -1,16 +1,16 @@ -name: Cmdline Tool Not Executed In CMD Shell -id: 6c3f7dd8-153c-11ec-ac2d-acde48001122 -version: 5 -date: '2024-09-30' +name: Windows Cmdline Tool Execution From Non-Shell Process +id: 2afa393f-b88d-41b7-9793-623c93a2dfde +version: 2 +date: '2025-01-13' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network. +type: Anomaly +description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard shell parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe" OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("ipconfig.exe", "systeminfo.exe", "net1.exe", "arp.exe", "nslookup.exe", "route.exe", "netstat.exe", "whoami.exe") AND NOT Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "explorer.exe", "-", "unknown") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cmdline_tool_execution_from_non_shell_process_filter`' how_to_implement: The detection is based on data that originates from 
Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed. references: @@ -26,6 +26,21 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-standard parent process $parent_process_name$ spawned child process + $process_name$ to execute command-line tool on $dest$. + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Volt Typhoon 
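Review bot: In the rewritten `search:` of the first hunk, `net.exe` is dropped from the `process_name` list while `net1.exe` stays, and `net.exe` is not in the parent exclusion list; because `net.exe` launches `net1.exe` as its child, every `net` command run from cmd.exe still fires on `net1.exe` with parent `net.exe`, which defeats the shell exclusion, while `net.exe` itself is no longer evaluated. Consider keeping `net.exe` in the process_name list and adding `net.exe` to the excluded parents so the net.exe -> net1.exe chain is judged once, on `net.exe`. The same hunk replaces the `id` (`6c3f7dd8-...` -> `2afa393f-...`) and resets `version: 5` to `version: 2` inside a git rename; to anything keyed on `id` this is a brand-new detection, and risk events, suppressions and tuning attached to the old one are orphaned, so confirm the new id is intended. Finally, the new description's `non-standard shell parent process` is awkward; `non-shell parent process`, matching the new file name, says what the exclusion list implements.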
@@ -37,47 +52,13 @@ tags: - CISA AA23-347A - Gozi Malware asset_type: Endpoint - confidence: 80 - impact: 70 - message: A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$. mitre_attack_id: - T1059 - T1059.007 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml index 0750832a75..4c8b9324c6 100644 --- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml @@ -1,7 +1,7 @@ name: Windows COM Hijacking InprocServer32 Modification id: b7bd83c0-92b5-4fc7-b286-23eccfa2c561 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
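Review bot: `-version: '5'` / `+version: 7` in the COM hijacking hunk skips 6 with a single change; fine if 6 shipped in an intermediate commit, otherwise it should be `version: 6`. Converting the quoted `'5'` to a bare integer is the right fix for the type inconsistency, the same as `'4'` -> `5` in the file association hunk.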
@@ -50,48 +50,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the + registry. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the - registry. mitre_attack_id: - T1546.015 - T1546 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - UPDATE - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index a0fd469474..f53e86e200 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml 
@@ -1,18 +1,43 @@ name: Windows Command and Scripting Interpreter Hunting Path Traversal id: d0026380-b3c4-4da0-ac8e-02790063ff6b -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of "/..", "\..", or "\\..". This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic identifies path traversal command-line executions, + leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns + in command-line arguments indicative of path traversal techniques, such as multiple + instances of "/..", "\..", or "\\..". This activity is significant as it often indicates + attempts to evade defenses by executing malicious code, such as through msdt.exe. + If confirmed malicious, this behavior could allow attackers to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 = (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id + Processes.parent_process_id Processes.process_hash Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval + count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 = + (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) + | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 + > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | + `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: false positive may vary depends on the score you want to check. + The bigger number of path traversal string count the better. references: - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ tags: 
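Review bot: while `known_false_positives` is being rewrapped, its wording should be fixed too; "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better." is ungrammatical and could read "False positives will vary with the threshold you choose; requiring a higher count of path traversal strings per command line reduces them." Since the `search` scalar is a single-quoted YAML string, the line breaks fold to single spaces and the backslashes in `split(process,"\..")` and `split(process,"\\..")` stay literal, so the reflow should not change the SPL, but the rewrapped search is worth one test run against the attack data before merge.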
@@ -20,39 +45,17 @@ tags: - Windows Defense Evasion Tactics - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 asset_type: Endpoint - confidence: 60 - impact: 60 - message: A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$ mitre_attack_id: - T1059 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml index 99c7c5d85e..c04c043616 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml @@ -1,7 +1,7 @@ name: Windows Command and Scripting Interpreter Path Traversal Exec id: 58fcdeb1-728d-415d-b0d7-3ab18a275ec2 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
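Review bot: this `type: Hunting` file drops `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` without adding an `rba` block, unlike the TTP files in the patch; that is consistent with hunting searches not producing risk events, but confirm that the contentctl Hunting model treats `rba` as absent rather than required, otherwise validation fails for this file alone.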
@@ -50,46 +50,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $parent_process_name$ has spawned a child $process_name$ with + path traversal commandline $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 100 - impact: 90 - message: A parent process $parent_process_name$ has spawned a child $process_name$ - with path traversal commandline $process$ in $dest$ mitre_attack_id: - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml index ff42b193fd..68a89ff942 100644 --- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml 
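Review bot: `threat_objects: []` here while the `rba.message` interpolates `$parent_process_name$` and `$process_name$`; the InProcServer32 hunk earlier in this patch lists both as threat objects, so for consistency consider `- field: process_name` / `type: process_name` (and `parent_process_name`) instead of an empty list. The `score: 90` matches the previous `impact: 90` at `confidence: 100`.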
+++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml @@ -1,7 +1,7 @@ name: Windows Command Shell DCRat ForkBomb Payload id: 2bb1a362-7aa8-444a-92ed-1987e8da83e1 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -56,46 +56,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Multiple cmd.exe processes with child process of notepad.exe executed on + $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - DarkCrystal RAT asset_type: Endpoint - confidence: 90 - impact: 90 - message: Multiple cmd.exe processes with child process of notepad.exe executed on - $dest$ mitre_attack_id: - T1059.003 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml index b96b349845..8e8aba3b57 100644 
--- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml +++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml 
@@ -1,13 +1,13 @@ name: Windows Common Abused Cmd Shell Risk Behavior id: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] description: The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", 
"*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`' +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`' how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. references: @@ -36,9 +36,6 @@ tags: - CISA AA23-347A - Disabling Security Tools asset_type: Endpoint - confidence: 70 - impact: 70 - message: series of process commandline being abused by threat actor have been identified on $risk_object$ mitre_attack_id: - T1222 - T1049 @@ -46,23 +43,10 @@ tags: - T1529 - T1016 - T1059 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml index f87e60cb45..08bdaaf6c2 100644 --- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml +++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml 
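Review bot: the `source IN (...)` list now points at renamed analytics ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*"); because these are wildcard matches against `source`, a name that does not exactly match the renamed detection's `name` returns zero rows silently rather than erroring, so each should be checked against its detection file before merge. With `confidence`, `impact` and `risk_score` removed and no `rba` block added, this `type: Correlation` no longer states a score at all; confirm that is intended for correlations. Minor: `how_to_implement` reads "increased base on internal testing", which should be "based on".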
@@ -1,16 +1,30 @@ name: Windows Computer Account Created by Computer Account id: 97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network. +description: The following analytic identifies a computer account creating a new computer + account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection + leverages Windows Security Event Logs, specifically EventCode 4741, to identify + such activities. This behavior is significant as it may indicate an attempt to establish + unauthorized Kerberos authentication channels, potentially leading to lateral movement + or privilege escalation. If confirmed malicious, this activity could allow an attacker + to impersonate services, access sensitive information, or maintain persistence within + the network. 
data_source: - Windows Event Log Security 4741 -search: '`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!="NT AUTHORITY" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -known_false_positives: It is possible third party applications may have a computer account that adds computer accounts, filtering may be required. +search: '`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!="NT + AUTHORITY" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as + firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, + SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_computer_account_created_by_computer_account_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also + required. +known_false_positives: It is possible third party applications may have a computer + account that adds computer accounts, filtering may be required. references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47 - https://github.com/Dec0ne/KrbRelayUp 
@@ -20,43 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Computer Account on $dest$ created by a computer account (possibly indicative + of Kerberos relay attack). + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks - Local Privilege Escalation With KrbRelayUp asset_type: Endpoint - confidence: 60 - impact: 50 - message: A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack). 
mitre_attack_id: - T1558 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - subject - - action - - src_user - - user - - Account_Name - - Subject_Account_Name - - Subject_Account_Domain - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml index 5d9c9d7b3e..62e7e4a05d 100644 --- a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml +++ b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml 
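Review bot: only `dest` is a risk object here, although the `rba.message` is about the account doing the creating ("created by a computer account") and the search already groups by `src_user`; consider whether `src_user` belongs in `threat_objects`, since that is the field an analyst pivots on for relay tooling. `score: 30` reproduces the old `confidence: 60` times `impact: 50`.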
@@ -1,16 +1,29 @@ name: Windows Computer Account Requesting Kerberos Ticket id: fb3b2bb3-75a4-4279-848a-165b42624770 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network. +description: The following analytic detects a computer account requesting a Kerberos + ticket, which is unusual as typically user accounts request these tickets. This + detection leverages Windows Security Event Logs, specifically EventCode 4768, to + identify instances where the TargetUserName ends with a dollar sign ($), indicating + a computer account. This activity is significant because it may indicate the use + of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, + this could allow attackers to impersonate computer accounts, potentially leading + to unauthorized access and lateral movement within the network. 
data_source: - Windows Event Log Security 4768 -search: '`wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required. -known_false_positives: It is possible false positives will be present based on third party applications. Filtering may be needed. +search: '`wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1" + | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, + action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_computer_account_requesting_kerberos_ticket_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also + required. +known_false_positives: It is possible false positives will be present based on third + party applications. Filtering may be needed. references: - https://github.com/Dec0ne/KrbRelayUp drilldown_searches: 
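Review bot: the rewrapped `description` still says "tools like KrbUpRelay"; the reference (https://github.com/Dec0ne/KrbRelayUp) and the analytic story "Local Privilege Escalation With KrbRelayUp" name the tool KrbRelayUp, so correct the spelling while this scalar is being rewritten.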
@@ -19,42 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Computer Account requested a Kerberos ticket on $dest$, possibly indicative + of Kerberos relay attack. + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks - Local Privilege Escalation With KrbRelayUp asset_type: Endpoint - confidence: 70 - impact: 50 - message: A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack. 
mitre_attack_id: - T1558 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - subject - - action - - Supplied_Realm_Name - - user - - Account_Name - - src_ip - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_computer_account_with_spn.yml b/detections/endpoint/windows_computer_account_with_spn.yml index deb50f0fae..a452d720e4 100644 --- a/detections/endpoint/windows_computer_account_with_spn.yml +++ b/detections/endpoint/windows_computer_account_with_spn.yml @@ -1,7 +1,7 @@ name: Windows Computer Account With SPN id: 9a3e57e7-33f4-470e-b25d-165baa6e8357 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -43,42 +43,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Computer Account was created with SPNs related to Kerberos on $dest$, + possibly indicative of Kerberos relay attack. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Local Privilege Escalation With KrbRelayUp - Active Directory Kerberos Attacks - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A Computer Account was created with SPNs related to Kerberos on $dest$, - possibly indicative of Kerberos relay attack. mitre_attack_id: - T1558 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - MSADChangedAttributes - - New_UAC_Value - - Security_ID - - Account_Domain - - SAM_Account_Name - - DNS_Host_Name - - Logon_Id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_with_spn/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_with_spn/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml index c497fbf7fc..819c297afd 100644 --- a/detections/endpoint/windows_conhost_with_headless_argument.yml +++ b/detections/endpoint/windows_conhost_with_headless_argument.yml 
@@ -1,7 +1,7 @@ name: Windows ConHost with Headless Argument id: d5039508-998d-4cfc-8b5e-9dcd679d9a62 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -52,44 +52,34 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows ConHost with Headless Argument detected on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 70 + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host asset_type: Endpoint atomic_guid: [] - confidence: 70 - impact: 100 - message: Windows ConHost with Headless Argument detected on $dest$ by $user$. mitre_attack_id: - T1564.003 - T1564.006 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 70 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.003/headless/4688_conhost_headless.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.003/headless/4688_conhost_headless.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml index 28855abc84..91781c15e8 100644 --- a/detections/endpoint/windows_create_local_account.yml 
+++ b/detections/endpoint/windows_create_local_account.yml 
@@ -1,15 +1,30 @@ name: Windows Create Local Account id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data. +description: The following analytic detects the creation of a new local user account + on a Windows system. It leverages Windows Security Audit logs, specifically event + ID 4720, to identify this activity. Monitoring the creation of local accounts is + crucial for a SOC as it can indicate unauthorized access or lateral movement within + the network. If confirmed malicious, this activity could allow an attacker to establish + persistence, escalate privileges, or gain unauthorized access to sensitive systems + and data. data_source: [] -search: '| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name("All_Changes")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`' -how_to_implement: 'This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. 
More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/' -known_false_positives: It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume. +search: '| tstats `security_content_summariesonly` values(All_Changes.result_id) as + result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change + where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result + All_Changes.action | `drop_dm_object_name("All_Changes")` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`' +how_to_implement: 'This search requires you to have enabled your Group Management + Audit Logs in your Local Windows Security Policy and be ingesting those logs. More + information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/' +known_false_positives: It is possible that an administrator created the account. Verifying + activity with an administrator is advised. This analytic is set to anomaly to allow + for risk to be added. Filter and tune as needed. Restrict to critical infrastructure + to reduce any volume. references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ drilldown_searches: 
@@ -18,44 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The following $user$ was added to $dest$ as a local account. + risk_objects: + - field: user + type: user + score: 18 + - field: dest + type: system + score: 18 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - CISA AA24-241A asset_type: Endpoint - confidence: 90 - impact: 20 - message: The following $user$ was added to $dest$ as a local account. 
mitre_attack_id: - T1136.001 - T1136 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Changes.user - - All_Changes.dest - - All_Changes.result - - All_Changes.action - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml similarity index 56% rename from detections/endpoint/create_local_admin_accounts_using_net_exe.yml rename to detections/endpoint/windows_create_local_administrator_account_via_net.yml index 5a6097eadc..9a9f76fffd 100644 --- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml +++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml 
@@ -1,16 +1,16 @@ -name: Create local admin accounts using net exe -id: b89919ed-fe5f-492c-b139-151bb162040e -version: 13 -date: '2024-11-26' +name: Windows Create Local Administrator Account Via Net +id: 2c568c34-bb57-4b43-9d75-19c605b98e70 +version: 2 +date: '2025-01-13' author: Bhavin Patel, Splunk status: production -type: TTP -description: The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity. +type: Anomaly +description: The following analytic detects the creation of a local administrator account using the "net.exe" command. It leverages Endpoint Detection and Response (EDR) data to identify processes named "net.exe" with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer* OR Processes.process=*Rendszergazda* OR Processes.process=*Администратор* OR Processes.process=*Administratör*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`' +search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=*/add* AND Processes.process IN ("*administrators*", "*administratoren*", "*administrateurs*", "*administrador*", "*amministratori*", "*administratorer*", "*Rendszergazda*", "*Администратор*", "*Administratör*") by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_create_local_administrator_account_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators often leverage net.exe to create admin accounts. references: [] @@ -23,6 +23,22 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators + group. + risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - DHS Report TA18-074A 
@@ -31,47 +47,13 @@ tags: - DarkGate Malware - CISA AA24-241A asset_type: Endpoint - confidence: 60 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group. mitre_attack_id: - T1136.001 - T1136 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index b5c10e4040..f3ad514e0c 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml 
@@ -1,16 +1,38 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 -version: 5 -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Teoderick Contreras, Bhavin Patel Splunk data_source: - Windows Event Log Security 4663 type: Anomaly status: production -description: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles. -search: '`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name "(?[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. 
Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. -known_false_positives: The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file. +description: The following analytic identifies a possible non-common browser process + accessing its browser user data profile. This tactic/technique has been observed + in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive + browser information and credentials as part of their exfiltration strategy. Detecting + this anomaly can serve as a valuable pivot for identifying processes that access + lists of browser user data profiles unexpectedly. This detection uses a lookup file + `browser_app_list` that maintains a list of well known browser applications and + the browser paths that are allowed to access the browser user data profiles. 
+search: '`wineventlog_security` EventCode=4663 | stats count by _time object_file_path + object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list + browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | + stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) + values(object_file_path) values(browser_process_name) as browser_process_name by + dest process_name process_path process_id EventCode isAllowed | rex field=process_name + "(?[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, + extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." + This search may trigger on a browser application that is not included in the browser_app_list + lookup file. +known_false_positives: The lookup file `browser_app_list` may not contain all the + browser applications that are allowed to access the browser user data profiles. + Consider updating the lookup files to add allowed object paths for the browser applications + that are not included in the lookup file. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger - https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/ 
@@ -20,9 +42,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-common browser process $process_name$ accessing browser user data + folder on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Snake Keylogger 
@@ -31,34 +66,17 @@ tags: - PXA Stealer - Meduza Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A non-common browser process $process_name$ accessing browser user data folder on $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml index 9a9896842e..b33e006ced 100644 --- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml +++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml @@ -1,7 +1,7 @@ name: Windows Credential Dumping LSASS Memory Createdump id: b3b7ce35-fce5-4c73-85f4-700aeada81a9 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,57 +51,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to dump a process. + risk_objects: + - field: user + type: user + score: 70 + - field: dest + type: system + score: 70 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 70 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to dump a process. mitre_attack_id: - T1003.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml index f505d0fcd2..cd4e6a6221 100644 --- a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml +++ b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml 
@@ -1,20 +1,35 @@ name: Windows Credentials Access via VaultCli Module id: c0d89118-3f89-4cd7-8140-1f39e7210681 -version: 1 -date: '2024-11-29' +version: 2 +date: '2025-01-21' author: Teoderick Contreras, Splunk -data_sources: +data_source: - Sysmon Event ID 7 type: Anomaly status: production -description: The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza. The analytic monitors suspicious API calls, unauthorized credential access patterns, and anomalous process behaviors indicative of malicious activity. By leveraging a combination of signature-based detection and behavioral analysis, it effectively flags attempts to misuse the vault for credential theft, enabling swift response to protect sensitive user data and ensure system security. -search: '`sysmon` EventCode=7 ImageLoaded ="*\\vaultcli.dll" process_path IN("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\appdata\\local\\temp\\*", "*\\PerfLogs\\*", "*:\\temp\\*") - | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_access_via_vaultcli_module_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
-known_false_positives: Third party software might leverage this DLL in order to make use of the Credential Manager feature via the provided exports. Typically the vaultcli.dll module is loaded by the vaultcmd.exe Windows Utility to interact with the Windows Credential Manager for secure storage and retrieval of credentials. +description: The following analytic detects potentially abnormal interactions with + VaultCLI.dll, particularly those initiated by processes located in publicly writable + Windows folder paths. The VaultCLI.dll module allows processes to extract credentials + from the Windows Credential Vault. It was seen being abused by information stealers + such as Meduza. The analytic monitors suspicious API calls, unauthorized credential + access patterns, and anomalous process behaviors indicative of malicious activity. + By leveraging a combination of signature-based detection and behavioral analysis, + it effectively flags attempts to misuse the vault for credential theft, enabling + swift response to protect sensitive user data and ensure system security. +search: '`sysmon` EventCode=7 ImageLoaded ="*\\vaultcli.dll" process_path IN("*\\windows\\fonts\\*", + "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", + "\\Windows\\repair\\*", "*\\appdata\\local\\temp\\*", "*\\PerfLogs\\*", "*:\\temp\\*") + | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded + process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_credentials_access_via_vaultcli_module_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+known_false_positives: Third party software might leverage this DLL in order to make + use of the Credential Manager feature via the provided exports. Typically the vaultcli.dll + module is loaded by the vaultcmd.exe Windows Utility to interact with the Windows + Credential Manager for secure storage and retrieval of credentials. references: - https://hijacklibs.net/entries/microsoft/built-in/vaultcli.html - https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed 
@@ -27,43 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of process $process_name$ loading the file $ImageLoaded$ was + identified on endpoint $dest$ to potentially capture credentials in memory. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Meduza Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of process name [$process_name$] loading a file [$ImageLoaded$] was identified on endpoint- [$dest$] to potentially capture credentials in memory. 
mitre_attack_id: - T1555.004 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - process_path - - ImageLoaded - - Signed - - ProcessId - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 43c207c08d..25c6142e2f 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml 
@@ -1,19 +1,25 @@ name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir id: 4d14c86d-fdee-4393-94da-238d2706902f -version: 1 -date: '2024-09-24' +version: 2 +date: '2024-11-13' author: Teoderick Contreras, Splunk -data_sources: +data_source: - Sysmon Event ID 11 type: TTP status: production -description: The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("Local State", "Login Data") Filesystem.file_path = "*\\temp\\*" - by _time Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.file_create_time - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the copying of Chrome's Local State and + Login Data files into temporary folders, a tactic often used by the Braodo stealer + malware. These files contain encrypted user credentials, including saved passwords + and login session details. The detection monitors for suspicious copying activity + involving these specific Chrome files, particularly in temp directories where malware + typically processes the stolen data. 
Identifying this behavior enables security + teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive + browser credentials and mitigating the risk of unauthorized access. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("Local + State", "Login Data") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.dest + Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_copied_in_temp_dir_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from 
@@ -30,40 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Chrome Password Store File [$file_name$] was copied in %temp% folder on + [$dest$]. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Braodo Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: Chrome Password Store File [$file_name$] was copied in %temp% folder on [$dest$]. 
mitre_attack_id: - T1555.003 - T1555 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index beb2318abc..538d843239 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml 
@@ -1,21 +1,31 @@ name: Windows Credentials from Password Stores Chrome Extension Access id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af -version: 4 -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network. -search: '`wineventlog_security` EventCode=4663 - object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects non-Chrome processes attempting to access + the Chrome extensions file. It leverages Windows Security Event logs, specifically + event code 4663, to identify this behavior. This activity is significant because + adversaries may exploit this file to extract sensitive information from the Chrome + browser, posing a security risk. If confirmed malicious, this could lead to unauthorized + access to stored credentials and other sensitive data, potentially compromising + the security of the affected system and broader network. 
+search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User + Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", + "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by + object_file_name object_file_path process_name process_path process_id EventCode + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: Uninstall chrome browser extension application may access this + file and folder path to removed chrome installation in the target host. Filter is + needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
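Review bot: the exclusion in the reflowed `search`, `NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe"))`, skips any executable named chrome.exe at any location, which is broader than the intent of skipping the browser itself; consider pinning the pattern to the standard install location (for example `*\\Google\\Chrome\\Application\\chrome.exe`) so the exclusion only covers the real browser binary. Also, the `known_false_positives` line reads "to removed chrome installation in the target host"; suggest "to remove the Chrome installation on the target host. A filter is needed."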
@@ -24,9 +34,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-chrome process $process_name$ accessing chrome browser extension + folder files on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - DarkGate Malware 
@@ -38,34 +61,17 @@ tags: - Braodo Stealer - Meduza Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 099998f8c3..c981720bb5 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml 
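Review bot: the unchanged `mitre_attack_id` value `T1012` (Query Registry) in this hunk does not fit a detection that matches 4663 file-access events on the Chrome extension settings folder and is named "Credentials from Password Stores"; `T1555.003` (Credentials from Password Stores: Credentials from Web Browsers) is the technique the name and the logic describe. Since the version and date are bumped here anyway, this is a good moment to correct the mapping, and the same `T1012` tag appears in the sibling Chrome LocalState and Login Data detections further down.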
@@ -1,21 +1,30 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 5 -date: '2024-11-28' +version: 7 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data. -search: '`wineventlog_security` EventCode=4663 - object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_from_password_stores_chrome_localstate_access_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. 
+description: The following analytic detects non-Chrome processes accessing the Chrome + "Local State" file, which contains critical settings and information. It leverages + Windows Security Event logs, specifically event code 4663, to identify this behavior. + This activity is significant because threat actors can exploit this file to extract + the encrypted master key used for decrypting saved passwords in Chrome. If confirmed + malicious, this could lead to unauthorized access to sensitive information, posing + a severe security risk. Monitoring this anomaly helps identify potential threats + and safeguard browser-stored data. +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User + Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name + object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: Uninstall chrome application may access this file and folder + path to removed chrome installation in target host. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
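Review bot: the exclusion in this `search` is written as `NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe"))`, a path-shaped pattern applied to `process_name`, while the sibling Chrome Extension and Login Data detections apply the same patterns to `process_path`. If `process_name` carries only the base name in the 4663 field mapping, the `*:\\Windows\\explorer.exe` pattern never matches and explorer.exe is not excluded; suggest switching to `process_path` for consistency with the other two. The `known_false_positives` sentence should also read "to remove the Chrome installation on the target host."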
@@ -24,47 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local + State" file on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - - RedLine Stealer + - Snake Keylogger - Amadey - Warzone RAT - - NjRAT - - DarkGate Malware - - Phemedrone Stealer - - Snake Keylogger - - MoonPeak - - Braodo Stealer - PXA Stealer + - Braodo Stealer + - Phemedrone Stealer + - Nexus APT Threat Activity + - DarkGate Malware - Meduza Stealer + - MoonPeak + - Earth Estries + - NjRAT + - RedLine Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$ mitre_attack_id: - T1012 - observable: 
- - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 0325172666..5ed95dadf5 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml 
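Review bot: the `analytic_story` list in this hunk is rewritten in an order that is neither the previous order nor alphabetical (Snake Keylogger, Amadey, Warzone RAT, PXA Stealer, ...), so the two genuine additions, `Nexus APT Threat Activity` and `Earth Estries`, are buried in a block of removed and re-added entries; keeping the existing order (or sorting the list once) and appending the new stories would make the change reviewable and avoid the same churn in the Login Data detection below.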
@@ -1,21 +1,31 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 5 -date: '2024-11-28' +version: 7 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment. -search: '`wineventlog_security` EventCode=4663 - object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_from_password_stores_chrome_login_data_access_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstall application may access this registry to remove the entry of the target application. filter is needed. +description: The following analytic identifies non-Chrome processes accessing the + Chrome user data file "login data." 
This file is an SQLite database containing sensitive + information, including saved passwords. The detection leverages Windows Security + Event logs, specifically event code 4663, to monitor access attempts. This activity + is significant as it may indicate attempts by threat actors to extract and decrypt + stored passwords, posing a risk to user credentials. If confirmed malicious, attackers + could gain unauthorized access to sensitive accounts and escalate their privileges + within the environment. +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User + Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", + "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) + as firstTime max(_time) as lastTime by object_file_name object_file_path process_name + process_path process_id EventCode dest | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: Uninstall application may access this registry to remove the + entry of the target application. filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
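Review bot: `known_false_positives` in this hunk still says "Uninstall application may access this registry to remove the entry of the target application", but the detection matches 4663 file-access events on the Chrome "Login Data" SQLite file, not a registry key; the sentence looks carried over from a registry analytic and should describe the file case, as the LocalState and Extension detections do (for example "Uninstallers may read this file when removing Chrome. A filter is needed."). The reflow of the description and search is otherwise fine.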
@@ -24,47 +34,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-chrome process $process_name$ accessing Chrome "Login Data" file + on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - - RedLine Stealer + - Snake Keylogger - Amadey - Warzone RAT - - NjRAT - - DarkGate Malware - - Phemedrone Stealer - - Snake Keylogger - - MoonPeak - - Braodo Stealer - PXA Stealer + - Braodo Stealer + - Phemedrone Stealer + - Nexus APT Threat Activity + - DarkGate Malware - Meduza Stealer + - MoonPeak + - Earth Estries + - NjRAT + - RedLine Stealer asset_type: Endpoint - confidence: 70 - impact: 70 - message: A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: 
Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml index 73e45112d2..78fa620d8c 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Creation id: c0c5a479-bf57-4ca0-af3a-4c7081e5ba05 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -51,45 +51,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $process_name$ was executed on $dest$ to create stored credentials + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - DarkGate Malware asset_type: Endpoint - confidence: 80 - impact: 80 - message: a process $process_name$ was executed in $dest$ to create stored credentials mitre_attack_id: - T1555 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index 16c628c73f..19a1bef08d 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml 
@@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Deletion id: 46d676aa-40c6-4fe6-b917-d23b621f0f89 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -50,45 +50,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $process_name$ was executed on $dest$ to delete stored credentials + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - DarkGate Malware asset_type: Endpoint - confidence: 80 - impact: 80 - message: a process $process_name$ was executed in $dest$ to delete stored credentials mitre_attack_id: - T1555 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml index 7ebede5ea1..c8225b75ad 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_query.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml 
@@ -1,17 +1,38 @@ name: Windows Credentials from Password Stores Query id: db02d6b4-5d5b-4c33-8d8f-f0577516a8c7 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is often abused by post-exploitation tools like winpeas, commonly used in ransomware attacks to list stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it indicates potential credential harvesting, which can lead to privilege escalation and persistence. If confirmed malicious, attackers could gain unauthorized access to sensitive information and maintain control over compromised systems for further exploitation. +description: The following analytic detects the execution of the Windows OS tool cmdkey.exe, + which is often abused by post-exploitation tools like winpeas, commonly used in + ransomware attacks to list stored usernames, passwords, or credentials. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution logs. This activity is significant as it indicates potential credential + harvesting, which can lead to privilege escalation and persistence. If confirmed + malicious, attackers could gain unauthorized access to sensitive information and + maintain control over compromised systems for further exploitation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/list*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" + OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/list*" + by Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this tool for auditing process. references: - https://ss64.com/nt/cmdkey.html 
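Review bot: the `where` clause in the reflowed `search` mixes `OR` and `AND` without parentheses: `Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/list*"`. Splunk's documented evaluation order handles OR clauses before AND clauses, the reverse of most languages, so this is read as `(name OR original_file_name) AND process="*/list*"` by the search processor but as `name OR (original_file_name AND process)` by most reviewers; if the latter were the interpretation, every cmdkey.exe execution would fire regardless of `/list`, which is exactly the case the `known_false_positives` note about administrators is worried about. Suggest making the intent explicit: `(Processes.process_name="cmdkey.exe" OR Processes.original_file_name="cmdkey.exe") AND Processes.process="*/list*"`.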
@@ -23,50 +44,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $process_name$ was executed on $dest$ to display stored username + and credentials. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware - DarkGate Malware asset_type: Endpoint - confidence: 50 - impact: 50 - message: a process $process_name$ was executed in $dest$ to display stored username and credentials. 
mitre_attack_id: - T1555 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml index 1c02d241f5..f597206fbb 100644 --- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml +++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml 
@@ -1,20 +1,25 @@ name: Windows Credentials from Web Browsers Saved in TEMP Folder id: b36b23ea-763c-417b-bd4a-6a378dabad1a -version: 1 -date: '2024-09-24' +version: 2 +date: '2024-11-13' author: Teoderick Contreras, Splunk -data_sources: +data_source: - Sysmon Event ID 11 type: TTP status: production -description: The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" - by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_from_web_browsers_saved_in_temp_folder_filter`' +description: The following analytic detects the creation of files containing passwords, + cookies, and saved login account information by the Braodo stealer malware in temporary + folders. Braodo often collects these credentials from browsers and applications, + storing them in temp directories before exfiltration. This detection focuses on + monitoring for the creation of files with patterns or formats commonly associated + with stolen credentials. 
By identifying these activities, security teams can take + needed action to prevent sensitive login data from being leaked, reducing the risk + of unauthorized access to user accounts and systems. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("login*", + "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name + Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_web_browsers_saved_in_temp_folder_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, 
@@ -30,40 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A known credential file name - [$file_name$] was saved in %temp% folder + of [$dest$]. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Braodo Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: A known credential file name - [$file_name$] was saved in %temp% folder of [$dest$]. 
mitre_attack_id: - T1555.003 - T1555 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml index d42f2d9df7..5465160a3a 100644 --- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml +++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml 
@@ -1,17 +1,41 @@ name: Windows Credentials in Registry Reg Query id: a8b3124e-2278-4b73-ae9c-585117079fb2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies processes querying the registry for potential passwords or credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that access specific registry paths known to store sensitive information. This activity is significant as it may indicate credential theft attempts, often used by adversaries or post-exploitation tools like winPEAS. If confirmed malicious, this behavior could lead to privilege escalation, persistence, or lateral movement within the network, posing a severe security risk. +description: The following analytic identifies processes querying the registry for + potential passwords or credentials. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions that access specific + registry paths known to store sensitive information. This activity is significant + as it may indicate credential theft attempts, often used by adversaries or post-exploitation + tools like winPEAS. If confirmed malicious, this behavior could lead to privilege + escalation, persistence, or lateral movement within the network, posing a severe + security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process IN ("*\\Software\\ORL\\WinVNC3\\Password*", "*\\SOFTWARE\\RealVNC\\WinVNC4 /v password*", "*\\CurrentControlSet\\Services\\SNMP*", "*\\Software\\TightVNC\\Server*", "*\\Software\\SimonTatham\\PuTTY\\Sessions*", "*\\Software\\OpenSSH\\Agent\\Keys*", "*password*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process + = "* query *" AND Processes.process IN ("*\\Software\\ORL\\WinVNC3\\Password*", + "*\\SOFTWARE\\RealVNC\\WinVNC4 /v password*", "*\\CurrentControlSet\\Services\\SNMP*", + "*\\Software\\TightVNC\\Server*", "*\\Software\\SimonTatham\\PuTTY\\Sessions*", + "*\\Software\\OpenSSH\\Agent\\Keys*", "*password*") by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_credentials_in_registry_reg_query_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1552/002/ 
@@ -23,50 +47,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: reg query commandline $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: reg query commandline $process$ in $dest$ mitre_attack_id: - T1552.002 - T1552 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - 
- Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index d0fc9fffb1..fc5ad0009f 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -1,7 +1,7 @@ name: Windows Curl Download to Suspicious Path id: c32f091e-30db-11ec-8738-acde48001122 -version: '5' -date: '2024-11-28' +version: 8 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: TTP 
@@ -53,54 +53,36 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ to download a file to a suspicious directory. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - - IcedID - - Compromised Windows Host - Ingress Tool Transfer - Forest Blizzard + - IcedID + - Nexus APT Threat Activity + - Compromised Windows Host + - Earth Estries asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ to download a file to a suspicious directory. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml index cbb649a70e..8b99b345c5 100644 
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml +++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml @@ -1,7 +1,7 @@ name: Windows Curl Upload to Remote Destination id: 42f8f1a2-4228-11ec-aade-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,56 +51,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ uploading a file to a remote destination. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Ingress Tool Transfer asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ uploading a file to a remote destination. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml index 474a808302..2eeeeb2fdd 100644 --- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml +++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml 
@@ -1,17 +1,32 @@ name: Windows Data Destruction Recursive Exec Files Deletion id: 3596a799-6320-4a2f-8772-a9e98ddb2960 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations. +description: The following analytic identifies a suspicious process that is recursively + deleting executable files on a compromised host. It leverages Sysmon Event Codes + 23 and 26 to detect this activity by monitoring for a high volume of deletions or + overwrites of files with extensions like .exe, .sys, and .dll. This behavior is + significant as it is commonly associated with destructive malware such as CaddyWiper, + DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed + malicious, this activity could lead to significant data loss and system instability, + severely impacting business operations. 
data_source: - Sysmon EventID 23 - Sysmon EventID 26 -search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`' -how_to_implement: To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -known_false_positives: The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives. +search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") + | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) + as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, + process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`' +how_to_implement: To successfully implement this search, you need to ingest logs that + include the process name, TargetFilename, and ProcessID executions from your endpoints. + If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. +known_false_positives: The uninstallation of a large software application or the use + of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false + positives. 
references: - https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/ drilldown_searches: 
@@ -20,51 +35,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process $process_name$ has removed a significant quantity of executable + files, totaling [$count$], from the destination $dest$. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: deleted_files + type: file_name tags: analytic_story: - Swift Slicer - Data Destruction - Handala Wiper asset_type: Endpoint - confidence: 80 - impact: 80 - message: The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$. 
mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: deleted_files - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - TargetFilename - - dest - - user - - signature_id - - process_name - - process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml index 3d47e73552..19bcd73533 100644 --- a/detections/endpoint/windows_debugger_tool_execution.yml +++ b/detections/endpoint/windows_debugger_tool_execution.yml 
@@ -1,15 +1,34 @@ name: Windows Debugger Tool Execution id: e14d94a3-07fb-4b47-8406-f5e37180d422 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: [] type: Hunting status: production -description: This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "x32dbg.exe" OR Processes.process_name = "x64dbg.exe" OR Processes.process_name = "windbg.exe" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_debugger_tool_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrator or IT professional may execute this application for verifying files or debugging application. +description: This analysis detects the use of debugger tools within a production environment. + While these tools are legitimate for file analysis and debugging, they are abused + by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query + aids Security Operations Centers (SOCs) in identifying potentially suspicious tool + executions, particularly for non-technical users in the production network. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "x32dbg.exe" + OR Processes.process_name = "x64dbg.exe" OR Processes.process_name = "windbg.exe" + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_debugger_tool_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrator or IT professional may execute this application + for verifying files or debugging application. references: - https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html - https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html @@ -18,40 +37,17 @@ tags: - DarkGate Malware - PlugX asset_type: Endpoint - confidence: 30 - impact: 30 - message: a debugger $process_name$ is executed in $dest$ mitre_attack_id: - T1036 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/debugger_execution/debugger.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/debugger_execution/debugger.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml index f16f240923..d2fb815e5d 100644 --- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml +++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml 
@@ -1,18 +1,39 @@ name: Windows Defacement Modify Transcodedwallpaper File id: e11c3d90-5bc7-42ad-94cd-ba75db10d897 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies modifications to the TranscodedWallpaper file in the wallpaper theme directory, excluding changes made by explorer.exe. This detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to correlate process activity with file modifications. This activity is significant as it may indicate an adversary attempting to deface or change the desktop wallpaper of a targeted host, a tactic often used to signal compromise or deliver a message. If confirmed malicious, this could be a sign of unauthorized access and tampering, potentially leading to further system compromise or data exfiltration. +description: The following analytic identifies modifications to the TranscodedWallpaper + file in the wallpaper theme directory, excluding changes made by explorer.exe. This + detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to + correlate process activity with file modifications. This activity is significant + as it may indicate an adversary attempting to deface or change the desktop wallpaper + of a targeted host, a tactic often used to signal compromise or deliver a message. + If confirmed malicious, this could be a sign of unauthorized access and tampering, + potentially leading to further system compromise or data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !="*\\Windows\\Explorer.EXE" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: 3rd part software application can change the wallpaper. Filter is needed. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_path !="*\\Windows\\Explorer.EXE" by _time span=1h Processes.process_id + Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name + | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, + _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.file_path = "*\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" + by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name + Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` + |rename process_guid as proc_guid | fields file_name file_path process_name process_path + process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: 3rd part software application can change the wallpaper. Filter + is needed. references: - https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a 
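Review bot: the reflowed `known_false_positives` and `how_to_implement` values in this hunk keep the existing wording errors rather than fixing them while the lines are being touched anyway. `3rd part software application can change the wallpaper. Filter is needed.` should read "Third-party software applications can change the wallpaper; filter as needed.", and `ingesting information on process that include the name of the process` should read "ingesting process information that includes the name of the process". Since the version and date are already bumped for this change, correcting the text here costs nothing.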
@@ -22,46 +43,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modification or creation of transcodedwallpaper file by $process_name$ + on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 30 - impact: 30 - message: modification or creation of transcodedwallpaper file by $process_name$ in $dest$ mitre_attack_id: - T1491 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - file_create_time - - file_name - - file_path - - process_name - - process_path - - process - 
risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml index bc24c42541..0f8ba948b0 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified.yml 
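Review bot: `- update_timestamp: true` is dropped from the test block in this hunk without a corresponding change in the other detections in this patch, which only reflow the `data:` URL. If the test harness in the pinned contentctl version no longer honors `update_timestamp`, say so in the commit message; otherwise this silently changes how the Brute Ratel sysmon.log dataset is replayed for the True Positive Test. The `rba` block itself is consistent with the removed fields: `score: 9` matches the old `risk_score: 9` and `process_name` carries over as the threat object.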
@@ -1,16 +1,34 @@ name: Windows Default Group Policy Object Modified id: fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Windows Event Log Security 5136 -description: The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts. -search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`' -how_to_implement: To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. 
-known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. +description: The following analytic detects modifications to default Group Policy + Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers + Policy` and `Default Domain Policy`, which are critical for enforcing security settings + across domain controllers and all users/computers, respectively. This activity is + significant because unauthorized changes to these GPOs can indicate an adversary + with privileged access attempting to deploy persistence mechanisms or execute malware + across the network. If confirmed malicious, such modifications could lead to widespread + compromise, allowing attackers to maintain control and execute arbitrary code on + numerous hosts. +search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber + (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" + OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*") + | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid + AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`' +how_to_implement: To successfully implement this search, the Advanced Security Audit + policy setting `Audit Directory Service Changes` within `DS Access` needs to be + enabled. Furthermore, the appropriate system access control lists (SACL) need to + be created as the used events are not logged by default. A good guide to accomplish + this can be found here https://jgspiers.com/audit-group-policy-changes/. 
+known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 
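Review bot: the header hunk bumps `-version: 4` to `+version: 6`, skipping 5, while the other files in this patch step by one (3 to 4, 4 to 5). If an intermediate version was published from another branch this is fine, but otherwise the skipped number will confuse anyone diffing releases; the same double bump appears in the GPME detection further down. The search and description changes in this hunk are pure reflows and look correct; the `ObjectDN` GUID filters for the two default GPOs are unchanged.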
@@ -22,47 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A default group policy object was modified on $Computer$ by $SubjectUserSid$ + risk_objects: + - field: Computer + type: system + score: 50 + - field: SubjectUserSid + type: user + score: 50 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 50 - impact: 100 - message: A default group policy object was modified on $Computer$ by $SubjectUserSid$ mitre_attack_id: - T1484 - T1484.001 - observable: - - name: SubjectUserSid - type: User - role: - - Attacker - - name: Computer - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - 
ObjectClass - - AttributeLDAPDisplayName - - ObjectDN - - Computer - - DSName - - AttributeValue - - SubjectUserSid - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml index 6b20831e80..732f0e172d 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml @@ -1,7 +1,7 @@ name: Windows Default Group Policy Object Modified with GPME id: eaf688b3-bb8f-454d-b105-920a862cd8cb -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP 
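Review bot: the new `rba` block makes `SubjectUserSid` a `user` risk object with `score: 50` and leaves `threat_objects: []`, whereas the removed `observable` entry gave `SubjectUserSid` the role `Attacker`. If the intent is that the modifying account accrues risk alongside the domain controller, this is the right mapping; if the user SID was meant to remain a pivot for threat-object correlation, it needs an entry under `threat_objects`. Either way the commit message should state the choice, because the old role information is lost in this conversion.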
@@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects modifications to default Group Policy Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with specific GUIDs related to default GPOs. This activity is significant because default GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, are critical for enforcing security policies across the domain. If malicious, such modifications could allow an attacker to gain further access, establish persistence, or deploy malware across numerous hosts, severely compromising the network's security. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. +description: The following analytic detects modifications to default Group Policy + Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the + Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with + specific GUIDs related to default GPOs. This activity is significant because default + GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, + are critical for enforcing security policies across the domain. If malicious, such + modifications could allow an attacker to gain further access, establish persistence, + or deploy malware across numerous hosts, severely compromising the network's security. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe + (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" + OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 
@@ -25,55 +47,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A default group policy object was opened with Group Policy Manage Editor + on $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 50 - impact: 100 - message: A default group policy object was opened with Group Policy Manage Editor on $dest$ mitre_attack_id: - T1484 - T1484.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - 
Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml index 0381c2fa6b..4a54fc7211 100644 --- a/detections/endpoint/windows_defender_asr_audit_events.yml +++ b/detections/endpoint/windows_defender_asr_audit_events.yml @@ -1,7 +1,7 @@ name: Windows Defender ASR Audit Events id: 0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly 
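Review bot: two issues in this hunk. First, the new `rba.message` carries over the typo from the removed `message`: `A default group policy object was opened with Group Policy Manage Editor on $dest$` should read "Group Policy Management Editor", matching the description. Second, the test keeps `source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` but points at `attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log`, the same dataset used by the Event ID 5136 detection immediately above; this search runs over `Endpoint.Processes` (Sysmon 1 / Security 4688 / ProcessRollup2), so confirm the dataset actually contains `mmc.exe` process events with the `gpme.msc` command line, otherwise the True Positive Test cannot match.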
@@ -11,10 +11,28 @@ data_source: - Windows Event Log Defender 1126 - Windows Event Log Defender 1132 - Windows Event Log Defender 1134 -description: This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes. -search: '`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. -known_false_positives: False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only. 
+description: This detection searches for Windows Defender ASR audit events. ASR is + a feature of Windows Defender Exploit Guard that prevents actions and apps that + are typically used by exploit-seeking malware to infect machines. ASR rules are + applied to processes and applications. When a process or application attempts to + perform an action that is blocked by an ASR rule, an event is generated. This detection + searches for ASR audit events that are generated when a process or application attempts + to perform an action that would be blocked by an ASR rule, but is allowed to proceed + for auditing purposes. +search: '`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) + as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, + ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore + the analytic will need to be modified for each type of event. +known_false_positives: False positives are expected from legitimate applications generating + events that are similar to those generated by malicious activity. For example, Event + ID 1122 is generated when a process attempts to load a DLL that is blocked by an + ASR rule. This can be triggered by legitimate applications that attempt to load + DLLs that are not blocked by ASR rules. This is audit only. references: - https://asrgen.streamlit.app/ drilldown_searches: 
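Review bot: EventCode 1126 is listed in this audit search (`EventCode IN (1122, 1125, 1126, 1132, 1134)`) and in the block search of `windows_defender_asr_block_events.yml` later in this patch (`EventCode IN (1121, 1126, 1129, 1131, 1133)`). The `how_to_implement` text in this same hunk states that audit and block event IDs carry different fields, so one of the two detections is grouping by fields that 1126 may not have, and the event will raise two risk events at different scores. Confirm which category 1126 belongs to and remove it from the other search. Minor: `setup a new input` should read "set up a new input".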
@@ -23,42 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: ASR audit event, $ASR_Rule$, was triggered on $dest$. + risk_objects: + - field: dest + type: system + score: 5 + threat_objects: [] tags: analytic_story: - Windows Attack Surface Reduction asset_type: Endpoint atomic_guid: [] - confidence: 50 - impact: 10 - message: ASR audit event, $ASR_Rule$, was triggered on $dest$. 
mitre_attack_id: - T1059 - T1566.001 - T1566.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 5 - required_fields: - - host - - Process_Name - - Target_Commandline - - ID - - EventCode - - ASR_Rule security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_audit.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml index 5ff8ed519b..8192e5b189 100644 --- a/detections/endpoint/windows_defender_asr_block_events.yml +++ b/detections/endpoint/windows_defender_asr_block_events.yml @@ -1,7 +1,7 @@ name: Windows Defender ASR Block Events id: 026f5f4e-e99f-4155-9e63-911ba587300b -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly 
@@ -11,10 +11,29 @@ data_source: - Windows Event Log Defender 1129 - Windows Event Log Defender 1131 - Windows Event Log Defender 1133 -description: This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -search: '`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. -known_false_positives: False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. 
This is block only. +description: This detection searches for Windows Defender ASR block events. ASR is + a feature of Windows Defender Exploit Guard that prevents actions and apps that + are typically used by exploit-seeking malware to infect machines. ASR rules are + applied to processes and applications. When a process or application attempts to + perform an action that is blocked by an ASR rule, an event is generated. This detection + searches for ASR block events that are generated when a process or application attempts + to perform an action that is blocked by an ASR rule. Typically, these will be enabled + in block most after auditing and tuning the ASR rules themselves. Set to TTP once + tuned. +search: '`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) + as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, + ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore + the analytic will need to be modified for each type of event. +known_false_positives: False positives are expected from legitimate applications generating + events that are similar to those generated by malicious activity. For example, Event + ID 1122 is generated when a process attempts to load a DLL that is blocked by an + ASR rule. This can be triggered by legitimate applications that attempt to load + DLLs that are not blocked by ASR rules. This is block only. references: - https://asrgen.streamlit.app/ drilldown_searches: 
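Review bot: the reflowed `known_false_positives` still cites `Event ID 1122 is generated when a process attempts to load a DLL`, but 1122 is not in this search's `EventCode IN (1121, 1126, 1129, 1131, 1133)` list; it is in the audit detection's list. The example should reference an event code this search actually matches, or the sentence should be dropped and only `This is block only.` kept. Also note the description still says `Set to TTP once tuned.` while the header hunk leaves `type: Anomaly` unchanged, which is fine as guidance but worth keeping consistent with the new `score: 45`.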
@@ -23,46 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: ASR block event, $ASR_Rule$, was triggered on $dest$. + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: [] tags: analytic_story: - Windows Attack Surface Reduction asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 50 - message: ASR block event, $ASR_Rule$, was triggered on $dest$. 
mitre_attack_id: - T1059 - T1566.001 - T1566.002 - observable: - - name: ASR_Rule - type: Unknown - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - host - - Process_Name - - Path - - ID - - EventCode - - ASR_Rule security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_block.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_block.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_asr_registry_modification.yml b/detections/endpoint/windows_defender_asr_registry_modification.yml index 17420d6e22..d79a433c88 100644 --- a/detections/endpoint/windows_defender_asr_registry_modification.yml +++ b/detections/endpoint/windows_defender_asr_registry_modification.yml 
@@ -1,16 +1,39 @@ name: Windows Defender ASR Registry Modification id: 6a1b6cbe-6612-44c3-92b9-1a1bd77412eb -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting data_source: - Windows Event Log Defender 5007 -description: The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches. -search: '`ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. 
In addition, it does require a lookup that maps the ID to ASR Rule name. -known_false_positives: False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules. +description: The following analytic detects modifications to Windows Defender Attack + Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational + logs, specifically EventCode 5007, to identify changes in ASR rules. This activity + is significant because ASR rules are designed to block actions commonly used by + malware to exploit systems. Unauthorized modifications to these settings could indicate + an attempt to weaken system defenses. If confirmed malicious, this could allow an + attacker to bypass security measures, leading to potential system compromise and + data breaches. 
+search: '`ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" + | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" + | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", + "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval + Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", + "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | stats + count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, + Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT + ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` + | `windows_defender_asr_registry_modification_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. +known_false_positives: False positives are expected from legitimate applications generating + events that are similar to those generated by malicious activity. For example, Event + ID 5007 is generated when a process attempts to modify a registry key that is related + to ASR rules. This can be triggered by legitimate applications that attempt to modify + registry keys that are not blocked by ASR rules. references: - https://asrgen.streamlit.app/ tags: 
@@ -18,32 +41,17 @@ tags: - Windows Attack Surface Reduction asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 50 - message: ASR registry modification event, $ASR_Rule$, was triggered on $dest$. mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 - required_fields: - - host - - New_Value - - Old_Value - - Old_Registry_Value - - New_Registry_Value - - ASR_Rule security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml index ec7a0c62cc..8fda9c7200 100644 --- a/detections/endpoint/windows_defender_asr_rule_disabled.yml +++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml 
@@ -1,16 +1,36 @@ name: Windows Defender ASR Rule Disabled id: 429d611b-3183-49a7-b235-fc4203c4e1cb -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Windows Event Log Defender 5007 -description: The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled. -search: '`ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | search New_Registry_Value="Disabled" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. 
-known_false_positives: False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive. +description: The following analytic identifies when a Windows Defender ASR rule disabled + events. ASR is a feature of Windows Defender Exploit Guard that prevents actions + and apps that are typically used by exploit-seeking malware to infect machines. + ASR rules are applied to processes and applications. When a process or application + attempts to perform an action that is blocked by an ASR rule, an event is generated. + This detection searches for ASR rule disabled events that are generated when an + ASR rule is disabled. +search: '`ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" + | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" + | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", + "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval + Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", + "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | search + New_Registry_Value="Disabled" | stats count min(_time) as firstTime max(_time) as + lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, + ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. 
+known_false_positives: False positives may occur if applications are typically disabling + ASR rules in the environment. Monitor for changes to ASR rules to determine if this + is a false positive. references: - https://asrgen.streamlit.app/ drilldown_searches: 
@@ -19,44 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: ASR rule disabled event, $ASR_Rule$, was triggered on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Windows Attack Surface Reduction asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 100 - message: ASR rule disabled event, $ASR_Rule$, was triggered on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: ASR_Rule - type: Unknown - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - host - - New_Value - - Old_Value - - Old_Registry_Value - - New_Registry_Value - - ASR_Rule security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_asr_rules_stacking.yml b/detections/endpoint/windows_defender_asr_rules_stacking.yml index a9882d1b2b..40983214b4 100644 --- a/detections/endpoint/windows_defender_asr_rules_stacking.yml +++ b/detections/endpoint/windows_defender_asr_rules_stacking.yml @@ -1,7 +1,7 @@ name: Windows Defender ASR Rules Stacking id: 425a6657-c5e4-4cbb-909e-fc9e5d326f01 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting 
@@ -15,10 +15,31 @@ data_source: - Windows Event Log Defender 1133 - Windows Event Log Defender 1134 - Windows Event Log Defender 5007 -description: The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations. -search: '`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired. 
-known_false_positives: False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity. +description: The following analytic identifies security events from Microsoft Defender, + focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects + Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, + 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while + Event ID 5007 signals configuration changes. This detection uses a lookup to correlate + ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying + unauthorized operations, potential security breaches, and policy enforcement issues. + If confirmed malicious, attackers could bypass security measures, execute unauthorized + actions, or alter system configurations. +search: '`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, + 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host + Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT + ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + rename host as dest | `windows_defender_asr_rules_stacking_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore + the analytic will need to be modified for each type of event. The analytic can be + modified to look for specific ASR rules, or to look for specific Event IDs. EventID + 5007 is a change in the registry, and may be a false positive. 
This can be removed + from the search if desired. +known_false_positives: False positives are not expected with this analytic, since + it is a hunting analytic. It is meant to show the use of ASR rules and how they + can be used to detect malicious activity. references: - https://asrgen.streamlit.app/ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide @@ -27,38 +48,19 @@ tags: - Windows Attack Surface Reduction asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 50 - message: An ASR rule, $ASR_Rule$, was triggered on $dest$. mitre_attack_id: - T1566.001 - T1566.002 - T1059 - observable: - - name: ASR_Rule - type: Unknown - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 - required_fields: - - host - - Parent_Commandline - - Target_Commandline - - ID - - EventCode - - ASR_Rule security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 7b705436d4..7391597697 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml 
@@ -5,15 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected. +description: The following analytic detects modifications to the Windows Defender + exclusion registry entries. It leverages endpoint registry data to identify changes + in the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*". + This activity is significant because adversaries often modify these entries to bypass + Windows Defender, allowing malicious code to execute without detection. If confirmed + malicious, this behavior could enable attackers to evade antivirus defenses, maintain + persistence, and execute further malicious activities undetected. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") - BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows + Defender\\Exclusions\\*") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -29,9 +35,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Exclusion registry $registry_path$ modified or added on $dest$ for Windows + Defender + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Remcos 
@@ -41,37 +63,18 @@ tags: - Warzone RAT - ValleyRAT asset_type: Endpoint - confidence: 80 - impact: 80 - message: Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index 13706abb70..bcb293d9d4 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -1,7 +1,7 @@ name: Windows Delete or Modify System Firewall id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,9 +9,28 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies 'netsh' processes that delete or modify firewall configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific keywords. This activity is significant because it can indicate malware, such as NJRAT, attempting to alter firewall settings to evade detection or remove traces. If confirmed malicious, this behavior could allow an attacker to disable security measures, facilitating further compromise and persistence within the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* firewall *" Processes.process = "* del*" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+description: The following analytic identifies 'netsh' processes that delete or modify + firewall configurations. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions containing specific keywords. + This activity is significant because it can indicate malware, such as NJRAT, attempting + to alter firewall settings to evade detection or remove traces. If confirmed malicious, + this behavior could allow an attacker to disable security measures, facilitating + further compromise and persistence within the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process + = "* firewall *" Processes.process = "* del*" by Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process_id Processes.process_guid Processes.process + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrator may modify or delete firewall configuration. 
references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat 
@@ -21,44 +40,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A $process_name$ deleted a firewall configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - NjRAT - ShrinkLocker asset_type: Endpoint - confidence: 60 - impact: 60 - message: A $process_name$ deleted a firewall configuration on $dest$ mitre_attack_id: - T1562 - T1562.004 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml index 6988eed160..cea12cb9f7 100644 --- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml +++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml 
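Review bot: `threat_objects: []` in the new `rba` block of the `@@ -21,44 +40,38 @@` hunk above (the njRAT firewall-deletion detection) leaves the risk message `A $process_name$ deleted a firewall configuration on $dest$` with no threat object, even though `Processes.process_name` was among the removed `required_fields` and is available in each result. Consider `threat_objects: - field: process_name type: process_name`, as the network scanner conversion later in this same patch does. The score of 36 does correctly preserve the removed confidence 60 x impact 60 / 100.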
@@ -1,17 +1,42 @@ name: Windows Deleted Registry By A Non Critical Process File Path id: 15e70689-f55b-489e-8a80-6d0cd6d8aad2 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services. +description: The following analytic detects the deletion of registry keys by non-critical + processes. It leverages Endpoint Detection and Response (EDR) data, focusing on + registry deletion events and correlating them with processes not typically associated + with system or program files. This activity is significant as it may indicate malware, + such as the Double Zero wiper, attempting to evade defenses or cause destructive + payload impacts. If confirmed malicious, this behavior could lead to significant + system damage, loss of critical configurations, and potential disruption of services. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN ("*\\windows\\*", "*\\program files*")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This detection can catch for third party application updates or installation. In this scenario false positive filter is needed. 
+search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry + WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path + Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data + Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats + `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT + (Processes.process_path IN ("*\\windows\\*", "*\\program files*")) by _time span=1h + Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] + | fields _time parent_process_name parent_process process_name process_path process + process_guid registry_path registry_value_name registry_value_data registry_key_name + action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This detection can catch for third party application updates + or installation. In this scenario false positive filter is needed. 
references: - https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html drilldown_searches: 
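Review bot: the rewrapped `known_false_positives` in the `@@ -1,17 +1,42 @@` hunk above keeps the ungrammatical `This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.`; since the line is being touched anyway, reword it to something like `This detection may trigger on third-party application updates or installations; add those to the filter macro.` (the macro is the `windows_deleted_registry_by_a_non_critical_process_file_path_filter` named at the end of the search).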
@@ -20,49 +45,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The registry was deleted by a suspicious process named $process_name$ with + the process path $process_path$ on dest $dest$. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Data Destruction - Double Zero Destructor asset_type: Endpoint - confidence: 60 - impact: 60 - message: The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml index 9fc1b34e46..3db7828a2b 100644 --- a/detections/endpoint/windows_detect_network_scanner_behavior.yml +++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml 
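Review bot: same gap as in the njRAT conversion above: `threat_objects: []` although the message `The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.` names the process, and `process_name` is carried through by the search's `fields` clause. Add a `process_name` threat object so the process appears on the threat side of the risk event rather than only in the message text.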
@@ -1,76 +1,63 @@ -name: Windows Detect Network Scanner Behavior -id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7 -version: 1 -date: '2024-12-26' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation. -data_source: -- Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m -| `drop_dm_object_name(All_Traffic)` -| rex field=app ".*\\\(?.*)$" -| where port_count > 10 OR dest_count > 10 -| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `windows_detect_network_scanner_behavior_filter`' -how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel. -known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. 
Adjusted port/dest count thresholds as needed. -references: -- https://attack.mitre.org/techniques/T1595 -drilldown_searches: -- name: View the detection results for - "$src$" and "$user$" - search: '%original_detection_search% | search src = "$src$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -tags: - analytic_story: - - Network Discovery - - Windows Discovery Techniques - asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$ - mitre_attack_id: - - T1595 - - T1595.001 - - T1595.002 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - All_Traffic.dest_port - - host - - All_Traffic.app - - All_Traffic.src - - All_Traffic.src_ip - - All_Traffic.user - - _time - risk_score: 25 - security_domain: network -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: 
XmlWinEventLog +name: Windows Detect Network Scanner Behavior +id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7 +version: 3 +date: '2025-01-09' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation. +data_source: +- Sysmon EventID 3 +search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m +| `drop_dm_object_name(All_Traffic)` +| rex field=app ".*\\\(?.*)$" +| where port_count > 10 OR dest_count > 10 +| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `windows_detect_network_scanner_behavior_filter`' +how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel. +known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. 
Adjusted port/dest count thresholds as needed. +references: +- https://attack.mitre.org/techniques/T1595 +drilldown_searches: +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$ + risk_objects: + - field: src + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Network Discovery + - Windows Discovery Techniques + asset_type: Endpoint + mitre_attack_id: + - T1595 + - T1595.001 + - T1595.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
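Review bot: the `@@ -1,76 +1,63 @@` hunk above removes and re-adds every line of windows_detect_network_scanner_behavior.yml although most lines are identical, which usually indicates a line-ending or trailing-whitespace change; normalise the file so the diff shows only the real changes (`version: 1` to `version: 3`, the date bump, and the `rba` block replacing `confidence`/`impact`/`message`/`observable`/`required_fields`/`risk_score`). Two smaller points while it is open: the version jumps from 1 to 3 in a single change, and `Adjusted port/dest count thresholds as needed.` in `known_false_positives` should read `Adjust`. Also, the rex as rendered here, `".*\\\(?.*)$"`, shows no capture-group name, yet the later `stats ... by host,user,app,process_name` depends on a `process_name` field; confirm the file carries a named group for it.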
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index 82405699dc..3b51f5480c 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml 
@@ -5,11 +5,19 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" with a value of "0x00000001". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network. +description: The following analytic detects a suspicious registry modification that + disables the Change Password feature on a Windows host. It identifies changes to + the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" + with a value of "0x00000001". This activity is significant as it can prevent users + from changing their passwords, a tactic often used by ransomware to maintain control + over compromised systems. If confirmed malicious, this could hinder user response + to an attack, allowing the attacker to persist and potentially escalate their access + within the network. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) 
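Review bot: in the rewrapped search of the `@@ -5,11 +5,19 @@` hunk above, `| where isnotnull(registry_value_data)` is a no-op because the tstats WHERE clause already requires `Registry.registry_value_data = "0x00000001"`; drop it, or keep it only if the intent is to guard against a future widening of the WHERE clause.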
@@ -29,41 +37,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification in "DisableChangePassword" on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Ransomware - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry modification in "DisableChangePassword" on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: 
True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index fa53d6951d..3d56cc753b 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml 
@@ -5,13 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" with a value of "0x00000001". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption. +description: The following analytic detects a suspicious registry modification that + disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" + with a value of "0x00000001". This activity is significant because it prevents users + from locking their screens, a tactic often used by malware, including ransomware, + to maintain control over compromised systems. If confirmed malicious, this could + allow attackers to sustain their presence and execute further malicious actions + without user interruption. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" - Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -28,42 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification in "DisableLockWorkstation" on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Ransomware - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry modification in "DisableLockWorkstation" on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index 5ed288b00c..fe2aae6ba1 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml 
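Review bot: the new `rba` block in the `@@ -28,42 +36,38 @@` hunk above declares only `dest` as a risk object, but the search in the preceding hunk groups `BY Registry.dest Registry.user ...`, so `user` is available per result; consider adding `- field: user type: user score: 49` alongside `dest`, as the network scanner conversion in this patch does, so the account the change was made under accrues risk as well.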
@@ -5,16 +5,23 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system. +description: The following analytic detects a suspicious registry modification that + disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry + data model to identify changes to specific registry values associated with logoff + functionality. This activity is significant because it can indicate ransomware attempting + to make the compromised host unusable and hinder remediation efforts. If confirmed + malicious, this action could prevent users from logging off, complicate incident + response, and allow attackers to maintain persistence and control over the affected + system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data - = "0x00000001") BY Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' + = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -32,41 +39,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification in "NoLogOff" on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Ransomware - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry modification in "NoLogOff" on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - 
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml index 83dddbadbf..d550077307 100644 --- a/detections/endpoint/windows_disable_memory_crash_dump.yml +++ b/detections/endpoint/windows_disable_memory_crash_dump.yml 
@@ -1,15 +1,30 @@ name: Windows Disable Memory Crash Dump id: 59e54602-9680-11ec-a8a6-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss. +description: The following analytic detects attempts to disable the memory crash dump + feature on Windows systems by setting the registry value to 0. It leverages data + from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled + registry key. This activity is significant because disabling crash dumps can hinder + forensic analysis and incident response efforts. If confirmed malicious, this action + could be part of a broader attack strategy, such as data destruction or system destabilization, + as seen with HermeticWiper, potentially leading to significant operational disruptions + and data loss. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled") AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled") + AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` + node. known_false_positives: unknown references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html 
@@ -20,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process was identified attempting to disable memory crash dumps on $dest$. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -30,37 +60,17 @@ tags: - Windows Registry Abuse - Hermetic Wiper asset_type: Endpoint - confidence: 100 - impact: 90 - message: A process was identified attempting to disable memory crash dumps on $dest$. mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index b558f88840..f767d9182e 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml 
@@ -5,15 +5,22 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableNotificationCenter" registry value set to "0x00000001." This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration. +description: The following analytic detects the modification of the Windows registry + to disable the Notification Center on a host machine. It leverages data from the + Endpoint.Registry data model, specifically looking for changes to the "DisableNotificationCenter" + registry value set to "0x00000001." This activity is significant because disabling + the Notification Center can be a tactic used by RAT malware to hide its presence + and subsequent actions. If confirmed malicious, this could allow an attacker to + operate stealthily, potentially leading to further system compromise and data exfiltration. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data - = "0x00000001") BY Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= + "DisableNotificationCenter" Registry.registry_value_data = "0x00000001") BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_disable_notification_center_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
@@ -27,45 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Windows notification center was disabled on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 48 + - field: dest + type: system + score: 48 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 80 - impact: 60 - message: The Windows notification center was disabled on $dest$ by $user$. 
mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index 91e1238744..b21faffa59 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -1,7 +1,7 @@ name: Windows Disable or Modify Tools Via Taskkill id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-22' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the use of taskkill.exe to forcibly terminate processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific taskkill parameters. This activity is significant because it can indicate attempts to disable security tools or disrupt legitimate applications, a common tactic in malware operations. If confirmed malicious, this behavior could allow attackers to evade detection, disrupt system stability, and potentially gain further control over the compromised system. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Network administrator can use this application to kill process during audit or investigation. +description: The following analytic identifies the use of taskkill.exe to forcibly + terminate processes. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions that include specific taskkill parameters. + This activity is significant because it can indicate attempts to disable security + tools or disrupt legitimate applications, a common tactic in malware operations. + If confirmed malicious, this behavior could allow attackers to evade detection, + disrupt system stability, and potentially gain further control over the compromised + system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" + Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_disable_or_modify_tools_via_taskkill_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Network administrator can use this application to kill process + during audit or investigation. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: 
@@ -21,48 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A taskkill process to terminate process is executed on host- $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - - NjRAT - PXA Stealer + - NjRAT + - Crypto Stealer asset_type: Endpoint - confidence: 60 - impact: 60 - message: A taskkill process to terminate process is executed on host- $dest$ mitre_attack_id: - T1562 - T1562.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Processes.dest - - Processes.user - - 
Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill/taskkill_im.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill/taskkill_im.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 865efdcd6b..3c49e0a8d1 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml 
@@ -1,19 +1,26 @@ name: Windows Disable or Stop Browser Process id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5 -version: 1 -date: '2024-09-24' +version: 2 +date: '2024-11-13' author: Teoderick Contreras, Splunk -data_sources: +data_source: - Sysmon Event ID 1 type: TTP status: production -description: The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process = "*taskkill*" Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe") - by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` +description: The following analytic detects the use of the taskkill command in a process + command line to terminate several known browser processes, a technique commonly + employed by the Braodo stealer malware to steal credentials. By forcefully closing + browsers like Chrome, Edge, and Firefox, the malware can unlock files that store + sensitive information, such as passwords and login data. This detection focuses + on identifying taskkill commands targeting these browsers, signaling malicious intent. 
+ Early detection allows security teams to investigate and prevent further credential + theft and system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*taskkill*" + Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe") + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_stop_browser_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -24,8 +31,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Admin or user may choose to terminate browser via taskkill.exe. Filter - as needed. +known_false_positives: Admin or user may choose to terminate browser via taskkill.exe. + Filter as needed. references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d 
@@ -35,50 +42,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process commandline- [$process$] that tries to kill browser on [$dest$]. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Braodo Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: A process commandline- [$process$] that tries to kill browser on [$dest$]. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index ce55014b80..69f099d60e 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml 
@@ -5,14 +5,21 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications. +description: The following analytic detects suspicious registry modifications that + disable the shutdown button on a user's logon screen. It leverages data from the + Endpoint.Registry data model, specifically monitoring changes to registry paths + associated with shutdown policies. This activity is significant because it is a + tactic used by malware, particularly ransomware like KillDisk, to hinder system + usability and prevent the removal of malicious changes. If confirmed malicious, + this could impede system recovery efforts, making it difficult to restart the machine + and remove other harmful modifications. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" - Registry.registry_value_data = "0x00000001")) BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001")) BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting 
@@ -30,41 +37,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification in "shutdownwithoutlogon" on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Ransomware - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry modification in "shutdownwithoutlogon" on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index 75a75d1b8c..5c03275ca5 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml @@ -1,7 +1,7 @@ name: Windows Disable Windows Event Logging Disable HTTP Logging id: 23fb6787-255f-4d5b-9a66-9fd7504032b5 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -54,6 +54,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - IIS Components 
@@ -61,55 +76,20 @@ tags: - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging. mitre_attack_id: - T1562.002 - T1562 - T1505 - T1505.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index b4e8203e5d..80f461f52a 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml 
@@ -1,16 +1,35 @@ name: Windows Disable Windows Group Policy Features Through Registry id: 63a449ae-9f04-11ec-945e-acde48001122 -version: 7 -date: '2024-12-08' +version: 8 +date: '2024-12-16' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment. +description: The following analytic detects suspicious registry modifications aimed + at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry + data model, focusing on specific registry paths and values associated with disabling + key Windows functionalities. This activity is significant because it is commonly + used by ransomware to hinder mitigation and forensic response efforts. If confirmed + malicious, this behavior could severely impair the ability of security teams to + analyze and respond to the attack, allowing the attacker to maintain control and + persist within the compromised environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 -known_false_positives: Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" + OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" + Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", + "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: Disabling these features for legitimate purposes is not a common + use case but can still be implemented by the administrators. Filter as needed. references: - https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis 
@@ -21,9 +40,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification to disable windows group policy features on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Ransomware 
@@ -31,33 +62,17 @@ tags: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry modification to disable windows group policy features on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml index c1b19cf2ec..abc8e88047 100644 --- a/detections/endpoint/windows_disableantispyware_registry.yml +++ b/detections/endpoint/windows_disableantispyware_registry.yml 
@@ -1,16 +1,33 @@ name: Windows DisableAntiSpyware Registry id: 23150a40-9301-4195-b802-5bb4f43067fb -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Rod Soto, Jose Hernandez, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the modification of the Windows Registry key "DisableAntiSpyware" being set to disable. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name "DisableAntiSpyware" with a value of "0x00000001". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise. +description: The following analytic detects the modification of the Windows Registry + key "DisableAntiSpyware" being set to disable. This detection leverages data from + the Endpoint.Registry datamodel, specifically looking for the registry value name + "DisableAntiSpyware" with a value of "0x00000001". This activity is significant + as it is commonly associated with Ryuk ransomware infections, indicating potential + malicious intent to disable Windows Defender. If confirmed malicious, this action + could allow attackers to disable critical security defenses, facilitating further + malicious activities such as data encryption, exfiltration, or additional system + compromise. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. 
Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ drilldown_searches: @@ -19,9 +36,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows DisableAntiSpyware registry key set to 'disabled' on $dest$ + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Azorult 
@@ -32,33 +61,18 @@ tags: - Windows Defense Evasion Tactics - CISA AA23-347A asset_type: Endpoint - confidence: 80 - impact: 30 - message: Windows DisableAntiSpyware registry key set to 'disabled' on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml index 10e8b7080c..0be876557c 100644 --- a/detections/endpoint/windows_diskcryptor_usage.yml +++ b/detections/endpoint/windows_diskcryptor_usage.yml 
@@ -1,18 +1,40 @@ name: Windows DiskCryptor Usage id: d56fe0c8-4650-11ec-a8fa-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of DiskCryptor, identified by the process names "dcrypt.exe" or "dcinst.exe". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. DiskCryptor is significant because adversaries use it to manually encrypt disks during an operation, potentially leading to data inaccessibility. If confirmed malicious, this activity could result in complete disk encryption, causing data loss and operational disruption. Immediate investigation is required to mitigate potential ransomware attacks. +description: The following analytic detects the execution of DiskCryptor, identified + by the process names "dcrypt.exe" or "dcinst.exe". This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + original file names. DiskCryptor is significant because adversaries use it to manually + encrypt disks during an operation, potentially leading to data inaccessibility. + If confirmed malicious, this activity could result in complete disk encryption, + causing data loss and operational disruption. Immediate investigation is required + to mitigate potential ransomware attacks. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe" + OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible false positives may be present based on the + internal name dcinst.exe, filter as needed. It may be worthy to alert on the service + name. references: - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ - https://github.com/DavidXanatos/DiskCryptor 
@@ -20,50 +42,17 @@ tags: analytic_story: - Ransomware asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks. mitre_attack_id: - T1486 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml index f0ccdbbf7d..ab85e79c51 100644 --- a/detections/endpoint/windows_diskshadow_proxy_execution.yml +++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml 
@@ -1,18 +1,39 @@ name: Windows Diskshadow Proxy Execution id: 58adae9e-8ea3-11ec-90f6-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Lou Stella, Splunk status: production type: TTP -description: The following analytic detects the use of DiskShadow.exe in scripting mode, which can execute arbitrary unsigned code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions with scripting mode flags. This activity is significant because DiskShadow.exe is typically used for legitimate backup operations, but its misuse can indicate an attempt to execute unauthorized code. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities. +description: The following analytic detects the use of DiskShadow.exe in scripting + mode, which can execute arbitrary unsigned code. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions with scripting + mode flags. This activity is significant because DiskShadow.exe is typically used + for legitimate backup operations, but its misuse can indicate an attempt to execute + unauthorized code. If confirmed malicious, this could lead to unauthorized code + execution, potentially compromising the system and allowing further malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter` +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* + OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_diskshadow_proxy_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators using the DiskShadow tool in their infrastructure + as a main backup tool with scripts will cause false positives that can be filtered + with `windows_diskshadow_proxy_execution_filter` references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ drilldown_searches: 
@@ -21,42 +42,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible Signed Binary Proxy Execution on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 70 - message: Possible Signed Binary Proxy Execution on $dest$ mitre_attack_id: - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Porcesses.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - Processes.parent_process_id - - Processes.original_file_name - risk_score: 49 security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_dism_install_powershell_web_access.yml b/detections/endpoint/windows_dism_install_powershell_web_access.yml index bd6bea68a1..bf908d0a4f 100644 --- a/detections/endpoint/windows_dism_install_powershell_web_access.yml +++ b/detections/endpoint/windows_dism_install_powershell_web_access.yml 
@@ -1,17 +1,39 @@ name: Windows DISM Install PowerShell Web Access id: fa6142a7-c364-4d11-9954-895dd9efb2d4 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Windows Event Log Security 4688 - Sysmon EventID 1 type: TTP status: production -description: The following analytic detects the installation of PowerShell Web Access using the Deployment Image Servicing and Management (DISM) tool. It leverages Sysmon EventID 1 to identify the execution of `dism.exe` with specific parameters related to enabling the WindowsPowerShellWebAccess feature. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks. If confirmed malicious, this action could lead to further exploitation and compromise of the affected system. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process="*WindowsPowerShellWebAccess*" AND Processes.process="*/online*" AND Processes.process="*/enable-feature*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_install_powershell_web_access_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators using the DISM tool to update and install Windows features may cause false positives that can be filtered with `windows_dism_install_powershell_web_access_filter`. +description: The following analytic detects the installation of PowerShell Web Access + using the Deployment Image Servicing and Management (DISM) tool. It leverages Sysmon + EventID 1 to identify the execution of `dism.exe` with specific parameters related + to enabling the WindowsPowerShellWebAccess feature. This activity is significant + because enabling PowerShell Web Access can facilitate remote execution of PowerShell + commands, potentially allowing an attacker to gain unauthorized access to systems + and networks. If confirmed malicious, this action could lead to further exploitation + and compromise of the affected system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe + (Processes.process="*WindowsPowerShellWebAccess*" AND Processes.process="*/online*" + AND Processes.process="*/enable-feature*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_dism_install_powershell_web_access_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators using the DISM tool to update and install Windows + features may cause false positives that can be filtered with `windows_dism_install_powershell_web_access_filter`. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 
@@ -21,43 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell Web Access has been installed on $dest$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - CISA AA24-241A asset_type: Endpoint - confidence: 80 - impact: 90 - message: PowerShell Web Access has been installed on $dest$. 
mitre_attack_id: - T1548.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - user - - parent_process_name - - process_name - - original_file_name - - process - - process_id - - parent_process_id - risk_score: 72 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Security diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml index fbc4649e63..a84e7ed383 100644 --- a/detections/endpoint/windows_dism_remove_defender.yml +++ b/detections/endpoint/windows_dism_remove_defender.yml @@ -1,7 +1,7 @@ name: Windows DISM Remove Defender id: 8567da9e-47f0-11ec-99a9-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,58 +51,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to disable Windows Defender. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - CISA AA23-347A - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to disable Windows Defender. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index 0a6fcc9609..69a5506c40 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml 
@@ -1,16 +1,30 @@ name: Windows DLL Search Order Hijacking Hunt with Sysmon id: 79c7d1fc-64c7-91be-a616-ccda752efe81 -version: 6 -date: '2024-10-17' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment. +description: The following analytic identifies potential DLL search order hijacking + or DLL sideloading by detecting known Windows libraries loaded from non-standard + directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references + them with a lookup of known hijackable libraries. This activity is significant as + it may indicate an attempt to execute malicious code by exploiting DLL search order + vulnerabilities. If confirmed malicious, this could allow attackers to gain code + execution, escalate privileges, or maintain persistence within the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' -how_to_implement: The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. 
For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup. -known_false_positives: False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths. +search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) + | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = + True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) + as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' +how_to_implement: The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. + For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to + the loaded_file field which is used in the search to compare against the hijacklibs + lookup. +known_false_positives: False positives will be present based on paths. Filter or add + other paths to the exclusion as needed. Some applications may legitimately load + libraries from non-standard paths. references: - https://hijacklibs.net tags: 
@@ -19,32 +33,18 @@ tags: - Windows Defense Evasion Tactics - Qakbot asset_type: Endpoint - confidence: 10 - impact: 10 - message: Potential Windows DLL Search Order Hijacking detected on $dest$ mitre_attack_id: - T1574.001 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - ImageLoaded - - Module_Path - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml index 6cbb4f48a3..d5d279ce64 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml @@ -1,7 +1,7 @@ name: Windows DLL Search Order Hijacking with iscsicpl id: f39ee679-3b1e-4f47-841c-5c3c580acda2 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,58 +51,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to elevate access. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to elevate access. mitre_attack_id: - T1574.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml index a2fa7b4b0d..bbaa20e218 100644 --- a/detections/endpoint/windows_dll_side_loading_in_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml 
@@ -1,15 +1,31 @@ name: Windows DLL Side-Loading In Calc id: af01f6db-26ac-440e-8d89-2793e303f137 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious DLL modules loaded by calc.exe that are not located in the %systemroot%\system32 or %systemroot%\sysWoW64 directories. This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique often used by Qakbot malware to execute malicious DLLs. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment. +description: The following analytic detects suspicious DLL modules loaded by calc.exe + that are not located in the %systemroot%\system32 or %systemroot%\sysWoW64 directories. + This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique + often used by Qakbot malware to execute malicious DLLs. This activity is significant + as it indicates potential malware execution through a trusted process, which can + bypass security controls. If confirmed malicious, this could allow attackers to + execute arbitrary code, maintain persistence, and escalate privileges within the + environment. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 Image = "*\calc.exe" AND NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*")) AND NOT(ImageLoaded IN("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*", "*:\\windows\\WinSXS\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +search: '`sysmon` EventCode=7 Image = "*\calc.exe" AND NOT (Image IN ("*:\\windows\\system32\\*", + "*:\\windows\\sysWow64\\*")) AND NOT(ImageLoaded IN("*:\\windows\\system32\\*", + "*:\\windows\\sysWow64\\*", "*:\\windows\\WinSXS\\*")) | stats count min(_time) + as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product + process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on processes that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` + node. In addition, confirm the latest CIM App 4.20 or higher is installed and the + latest TA for the endpoint product. known_false_positives: unknown references: - https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/ 
@@ -19,45 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common + windows OS installation folder on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 100 - impact: 90 - message: a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $dest$ mitre_attack_id: - T1574.002 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - OriginalFileName - - Product - - process_name - - dest - - EventCode - - Signed - - ProcessId - 
risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml index db497309f9..1e661f00bf 100644 --- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml @@ -1,7 +1,7 @@ name: Windows DLL Side-Loading Process Child Of Calc id: 295ca9ed-e97b-4520-90f7-dfb6469902e1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,9 +9,29 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies suspicious child processes spawned by calc.exe, indicative of DLL side-loading techniques. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. This activity is significant as it is commonly associated with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "calc.exe") AND Processes.process_name != "win32calc.exe" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+description: The following analytic identifies suspicious child processes spawned + by calc.exe, indicative of DLL side-loading techniques. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, + names, and parent processes. This activity is significant as it is commonly associated + with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. + If confirmed malicious, this behavior could allow attackers to execute arbitrary + code, maintain persistence, and escalate privileges, posing a severe threat to the + environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name + = "calc.exe") AND Processes.process_name != "win32calc.exe" by Processes.parent_process + Processes.process_name Processes.process_id Processes.process_guid Processes.process + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. 
known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot 
@@ -21,47 +41,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: calc.exe has a child process $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 90 - impact: 90 - message: calc.exe has a child process $process_name$ in $dest$ mitre_attack_id: - T1574.002 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml index 1bc6eb6502..aa8aa701f0 100644 --- a/detections/endpoint/windows_dns_gather_network_info.yml +++ b/detections/endpoint/windows_dns_gather_network_info.yml @@ -1,7 +1,7 @@ name: Windows DNS Gather Network Info id: 347e0892-e8f3-4512-afda-dc0e3fa996f3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk type: Anomaly status: production 
@@ -9,10 +9,30 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of the dnscmd.exe command to enumerate DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This activity is significant as it may indicate an adversary gathering network information, a common precursor to more targeted attacks. If confirmed malicious, this behavior could enable attackers to map the network, identify critical assets, and plan subsequent actions, potentially leading to data exfiltration or further compromise of the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dnscmd.exe" Processes.process = "* /enumrecords *" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed. +description: The following analytic detects the use of the dnscmd.exe command to enumerate + DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. This activity is significant as it + may indicate an adversary gathering network information, a common precursor to more + targeted attacks. If confirmed malicious, this behavior could enable attackers to + map the network, identify critical assets, and plan subsequent actions, potentially + leading to data exfiltration or further compromise of the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dnscmd.exe" + Processes.process = "* /enumrecords *" by Processes.parent_process Processes.process_name + Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_dns_gather_network_info_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. 
+known_false_positives: network administrator can execute this command to enumerate + DNS record. Filter or add other paths to the exclusion as needed. references: - https://cert.gov.ua/article/3718487 - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF 
@@ -22,46 +42,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process commandline $process$ to enumerate dns record on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Sandworm Tools - Volt Typhoon asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process commandline $process$ to enumerate dns record in $dest$ mitre_attack_id: - T1590.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_dns_query_request_by_telegram_bot_api.yml b/detections/endpoint/windows_dns_query_request_by_telegram_bot_api.yml new file mode 100644 index 0000000000..39e7c9496e --- /dev/null +++ b/detections/endpoint/windows_dns_query_request_by_telegram_bot_api.yml 
@@ -0,0 +1,56 @@ +name: Windows DNS Query Request by Telegram Bot API +id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon EventID 22 +type: Anomaly +status: production +description: The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network. +search: '`sysmon` EventCode=22 query = "api.telegram.org" process_name != "telegram.exe" + | stats count min(_time) as firstTime max(_time) as lastTime by query answer QueryResults QueryStatus process_name process_guid Computer + | rename Computer as dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_dns_query_request_by_telegram_bot_api_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: a third part automation using telegram API. 
+references: +- https://www.splunk.com/en_us/blog/security/threat-advisory-telegram-crypto-botnet-strt-ta01.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: DNS query by a telegram bot [$query$] on [$dest$]. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1102.002 + - T1071.004 + - T1071 + - T1102 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_dns.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml index 1ad888380e..dc4d89d1bf 100644 --- a/detections/endpoint/windows_dnsadmins_new_member_added.yml +++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml 
@@ -1,16 +1,29 @@ name: Windows DnsAdmins New Member Added id: 27e600aa-77f8-4614-bc80-2662a67e2f48 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Windows Event Log Security 4732 -description: The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk. -search: '`wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`' -how_to_implement: To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled. -known_false_positives: New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed. +description: The following analytic detects the addition of a new member to the DnsAdmins + group in Active Directory by leveraging Event ID 4732. This detection uses security + event logs to identify changes to this high-privilege group. 
Monitoring this activity + is crucial because members of the DnsAdmins group can manage the DNS service, often + running on Domain Controllers, and potentially execute malicious code with SYSTEM + privileges. If confirmed malicious, this activity could allow an attacker to escalate + privileges and gain control over critical domain services, posing a significant + security risk. +search: '`wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) + as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added + values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_dnsadmins_new_member_added_filter`' +how_to_implement: To successfully implement this search, Domain Controller events + need to be ingested. The Advanced Security Audit policy setting `Audit Security + Group Management` within `Account Management` needs to be enabled. +known_false_positives: New members can be added to the DnsAdmins group as part of + legitimate administrative tasks. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise 
@@ -22,40 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new member $user$ added to the DnsAdmins group by $src_user$ + risk_objects: + - field: src_user + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 50 - impact: 80 - message: A new member $user$ added to the DnsAdmins group by $src_user$ mitre_attack_id: - T1098 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetUserName - - SubjectUserName - - Computer - - MemberSid - - TargetUserName - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml index 6a61fdb6f5..eb09f87426 100644 --- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml +++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml 
@@ -1,16 +1,30 @@ name: Windows Domain Account Discovery Via Get-NetComputer id: a7fbbc4e-4571-424a-b627-6968e1c939e4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as "samaccountname," "accountexpires," "lastlogon," and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetComputer*" ScriptBlockText IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", "*logoncount*") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. 
+description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetComputer, which is used to query Active Directory for user account + details such as "samaccountname," "accountexpires," "lastlogon," and more. It leverages + Event ID 4104 from PowerShell Script Block Logging to identify this activity. This + behavior is significant as it may indicate an attempt to gather user account information, + which is often a precursor to further malicious actions. If confirmed malicious, + this activity could lead to unauthorized access, privilege escalation, or lateral + movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetComputer*" ScriptBlockText + IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", + "*logoncount*") | rename Computer as dest, UserID as user | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: 
@@ -19,39 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Domain Account Discovery Via Get-NetComputer on $dest$. + risk_objects: + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: Windows Domain Account Discovery Via Get-NetComputer in $dest$. 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index aba0071eea..806aa64509 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -1,7 +1,7 @@ name: Windows Domain Admin Impersonation Indicator id: 10381f93-6d38-470a-9c30-d25478e3bd3f -version: '5' -date: '2024-11-28' +version: 6 +date: '2025-01-20' author: Mauricio Velazco, Splunk status: production type: TTP 
@@ -33,7 +33,7 @@ search: '`wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName I | fillnull value=NotDA username | search username = "NotDA" | `windows_domain_admin_impersonation_indicator_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, - the Audit Group Membership subcategory within the Logon Logooff category needs to + the Audit Group Membership subcategory within the Logon Logoff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. @@ -58,6 +58,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $TargetUserName$ may be impersonating a Domain Administrator through a + forged Kerberos ticket. + risk_objects: + - field: TargetUserName + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks @@ -65,28 +73,12 @@ tags: - Compromised Windows Host - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 100 - impact: 80 - message: $TargetUserName$ may be impersonating a Domain Administrator through a - forged Kerberos ticket. mitre_attack_id: - T1558 - observable: - - name: TargetUserName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 - required_fields: - - _time, - - EventCode - - LogonType - - TargetUserName - - GroupMembership security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index 965333e905..6efd4b398f 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml 
+++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml 
@@ -1,18 +1,43 @@ name: Windows DotNet Binary in Non Standard Path id: fddf3b56-7933-11ec-98a6-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of native .NET binaries from non-standard directories within the Windows operating system. It leverages Endpoint Detection and Response (EDR) telemetry, comparing process names and original file names against a predefined lookup using the `is_net_windows_file_macro` macro. This activity is significant because adversaries may move .NET binaries to unconventional paths to evade detection and execute malicious code. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk. +description: The following analytic detects the execution of native .NET binaries + from non-standard directories within the Windows operating system. It leverages + Endpoint Detection and Response (EDR) telemetry, comparing process names and original + file names against a predefined lookup using the `is_net_windows_file_macro` macro. + This activity is significant because adversaries may move .NET binaries to unconventional + paths to evade detection and execute malicious code. If confirmed malicious, this + behavior could allow attackers to execute arbitrary code, escalate privileges, or + maintain persistence within the environment, posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path + IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", + "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.original_file_name Processes.process_path + Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` + | `windows_dotnet_binary_in_non_standard_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering may be required. + Certain utilities will run from non-standard paths based on the third-party application + in use. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml - https://attack.mitre.org/techniques/T1036/003/ 
@@ -24,9 +49,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ from a non-standard + path was identified on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Masquerading - Rename System Utilities 
@@ -36,53 +81,20 @@ tags: - Data Destruction - WhisperGate asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$. mitre_attack_id: - T1036 - T1036.003 - T1218 - T1218.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml index b5f5e7b05b..6b0dac97a8 100644 --- a/detections/endpoint/windows_driver_inventory.yml +++ b/detections/endpoint/windows_driver_inventory.yml 
@@ -1,46 +1,41 @@ name: Windows Driver Inventory id: f87aa96b-369b-4a3e-9021-1bbacbfcb8fb -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. +description: The following analytic identifies drivers being loaded across the fleet. + It leverages a PowerShell script input deployed to critical systems to capture driver + data. This detection is significant as it helps monitor for unauthorized or malicious + drivers that could compromise system integrity. If confirmed malicious, such drivers + could allow attackers to execute arbitrary code, escalate privileges, or maintain + persistence within the environment. data_source: [] -search: '`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`' -how_to_implement: To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work. -known_false_positives: Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths. 
+search: '`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) + as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`' +how_to_implement: To capture the drivers by host, utilize the referenced Gist to create + the inputs, props and transforms. Otherwise, this hunt query will not work. +known_false_positives: Filter and modify the analytic as you'd like. Filter based + on path. Remove the system32\drivers and look for non-standard paths. references: - https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244 tags: analytic_story: - Windows Drivers asset_type: Endpoint - confidence: 10 - impact: 50 - message: Drivers have been identified on $dest$. mitre_attack_id: - T1068 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Path - - host - - DriverType - risk_score: 5 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log source: PwSh:DriverInventory sourcetype: PwSh:DriverInventory - update_timestamp: true diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index f4c48b9e35..bf5adb05b7 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml 
@@ -1,21 +1,26 @@ name: Windows Driver Load Non-Standard Path id: 9216ef3d-066a-4958-8f27-c84589465e62 -version: 4 -date: "2024-10-17" +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security. +description: The following analytic detects the loading of new Kernel Mode Drivers + from non-standard paths using Windows EventCode 7045. It identifies drivers not + located in typical directories like Windows, Program Files, or SystemRoot. This + activity is significant because adversaries may use these non-standard paths to + load malicious or vulnerable drivers, potentially bypassing security controls. If + confirmed malicious, this could allow attackers to execute code at the kernel level, + escalate privileges, or maintain persistence within the environment, posing a severe + threat to system integrity and security. 
data_source: - Windows Event Log System 7045 search: >- `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\)" - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_driver_load_non_standard_path_filter` + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode + ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter` how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. known_false_positives: False positives may be present based on legitimate third party 
@@ -31,9 +36,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A kernel mode driver was loaded from a non-standard path on $dest$. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Windows Drivers 
@@ -42,34 +59,18 @@ tags: - BlackByte Ransomware - BlackSuit Ransomware asset_type: Endpoint - confidence: 60 - impact: 60 - message: A kernel mode driver was loaded from a non-standard path on $dest$. mitre_attack_id: - T1014 - T1068 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Computer - - EventCode - - ImagePath - - ServiceName - - ServiceType - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml index c178301c19..7e3badca4e 100644 --- a/detections/endpoint/windows_drivers_loaded_by_signature.yml +++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml 
@@ -1,16 +1,30 @@ name: Windows Drivers Loaded by Signature id: d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration. +description: The following analytic identifies all drivers being loaded on Windows + systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver + path, signature status, and hash to detect potentially suspicious drivers. This + activity is significant for a SOC as malicious drivers can be used to gain kernel-level + access, bypass security controls, or persist in the environment. If confirmed malicious, + this activity could allow an attacker to execute arbitrary code with high privileges, + leading to severe system compromise and potential data exfiltration. data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. 
Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers. -known_false_positives: This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat. +search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime + values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists + Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_drivers_loaded_by_signature_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have the latest version of the Sysmon + TA. Most EDR products provide the ability to review driver loads, or module loads, + and using a query as such help with hunting for malicious drivers. +known_false_positives: This analytic is meant to assist with identifying and hunting drivers loaded + in the environment. references: - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ - https://attack.mitre.org/techniques/T1014/ 
@@ -22,35 +36,18 @@ tags: - AgentTesla - BlackByte Ransomware asset_type: Endpoint - confidence: 70 - impact: 60 - message: A driver has loaded on $dest$. mitre_attack_id: - T1014 - T1068 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ImageLoaded - - dest - - Signed - - Signature - - service_signature_verified - - service_signature_exists - - Hashes - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_enable_powershell_web_access.yml b/detections/endpoint/windows_enable_powershell_web_access.yml index fb8dea6a41..8e20aedce6 100644 --- a/detections/endpoint/windows_enable_powershell_web_access.yml +++ b/detections/endpoint/windows_enable_powershell_web_access.yml 
@@ -1,16 +1,27 @@ name: Windows Enable PowerShell Web Access id: 175bb2de-6227-416b-9678-9b61999cd21f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Powershell Script Block Logging 4104 type: TTP status: production -description: The following analytic detects the enabling of PowerShell Web Access via PowerShell commands. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Install-WindowsFeature` cmdlet with the `WindowsPowerShellWebAccess` parameter. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Install-WindowsFeature*WindowsPowerShellWebAccess*","*Install-PswaWebApplication*","*Add-PswaAuthorizationRule*UserName *ComputerName *") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_enable_powershell_web_access_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: It is possible that legitimate scripts or network administrators may enable PowerShell Web Access. Monitor and escalate as needed. +description: The following analytic detects the enabling of PowerShell Web Access + via PowerShell commands. It leverages PowerShell script block logging (EventCode + 4104) to identify the execution of the `Install-WindowsFeature` cmdlet with the + `WindowsPowerShellWebAccess` parameter. 
This activity is significant because enabling + PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially + allowing an attacker to gain unauthorized access to systems and networks. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Install-WindowsFeature*WindowsPowerShellWebAccess*","*Install-PswaWebApplication*","*Add-PswaAuthorizationRule*UserName + *ComputerName *") | rename Computer as dest | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText dest UserID | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_enable_powershell_web_access_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: It is possible that legitimate scripts or network administrators + may enable PowerShell Web Access. Monitor and escalate as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 
@@ -20,40 +31,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell Web Access has been enabled on $dest$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - CISA AA24-241A - Malicious PowerShell asset_type: Endpoint - confidence: 80 - impact: 90 - message: PowerShell Web Access has been enabled on $dest$. 
mitre_attack_id: - T1059.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - dest - - UserID - risk_score: 72 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/pswa_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/pswa_powershell.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml index a48e35906b..eb95c64cf3 100644 --- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml +++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml 
@@ -1,16 +1,39 @@ name: Windows Enable Win32 ScheduledJob via Registry id: 12c80db8-ef62-4456-92df-b23e1b3219f6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Sysmon EventID 13 -description: The following analytic detects the creation of a new DWORD value named "EnableAt" in the registry path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. If confirmed malicious, this could allow persistent code execution on the system. -search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\CurrentVersion\\Schedule\\Configuration*" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. 
-known_false_positives: In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary. +description: The following analytic detects the creation of a new DWORD value named + "EnableAt" in the registry path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". + This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands + to add scheduled tasks on a Windows endpoint. The detection leverages registry event + data from the Endpoint datamodel. This activity is significant because it may indicate + that an attacker is enabling the ability to schedule tasks, potentially to execute + malicious code at specific times or intervals. If confirmed malicious, this could + allow persistent code execution on the system. 
+search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) + as registry_key_name values(Registry.registry_path) as registry_path min(_time) + as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\CurrentVersion\\Schedule\\Configuration*" + Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, + Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: In some cases, an automated script or system may enable this + setting continuously, leading to false positives. To avoid such situations, it is + recommended to monitor the frequency and context of the registry modification and + modify or filter the detection rules as needed. This can help to reduce the number + of false positives and ensure that only genuine threats are identified. Additionally, + it is important to investigate any detected instances of this modification and analyze + them in the broader context of the system and network to determine if further action + is necessary. references: - https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob 
@@ -20,44 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process has modified the schedule task registry value - EnableAt - on + endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - Scheduled Tasks asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1053.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.dest - - Registry.user - - Registry.registry_value_name - - Registry.registry_value_type - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml index a9f49f4fd4..abe412ad24 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml @@ -1,7 +1,7 @@ name: Windows ESX Admins Group Creation Security Event id: 53b4c927-5ec4-47cd-8aed-d4b303304f87 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Windows Event Log Security 4727 
@@ -9,10 +9,25 @@ data_source: - Windows Event Log Security 4737 type: TTP status: production -description: This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). -search: '`wineventlog_security` EventCode IN (4727, 4730, 4737) (TargetUserName="ESX Admins" OR TargetUserName="*ESX Admins*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode TargetUserName TargetDomainName SubjectUserName SubjectDomainName Computer | rename Computer as dest | eval EventCodeDescription=case( EventCode=4727, "Security Enabled Global Group Created", EventCode=4730, "Security Enabled Global Group Deleted", EventCode=4737, "Security Enabled Global Group Modified" ) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_security_event_filter`' -how_to_implement: To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events. -known_false_positives: Legitimate administrators might create, delete, or modify an "ESX Admins" group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. +description: This analytic detects creation, deletion, or modification of the "ESX + Admins" group in Active Directory. These events may indicate attempts to exploit + the VMware ESXi Active Directory Integration Authentication Bypass vulnerability + (CVE-2024-37085). 
+search: '`wineventlog_security` EventCode IN (4727, 4730, 4737) (TargetUserName="ESX + Admins" OR TargetUserName="*ESX Admins*") | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode TargetUserName TargetDomainName SubjectUserName + SubjectDomainName Computer | rename Computer as dest | eval EventCodeDescription=case( + EventCode=4727, "Security Enabled Global Group Created", EventCode=4730, "Security + Enabled Global Group Deleted", EventCode=4737, "Security Enabled Global Group Modified" + ) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_security_event_filter`' +how_to_implement: To successfully implement this search, ensure that Windows Security + Event logging is enabled and being ingested into Splunk, particularly for event + codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific + events. +known_false_positives: Legitimate administrators might create, delete, or modify an + "ESX Admins" group for valid reasons. Verify that the group changes are authorized + and part of normal administrative tasks. Consider the context of the action, such + as the user performing it and any related activities. references: - https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ 
@@ -23,47 +38,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: ESX Admins group $EventCodeDescription$ on $dest$ by user $SubjectUserName$. + risk_objects: + - field: dest + type: system + score: 25 + - field: SubjectUserName + type: user + score: 25 + threat_objects: [] tags: analytic_story: - VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 asset_type: Endpoint - confidence: 50 - impact: 50 - message: ESX Admins group $EventCodeDescription$ on $dest$ by user $SubjectUserName$. 
mitre_attack_id: - T1136.001 - T1136.002 - observable: - - name: SubjectUserName - type: User - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetUserName - - TargetDomainName - - SubjectUserName - - SubjectDomainName - - Computer - risk_score: 25 security_domain: endpoint cve: - CVE-2024-37085 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log sourcetype: XmlWinEventLog source: Security diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml index 8f258e1d94..373e172977 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml 
@@ -1,14 +1,16 @@ name: Windows ESX Admins Group Creation via Net id: 3d7df60b-3332-4667-8090-afe03e08dce0 -version: 3 -date: '2024-11-26' +version: 5 +date: '2025-01-13' author: Michael Haag, Splunk +status: production +type: TTP data_source: - Sysmon EventID 1 -type: TTP -status: production +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 description: This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the "ESX Admins" group after its deletion from Active Directory. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*group \"ESX Admins\"*" OR Processes.process="*group ESX Admins*") AND Processes.process="*/add*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_via_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` Processes.process="*group*" Processes.process="*ESX Admins*" AND Processes.process="*/add*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_via_net_filter`' 
how_to_implement: To successfully implement this search, you need to be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. references: 
@@ -24,40 +26,28 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to create an "ESX Admins" group was detected on $dest$ by user + $user$. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 asset_type: Endpoint - confidence: 70 - impact: 80 - message: An attempt to create an "ESX Admins" group was detected on $dest$ by user $user$. mitre_attack_id: - T1136.002 - T1136.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.original_file_name - risk_score: 56 security_domain: endpoint cve: - CVE-2024-37085 diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml index 8f504ab250..fd301786bb 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml 
@@ -1,16 +1,29 @@ name: Windows ESX Admins Group Creation via PowerShell id: f48a5557-be06-4b96-b8e8-be563e387620 -version: 2 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Powershell Script Block Logging 4104 type: TTP status: production -description: This analytic detects attempts to create an "ESX Admins" group using PowerShell commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory. -search: '`powershell` EventCode=4104 (ScriptBlockText="*New-ADGroup*" OR ScriptBlockText="*New-LocalGroup*") ScriptBlockText="*ESX Admins*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_via_powershell_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. You can find additional setup instructions in the Splunk documentation for configuring PowerShell logging. -known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. +description: This analytic detects attempts to create an "ESX Admins" group using + PowerShell commands. This activity may indicate an attempt to exploit the VMware + ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). 
+ Attackers can use this method to gain unauthorized access to ESXi hosts by recreating + the 'ESX Admins' group after its deletion from Active Directory. +search: '`powershell` EventCode=4104 (ScriptBlockText="*New-ADGroup*" OR ScriptBlockText="*New-LocalGroup*") + ScriptBlockText="*ESX Admins*" | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_esx_admins_group_creation_via_powershell_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. You can find additional + setup instructions in the Splunk documentation for configuring PowerShell logging. +known_false_positives: Legitimate administrators might create an "ESX Admins" group + for valid reasons. Verify that the group creation is authorized and part of normal + administrative tasks. Consider the context of the action, such as the user performing + it and any related activities. references: - https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ 
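Review bot: the version field at the top of this hunk jumps from 2 to 4 in a single change (`-version: 2` / `+version: 4`) while the date moves to 2024-11-13; if version 3 was never published, bump to 3 so the version history of this detection stays contiguous, and if two separate changes were squashed here, say so in the commit message.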
@@ -21,43 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell command to create "ESX Admins" group detected on host $dest$ + by user $user$. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 asset_type: Endpoint - confidence: 70 - impact: 80 - message: PowerShell command to create "ESX Admins" group detected on host $dest$ by user $user$. 
mitre_attack_id: - T1136.002 - T1136.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_event_for_service_disabled.yml b/detections/endpoint/windows_event_for_service_disabled.yml index 0668edd350..070028f5ee 100644 --- a/detections/endpoint/windows_event_for_service_disabled.yml +++ b/detections/endpoint/windows_event_for_service_disabled.yml 
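Review bot: the new `rba.risk_objects` entry `field: user` / `type: user` is fed by `rename UserID as user` from the 4104 search, and `UserID` on a PowerShell script-block event is the caller's SID, not an account name; confirm that a SID-valued user risk object still correlates with the identity framework downstream, or resolve the SID to a user name before it is emitted as a risk object.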
@@ -1,16 +1,28 @@ name: Windows Event For Service Disabled id: 9c2620a8-94a1-11ec-b40c-acde48001122 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment. +description: The following analytic detects when a Windows service is modified from + a start type to disabled. It leverages system event logs, specifically EventCode + 7040, to identify this change. This activity is significant because adversaries + often disable security or other critical services to evade detection and maintain + control over a compromised host. If confirmed malicious, this action could allow + attackers to bypass security defenses, leading to further exploitation and persistence + within the environment. data_source: - Windows Event Log System 7040 -search: '`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -known_false_positives: Windows service update may cause this event. In that scenario, filtering is needed. 
+search: '`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count + min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID + service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. +known_false_positives: Windows service update may cause this event. In that scenario, + filtering is needed. references: - https://blog.talosintelligence.com/2018/02/olympic-destroyer.html tags: @@ -18,33 +30,18 @@ tags: - Windows Defense Evasion Tactics - RedLine Stealer asset_type: Endpoint - confidence: 60 - impact: 60 - message: Service $ServiceName$ was disabled on $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ComputerName - - EventCode - - Message - - User - - Sid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml index bc1746633a..2bfd8a88e7 100644 --- a/detections/endpoint/windows_event_log_cleared.yml +++ b/detections/endpoint/windows_event_log_cleared.yml 
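Review bot: the reflowed `how_to_implement` text reads "Service name, Service File Name Service Start type, and Service Type", which is missing the separator between "Service File Name" and "Service Start type"; since this line is being rewritten anyway, add the comma. Removing `message`, `risk_score` and `observable` without adding an `rba` block is consistent with `type: Hunting`, so nothing else is needed in this hunk.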
@@ -1,7 +1,7 @@ name: Windows Event Log Cleared id: ad517544-aff9-4c96-bd99-d6eb43bfbb6a -version: '11' -date: '2024-11-28' +version: 12 +date: '2024-12-10' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP @@ -41,6 +41,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows $object$ cleared on $dest$ via EventCode $EventCode$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: - ShrinkLocker @@ -50,30 +57,18 @@ tags: - Compromised Windows Host - Clop Ransomware asset_type: Endpoint - confidence: 100 - impact: 70 - message: Windows $object$ cleared on $dest$ via EventCode $EventCode$ mitre_attack_id: - T1070 - T1070.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml index a324abb208..3b9abe6184 100644 --- a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml +++ b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml 
@@ -1,16 +1,28 @@ name: Windows Event Triggered Image File Execution Options Injection id: f7abfab9-12ea-44e8-8745-475f9ca6e0a4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise. +description: The following analytic identifies the creation or modification of Image + File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the + Application channel. This detection leverages Windows Event Logs to monitor for + process names added to IFEO under specific registry paths. This activity is significant + as it can indicate attempts to set traps for process monitoring or debugging, often + used by attackers for persistence or evasion. If confirmed malicious, this could + allow an attacker to execute arbitrary code or manipulate process behavior, leading + to potential system compromise. data_source: - Windows Event Log Application 3000 -search: '`wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 AS "Exit_Code" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`' -how_to_implement: This analytic requires capturing the Windows Event Log Application channel in XML. 
-known_false_positives: False positives may be present and tuning will be required before turning into a TTP or notable. +search: '`wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 + AS "Exit_Code" | stats count min(_time) as firstTime max(_time) as lastTime by Process + Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_event_triggered_image_file_execution_options_injection_filter`' +how_to_implement: This analytic requires capturing the Windows Event Log Application + channel in XML. +known_false_positives: False positives may be present and tuning will be required + before turning into a TTP or notable. references: - https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit @@ -18,32 +30,17 @@ tags: analytic_story: - Windows Persistence Techniques asset_type: Endpoint - confidence: 50 - impact: 50 - message: Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred. mitre_attack_id: - T1546.012 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Process - - Exit_Code - - dest - - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog - update_timestamp: true 
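Review bot: the last line of this hunk drops `- update_timestamp: true` from the test's `attack_data` entry, which is unrelated to the RBA migration the rest of the change performs; if the option was still needed for this dataset's events to land inside the search window on replay, the True Positive Test will stop matching, so either keep it or note in the description why it is no longer required.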
diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml index 3764db3f48..9f17eac2d5 100644 --- a/detections/endpoint/windows_excessive_disabled_services_event.yml +++ b/detections/endpoint/windows_excessive_disabled_services_event.yml @@ -1,7 +1,7 @@ name: Windows Excessive Disabled Services Event id: c3f85976-94a5-11ec-9a58-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -40,41 +40,32 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive number (Count - $MessageCount$) of Windows services were disabled + on dest - $dest$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 90 - impact: 90 - message: An excessive number (Count - $MessageCount$) of Windows services were disabled - on dest - $dest$. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - src - - ComputerName - - EventCode - - Message - - User - - Sid - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/windows_excessive_service_stop_attempt.yml similarity index 60% rename from detections/endpoint/excessive_service_stop_attempt.yml rename to detections/endpoint/windows_excessive_service_stop_attempt.yml index 90dcb51e91..9267afdd3c 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/windows_excessive_service_stop_attempt.yml 
@@ -1,16 +1,16 @@ -name: Excessive Service Stop Attempt -id: ae8d3f4a-acd7-11eb-8846-acde48001122 -version: 5 -date: '2024-09-30' +name: Windows Excessive Service Stop Attempt +id: 8f3a614f-6b98-4f7d-82dd-d0df38452a8b +version: 1 +date: '2025-01-13' author: Teoderick Contreras, Splunk status: production -type: Anomaly -description: The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture. +type: TTP +description: The following analytic detects multiple attempts to stop or delete services on a system using `net.exe` or `sc.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`' +search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (`process_net` OR `process_sc`) AND Processes.process="*stop*" OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_service_stop_attempt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown references: @@ -24,44 +24,28 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to disable services. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - XMRig - Ransomware - BlackByte Ransomware asset_type: Endpoint - confidence: 100 - impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. mitre_attack_id: - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
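Review bot: the rewritten `where` clause `(`process_net` OR `process_sc`) AND Processes.process="*stop*" OR Processes.process="*delete*"` still leaves the `*delete*` term outside the parentheses, so with AND binding tighter than OR it evaluates as `((net OR sc) AND *stop*) OR *delete*` and any process whose command line contains "delete" will count toward the `count >=5` threshold regardless of its name; group the command-line terms as `(`process_net` OR `process_sc`) AND (Processes.process="*stop*" OR Processes.process="*delete*")`. Separately, the file is renamed with a brand-new `id` and `version: 1` and the type moves from Anomaly to TTP; if the old id is referenced by existing suppressions or saved searches, the usual path is to keep the old file under the deprecated content set rather than delete it outright.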
diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml similarity index 69% rename from detections/endpoint/excessive_usage_of_net_app.yml rename to detections/endpoint/windows_excessive_usage_of_net_app.yml index 9d5f2390f0..10716cc575 100644 --- a/detections/endpoint/excessive_usage_of_net_app.yml +++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml 
@@ -1,16 +1,16 @@ -name: Excessive Usage Of Net App -id: 45e52536-ae42-11eb-b5c6-acde48001122 -version: 4 -date: '2024-09-30' +name: Windows Excessive Usage Of Net App +id: 355ba810-0a20-4215-8485-9ce3f87f2e38 +version: 2 +date: '2025-01-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects excessive usage of `net.exe` or `net1.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions. +description: The following analytic detects excessive usage of `net.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`' +search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_usage_of_net_app_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown. Filter as needed. Modify the time span as needed. references: 
@@ -24,6 +24,19 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive usage of net1.exe or net.exe within 1m, with command line $process$ + has been detected on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 28 + - field: dest + type: system + score: 28 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Prestige Ransomware @@ -34,42 +47,12 @@ tags: - Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 70 - impact: 40 - message: Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$ mitre_attack_id: - T1531 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test 
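Review bot: the renamed file gets a new `id` but starts at `version: 2`, whereas the sibling rename in this same patch (Windows Excessive Service Stop Attempt) starts its new id at `version: 1`; pick one convention for renamed detections. Also, the new `rba.message` still says "Excessive usage of net1.exe or net.exe" while the rewritten `description` in the first hunk now mentions only `net.exe`; since the search itself matches via the `process_net` macro, align both text fields with whatever that macro actually covers.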
diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml index f3d8824e6e..0c64d5ae6e 100644 --- a/detections/endpoint/windows_executable_in_loaded_modules.yml +++ b/detections/endpoint/windows_executable_in_loaded_modules.yml 
@@ -1,15 +1,27 @@ name: Windows Executable in Loaded Modules id: 3e27af56-fcf0-4113-988d-24969b062be7 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 7 -description: The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system. -search: '`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +description: The following analytic identifies instances where executable files (.exe) + are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This + method leverages Sysmon EventCode 7 to track unusual module loading behavior, which + is significant as it deviates from the norm of loading .dll files. This activity + is crucial for SOC monitoring because it can indicate the presence of malware like + NjRAT, which uses this technique to load malicious modules. 
If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, maintain persistence, + and further compromise the host system. +search: '`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime + max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName + process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat 
@@ -19,45 +31,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An executable $ImageLoaded$ loaded by $Image$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - NjRAT asset_type: Endpoint - confidence: 80 - impact: 80 - message: An executable $ImageLoaded$ loaded by $Image$ on $dest$ mitre_attack_id: - T1129 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Image - - ImageLoaded - - Signed - - SignatureStatus - - OriginalFileName - - process_name - - Computer - - EventCode - - ProcessId - - Hashes - - IMPHASH security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1129/executable_shared_modules/image_loaded_exe.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1129/executable_shared_modules/image_loaded_exe.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml index ff0cce97e1..abbcec0359 100644 --- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml +++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml @@ -1,7 +1,7 @@ name: Windows Execute Arbitrary Commands with MSDT id: e1d5145f-38fe-42b9-a5d5-457796715f97 -version: '7' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP 
@@ -57,59 +57,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A parent process $parent_process_name$ has spawned a child process $process_name$ + on host $dest$ possibly indicative of indirect command execution. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 asset_type: Endpoint - confidence: 100 cve: - CVE-2022-30190 - impact: 100 - message: A parent process $parent_process_name$ has spawned a child process $process_name$ - on host $dest$ possibly indicative of indirect command execution. mitre_attack_id: - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml index 1a56c51eab..2b92a1ae16 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml 
@@ -1,15 +1,28 @@ name: Windows Exfiltration Over C2 Via Invoke RestMethod id: 06ade821-f6fa-40d0-80af-15bc1d45b3ba -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects potential data exfiltration using PowerShell's Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts that attempt to upload files via HTTP POST requests. This activity is significant as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots or files, to an external command and control (C2) server. If confirmed malicious, this could lead to data breaches, loss of sensitive information, and further compromise of the affected systems. Immediate investigation is recommended to determine the intent and scope of the activity. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Invoke-RestMethod *" AND ScriptBlockText = "* -Uri *" AND ScriptBlockText = "* -Method *" AND ScriptBlockText = "* Post *" AND ScriptBlockText = "* -InFile *" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: The following analytic detects potential data exfiltration using PowerShell's + Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts + that attempt to upload files via HTTP POST requests. 
This activity is significant + as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots + or files, to an external command and control (C2) server. If confirmed malicious, + this could lead to data breaches, loss of sensitive information, and further compromise + of the affected systems. Immediate investigation is recommended to determine the + intent and scope of the activity. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Invoke-RestMethod *" AND + ScriptBlockText = "* -Uri *" AND ScriptBlockText = "* -Method *" AND ScriptBlockText + = "* Post *" AND ScriptBlockText = "* -InFile *" | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited. Filter as needed. references: - https://twitter.com/_CERT_UA/status/1620781684257091584 
@@ -20,38 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell script on $Computer$ is attempting to transfer files to a + remote URL. + risk_objects: + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Winter Vivern asset_type: Endpoint - confidence: 70 - impact: 70 - message: A PowerShell script on $Computer$ is attempting to transfer files to a remote URL. 
mitre_attack_id: - T1041 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - UserID - - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml index a23b81b5f8..1a2c2061cf 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml 
@@ -1,15 +1,27 @@ name: Windows Exfiltration Over C2 Via Powershell UploadString id: 59e8bf41-7472-412a-90d3-00f3afa452e9 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies potential data exfiltration using the PowerShell `net.webclient` command with the `UploadString` method. It leverages PowerShell Script Block Logging to detect instances where this command is executed. This activity is significant as it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, often associated with malware like Winter-Vivern. If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially leading to further exploitation of the compromised host. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText = "*.UploadString*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: The following analytic identifies potential data exfiltration using the + PowerShell `net.webclient` command with the `UploadString` method. It leverages + PowerShell Script Block Logging to detect instances where this command is executed. 
+ This activity is significant as it may indicate an attempt to upload sensitive data, + such as desktop screenshots or files, to an external or internal URI, often associated + with malware like Winter-Vivern. If confirmed malicious, this could lead to unauthorized + data transfer, compromising sensitive information and potentially leading to further + exploitation of the compromised host. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText + = "*.UploadString*" | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited. Filter as needed. references: - https://twitter.com/_CERT_UA/status/1620781684257091584 
@@ -20,38 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell script on $Computer$ is attempting to transfer files to a + remote URL. + risk_objects: + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Winter Vivern asset_type: Endpoint - confidence: 70 - impact: 70 - message: A PowerShell script on $Computer$ is attempting to transfer files to a remote URL. 
mitre_attack_id: - T1041 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - UserID - - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml index 4b1e6c2e1e..bb27c581d8 100644 --- a/detections/endpoint/windows_export_certificate.yml +++ b/detections/endpoint/windows_export_certificate.yml 
@@ -1,16 +1,27 @@ name: Windows Export Certificate id: d8ddfa9b-b724-4df9-9dbe-f34cc0936714 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches. +description: The following analytic detects the export of a certificate from the Windows + Certificate Store. It leverages the Certificates Lifecycle log channel, specifically + event ID 1007, to identify this activity. Monitoring certificate exports is crucial + as certificates can be used for authentication to VPNs or private resources. If + malicious actors export certificates, they could potentially gain unauthorized access + to sensitive systems or data, leading to significant security breaches. data_source: - Windows Event Log CertificateServicesClient 1007 -search: '`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`' -how_to_implement: To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational. -known_false_positives: False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. 
Monitor for abnormal processes performing an export. +search: '`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats + count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml + | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `windows_export_certificate_filter`' +how_to_implement: To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational + or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational. +known_false_positives: False positives may be generated based on an automated process + or service that exports certificates on the regular. Review is required before setting + to alert. Monitor for abnormal processes performing an export. references: - https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows drilldown_searches: 
@@ -19,40 +30,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An certificate was exported on $dest$ from the Windows Certificate Store. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 60 - impact: 60 - message: An certificate was exported on $dest$ from the Windows Certificate Store. 
mitre_attack_id: - T1552.004 - T1552 - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - SubjectName - - UserData_Xml - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log - source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log + source: + XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml new file mode 100644 index 0000000000..31f3eb0a66 --- /dev/null +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml 
@@ -0,0 +1,61 @@ +name: Windows File and Directory Enable ReadOnly Permissions +id: 1ae407b0-a042-4eb0-834a-590da055575e +version: 1 +date: '2024-12-13' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: TTP +status: production +description: The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*") + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | rex field=process ":\\((?[^)]+)\\)" + | eval has_read_attribute=if(match(permission, "R"), "true", "false") + | eval has_write_execute=if(match(permission, "(W|GA|X|M|F|AD|DC|DE)"), "true", "false") + | where has_write_execute="false" and has_read_attribute = "true" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_and_directory_enable_readonly_permissions_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A [$process_name$] was executed on [$dest$] attempting to change the access to a file or directory into readonly permissions. 
+ risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1222.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml new file mode 100644 index 0000000000..71b96e2add --- /dev/null +++ b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml 
@@ -0,0 +1,48 @@ +name: Windows File and Directory Permissions Enable Inheritance +id: 0247f90a-aca4-47b2-a94d-e30f445d7b41 +version: 1 +date: '2024-12-13' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Hunting +status: production +description: The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:e*" + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_and_directory_permissions_enable_inheritance_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1222.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml new file mode 100644 index 0000000000..8c8d1cbacf --- /dev/null +++ b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml 
@@ -0,0 +1,57 @@ +name: Windows File and Directory Permissions Remove Inheritance +id: 9b62da2c-e442-474f-83ca-fac4dabab1b3 +version: 1 +date: '2024-12-13' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Anomaly +status: production +description: The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:r*" + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_and_directory_permissions_remove_inheritance_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A [$process_name$] was executed on [$dest$] attempting to remove inheritance permissions. 
+ risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1222.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml index 4c2410e198..344bcb30ed 100644 --- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml +++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml 
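Review bot: in the new windows_file_and_directory_permissions_remove_inheritance.yml, the only entry under `references:` is the AppLocker defense-evasion blog post, which documents neither icacls inheritance removal nor the "Crypto Stealer" analytic story this detection is filed under; add a reference that actually supports the technique (the icacls command reference, or the write-up that motivated the Crypto Stealer story) so an analyst triaging a hit has something relevant to read. On the search itself, `Processes.process = "*/inheritance:r*"` only catches the `r` mode; icacls `/inheritance:d` also stops inheritance (it disables it and copies the inherited ACEs as explicit ones), which matches the description's "removal of permission inheritance", so either add `"*/inheritance:d*"` or state in `description` why only `r` is in scope. Finally, the file ends with "\ No newline at end of file"; add the trailing newline so the YAML matches the rest of the repo.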
@@ -1,67 +1,73 @@ name: Windows File Share Discovery With Powerview id: a44c0be1-d7ab-41e4-92fd-aa9af4fe232c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data. -search: '`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed. +description: The following analytic detects the execution of the Invoke-ShareFinder + PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block + Logging to identify instances where this specific command is executed. 
Monitoring + this activity is crucial as it indicates an attempt to enumerate network file shares, + which may contain sensitive information such as backups, scripts, and credentials. + If confirmed malicious, this activity could enable an attacker to escalate privileges + or move laterally within the network, potentially compromising additional systems + and sensitive data. +search: '`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | rename UserID as user | rename Computer as dest | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Security teams may leverage PowerView proactively to identify + and remediate sensitive file shares. Filter as needed. 
references: - https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://attack.mitre.org/techniques/T1135/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$UserID$" - search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Invoke-ShareFinder commandlet was executed on $dest$ + risk_objects: + - field: dest + type: system + 
score: 48 + - field: user + type: user + score: 48 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Active Directory Discovery asset_type: Endpoint - confidence: 80 - context: - - Source:Endpoint - - Stage:Privilege Escalation - impact: 60 - message: Invoke-ShareFinder commandlet was executed on $Computer$ mitre_attack_id: - T1135 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Opcode - - Computer - - UserID - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml index e98c25a420..314c2ed9fd 100644 --- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml 
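Review bot: in the windows_file_share_discovery_with_powerview.yml hunk, the `how_to_implement` docs URL is rewrapped but still carries the stray `.=` suffix (`...#Configure_module_logging_for_PowerShell.=`), which breaks the anchor when clicked; drop it while the line is being touched. Also, the new `rba.message` says "Invoke-ShareFinder commandlet was executed on $dest$"; the term is "cmdlet", and since `user` is now a risk object it is worth including `$user$` in the message so the risk event says who ran it.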
@@ -1,16 +1,31 @@ name: Windows File Transfer Protocol In Non-Common Process Path id: 0f43758f-1fe9-470a-a9e4-780acc4d5407 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like "Program Files" or "Windows\System32". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host. +description: The following analytic detects FTP connections initiated by processes + located in non-standard installation paths on Windows systems. It leverages Sysmon + EventCode 3 to identify network connections where the process image path does not + match common directories like "Program Files" or "Windows\System32". This activity + is significant as FTP is often used by adversaries and malware, such as AgentTesla, + for Command and Control (C2) communications to exfiltrate stolen data. If confirmed + malicious, this could lead to unauthorized data transfer, exposing sensitive information + and compromising the integrity of the affected host. 
data_source: - Sysmon EventID 3 -search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) (DestinationPortName="ftp" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: third party application may use this network protocol as part of its feature. Filter is needed. +search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) + (DestinationPortName="ftp" OR DestinationPort=21) | stats count min(_time) as firstTime + max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname + DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and sysmon eventcode = 3 connection events from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: third party application may use this network protocol as part + of its feature. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: 
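Review bot: in the first windows_file_transfer_protocol_in_non_common_process_path.yml hunk, `known_false_positives` is rewrapped verbatim and still reads "third party application may use this network protocol as part of its feature. Filter is needed."; since the line is being rewritten anyway, fix the grammar and capitalisation ("Third-party applications may use FTP as part of their normal functionality. Filter as needed."). The `how_to_implement` text similarly keeps "sysmon eventcode = 3" where the rest of the file writes "Sysmon EventCode 3".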
@@ -19,48 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $Image$ is having a FTP connection to $DestinationHostname$ in + $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - AgentTesla - Snake Keylogger asset_type: Endpoint - confidence: 30 - impact: 30 - message: a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$ mitre_attack_id: - T1071.003 - T1071 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - DestinationPort - - DestinationPortName - - DestinationHostname - - SourceHostname - - SourcePort - - SourcePortName - - Protocol - - DestinationIp - - dest - - user - 
risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml index 892f4f6c0d..256673d3f1 100644 --- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml +++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml 
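Review bot: in the second windows_file_transfer_protocol_in_non_common_process_path.yml hunk, the test entry drops `update_timestamp: true` without explanation; that flag controls whether the replayed attack_data timestamps are rewritten to the current time, so removing it changes how the True Positive Test runs, and the commit should say whether that is intentional or an accidental loss during the rewrap. Separately, `rba.risk_objects` only lists `dest` even though `user` is in the `stats ... by` clause of the search; consider adding `user` as a `user` risk object. The message "a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$" would read better as "Process $Image$ on $dest$ made an FTP connection to $DestinationHostname$".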
@@ -1,15 +1,33 @@ name: Windows File Without Extension In Critical Folder id: 0dbcac64-963c-11ec-bf04-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the creation of files without extensions in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability. +description: The following analytic detects the creation of files without extensions + in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem + datamodel, focusing on file paths and creation times. This activity is significant + as it may indicate the presence of destructive malware, such as HermeticWiper, which + drops driver components in these directories. If confirmed malicious, this behavior + could lead to severe system compromise, including boot sector wiping, resulting + in potential data loss and system inoperability. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field="file_name" "\.(?[^\.]*$)" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") + by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path + Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` + | rex field="file_name" "\.(?[^\.]*$)" | where isnull(extension) | join + process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user + | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) + as lastTime by dest process_name process_guid file_name file_path file_create_time + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_file_without_extension_in_critical_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives: Unknown at this point references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html 
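Review bot: in the first windows_file_without_extension_in_critical_folder.yml hunk, the `rex` in `search` has an unnamed capture group, `rex field="file_name" "\.(?[^\.]*$)"`, while the next clause is `where isnull(extension)`; as shown, no field named `extension` is ever created, so `isnull(extension)` would be true for every row and the search would fire on every file in the drivers folders. If the page is rendering `(?<extension>[^\.]*$)` with the angle-bracket name stripped this is only a display artifact, but please confirm the committed YAML carries the named group. The `how_to_implement` sentence ("ingesting information on process that include the name of the Filesystem responsible for the changes") is also carried over garbled; it should say that both process events (mapped to `Endpoint.Processes`) and file-creation events (mapped to `Endpoint.Filesystem`) must be ingested, since the `join process_guid` subsearch depends on both nodes.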
@@ -19,45 +37,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Driver file with out file extension drop in $file_path$ on $dest$ + risk_objects: + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Data Destruction - Hermetic Wiper asset_type: Endpoint - confidence: 100 - impact: 90 - message: Driver file with out file extension drop in $file_path$ in $dest$ mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - - Filesystem.dest - - Processes.process_name - - Processes.dest - - Processes.process_guid - - 
Processes.user - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index dccf14431e..6f4b92d1c5 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -1,7 +1,7 @@ name: Windows Files and Dirs Access Rights Modification Via Icacls id: c76b796c-27e1-4520-91c4-4a58695c749e -version: 4 -date: '2024-12-06' +version: 5 +date: '2024-12-16' author: Teoderick Contreras, Splunk status: production type: TTP 
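Review bot: in the second windows_file_without_extension_in_critical_folder.yml hunk, the new `rba.message` keeps the typo "with out" and the awkward "drop in $file_path$"; rewrite as "Driver file without a file extension dropped in $file_path$ on $dest$". Also, `risk_objects` lists only `user` (score 90) while the detection is about a file landing on a specific host and the message is keyed on `$dest$`; for a TTP-level wiper indicator, adding `dest` as a `system` risk object would let the host accrue risk as well.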
@@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, "*:N*","*/P*", "*/E*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Unknown. It is possible some administrative scripts use ICacls. Filter as needed. +description: The following analytic identifies the modification of security permissions + on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific + command-line executions. This activity is significant as it is commonly used by + Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and + maintain control over compromised systems. If confirmed malicious, this behavior + could allow attackers to hinder investigation, impede remediation efforts, and maintain + persistent access to the compromised environment. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", + "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, + "*:N*","*/P*", "*/E*") by Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Unknown. It is possible some administrative scripts use ICacls. + Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey drilldown_searches: 
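Review bot: in the windows_files_and_dirs_access_rights_modification_via_icacls.yml search hunk, the `IN()` list is rewrapped but still contains a stray double comma, `"*:C*",, "*:N*"`; drop the extra comma (or confirm the SPL parser tolerates an empty element) so the detection does not depend on lenient parsing. Since the line is being touched, the inconsistent spacing in `IN( "icacls.exe", "cacls.exe","xcacls.exe")` could be normalised at the same time.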
@@ -21,9 +43,26 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ with access right modification argument executed + by $user$ to change security permission of a specific file or directory on host + $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Amadey 
@@ -31,41 +70,18 @@ tags: asset_type: Endpoint atomic_guid: - 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 - confidence: 70 - impact: 70 - message: Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$ mitre_attack_id: - T1222.001 - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_guid - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.process security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index 16e1e19180..936ae3761c 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml 
@@ -1,16 +1,29 @@ name: Windows Find Domain Organizational Units with GetDomainOU id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Get-DomainOU` cmdlet, + a part of the PowerView toolkit used for Windows domain enumeration. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify this activity. 
Detecting + `Get-DomainOU` usage is significant as adversaries may use it to gather information + about organizational units within Active Directory, which can facilitate lateral + movement or privilege escalation. If confirmed malicious, this activity could allow + attackers to map the domain structure, aiding in further exploitation and persistence + within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" | stats count + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer + UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/ - https://attack.mitre.org/techniques/T1087/002/ 
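Review bot: the rewrapped `how_to_implement` still opens with "The following Hunting analytic requires PowerShell operational logs" while the same file declares `type: TTP`; since this hunk already rewrites that field's lines, suggest dropping "Hunting" so the prose matches the type (the same wording carries through the Find-InterestingDomainAcl and Get-ForestDomain hunks below, which share the text verbatim).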
@@ -21,43 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by + user $user$. + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - Computer - - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index c297114997..e855820ea9 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml 
@@ -1,16 +1,28 @@ name: Windows Find Interesting ACL with FindInterestingDomainAcl id: e4a96dfd-667a-4487-b942-ccef5a1e81e8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Find-InterestingDomainAcl` + cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). 
+ This detection leverages logs to identify when this command is run, which is significant + as adversaries may use it to find misconfigured or unusual Access Control Lists + (ACLs) within a domain. If confirmed malicious, this activity could allow attackers + to identify privilege escalation opportunities or weak security configurations in + Active Directory, potentially leading to unauthorized access or further exploitation. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/ - https://attack.mitre.org/techniques/T1087/002/ 
@@ -21,43 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint + $dest$ by user $user$. + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - Computer - - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml index c788f1835b..90504904d8 100644 --- a/detections/endpoint/windows_findstr_gpp_discovery.yml +++ b/detections/endpoint/windows_findstr_gpp_discovery.yml @@ -1,7 +1,7 @@ name: Windows Findstr GPP Discovery id: 1631ac2d-f2a9-42fa-8a59-d6e210d472f5 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production 
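Review bot: the version field jumps by two in a single change (`-version: 3` / `+version: 5`) while every other detection in this batch bumps by exactly one for the same `date: '2024-11-13'` edit; confirm the skip is intentional or set it to 4 so the version history stays contiguous.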
@@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of the findstr command to search for unsecured credentials in Group Policy Preferences (GPP). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving findstr.exe with references to SYSVOL and cpassword. This activity is significant because it indicates an attempt to locate and potentially decrypt embedded credentials in GPP, which could lead to unauthorized access. If confirmed malicious, this could allow an attacker to escalate privileges or gain access to sensitive systems and data within the domain. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. +description: The following analytic detects the use of the findstr command to search + for unsecured credentials in Group Policy Preferences (GPP). It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on command-line executions + involving findstr.exe with references to SYSVOL and cpassword. This activity is + significant because it indicates an attempt to locate and potentially decrypt embedded + credentials in GPP, which could lead to unauthorized access. If confirmed malicious, + this could allow an attacker to escalate privileges or gain access to sensitive + systems and data within the domain. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe + AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.original_file_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_findstr_gpp_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may leverage findstr to find passwords in GPO + to validate exposure. Filter as needed. references: - https://attack.mitre.org/techniques/T1552/006/ - https://pentestlab.blog/2017/03/20/group-policy-preferences/ 
@@ -25,50 +47,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Findstr was executed to discover GPP credentials on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 80 - impact: 70 - message: Findstr was executed to discover GPP credentials on $dest$ mitre_attack_id: - T1552 - T1552.006 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_name - - Processes.process - - 
Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.process_id - - Processes.parent_process_id - - Processes.original_file_name - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index 1faa59f8cc..aac21bf7bb 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml 
@@ -1,16 +1,28 @@ name: Windows Forest Discovery with GetForestDomain id: a14803b2-4bd9-4c08-8b57-c37980edebe8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Get-ForestDomain` + cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. + It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. 
+ Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use + it to gather detailed information about Active Directory forest and domain configurations. + If confirmed malicious, this activity could enable attackers to understand the domain + structure, facilitating lateral movement or privilege escalation within the environment. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/ - https://attack.mitre.org/techniques/T1087/002/ 
@@ -21,43 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ + by user $user$. + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - Computer - - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml index ef1c3fc456..44ac29e470 100644 --- a/detections/endpoint/windows_gather_victim_host_information_camera.yml +++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml 
@@ -1,16 +1,30 @@ name: Windows Gather Victim Host Information Camera id: e4df4676-ea41-4397-b160-3ee0140dc332 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation. +description: The following analytic detects a PowerShell script that enumerates camera + devices on the targeted host. This detection leverages PowerShell Script Block Logging, + specifically looking for commands querying Win32_PnPEntity for camera-related information. + This activity is significant as it is commonly observed in DCRat malware, which + collects camera data to send to its command-and-control server. If confirmed malicious, + this behavior could indicate an attempt to gather sensitive visual information from + the host, potentially leading to privacy breaches or further exploitation. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText= "* Win32_PnPEntity *" ScriptBlockText= "*SELECT*" ScriptBlockText= "*WHERE*" ScriptBlockText = "*PNPClass*" ScriptBlockText IN ("*Image*", "*Camera*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators may execute this powershell command to get hardware information related to camera on $dest$. +search: '`powershell` EventCode=4104 ScriptBlockText= "* Win32_PnPEntity *" ScriptBlockText= + "*SELECT*" ScriptBlockText= "*WHERE*" ScriptBlockText = "*PNPClass*" ScriptBlockText + IN ("*Image*", "*Camera*") | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename + UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_gather_victim_host_information_camera_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may execute this powershell command to get hardware + information related to camera on $dest$. references: - https://cert.gov.ua/article/405538 - https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat 
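Review bot: the rewrapped `known_false_positives` keeps a `$dest$` token in plain documentation text ("information related to camera on $dest$."); unlike `rba.message`, that field is not templated against search results, so the token will render literally for readers. Suggest plain wording such as "information related to the camera on the host."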
@@ -21,43 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Powershell script to enumerate camera detected on host - $dest$ + risk_objects: + - field: dest + type: system + score: 42 + - field: user + type: user + score: 42 + threat_objects: [] tags: analytic_story: - DarkCrystal RAT asset_type: Endpoint - confidence: 70 - impact: 60 - message: A Powershell script to enumerate camera detected on host - $dest$ mitre_attack_id: - T1592.001 - T1592 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 42 security_domain: endpoint tests: - name: 
True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml index 8096ec6259..58829b5f21 100644 --- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml +++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml 
@@ -1,16 +1,30 @@ name: Windows Gather Victim Identity SAM Info id: a18e85d7-8b98-4399-820c-d46a1ca3516f -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network. +description: The following analytic detects processes loading the samlib.dll or samcli.dll + modules, which are often abused to access Security Account Manager (SAM) objects + or credentials on domain controllers. This detection leverages Sysmon EventCode + 7 to identify these DLLs being loaded outside typical system directories. Monitoring + this activity is crucial as it may indicate attempts to gather sensitive identity + information. If confirmed malicious, this behavior could allow attackers to obtain + credentials, escalate privileges, or further infiltrate the network. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`' -how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -known_false_positives: this module can be loaded by a third party application. Filter is needed. +search: '`sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileName + = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") + AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats + count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name + dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_gather_victim_identity_sam_info_filter`' +how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 + will add the ImageLoaded name to the process_name field, allowing this query to + work. Use as an example and implement for other products. +known_false_positives: this module can be loaded by a third party application. Filter + is needed. references: - https://redcanary.com/blog/active-breach-evading-defenses/ - https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html 
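Review bot: the rewrapped `search` relies on implicit Boolean precedence: `(ImageLoaded = "*\\samlib.dll" AND ...) OR (ImageLoaded = "*\\samcli.dll" AND ...) AND NOT (Image IN(...))` leaves it to the search command's evaluation order whether the `NOT` exclusion applies to both DLL branches or only to the samcli one. Since the description says the exclusion of typical system directories is the point of the detection, wrap the two branches explicitly, e.g. `((ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL")) AND NOT (Image IN(...))`. Minor: `known_false_positives` starts lowercase ("this module can be loaded...") where the sibling files start with a capital.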
@@ -18,35 +32,18 @@ tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 30 - impact: 30 - message: An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information. mitre_attack_id: - T1589.001 - T1589 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - dest - - EventCode - - Signed - - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index d88ab63cf3..1f6f6dcc37 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml 
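Review bot: the ATT&CK mapping kept in this hunk, `T1589.001`/`T1589` (Gather Victim Identity Information), belongs to the Reconnaissance tactic, i.e. pre-compromise collection, whereas a process on a monitored host loading samlib.dll or samcli.dll to read SAM objects is post-compromise credential access; map to T1003.002 (OS Credential Dumping: Security Account Manager) instead of, or in addition to, T1589, since the tactic annotations and analytic stories are derived from these IDs. Removing `confidence`, `impact`, `message`, `observable`, `required_fields` and `risk_score` without adding an `rba` block is consistent with `type: Hunting`.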
@@ -1,16 +1,33 @@ name: Windows Gather Victim Network Info Through Ip Check Web Services id: 70f7c952-0758-46d6-9148-d8969c4481d1 -version: 7 -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network. +description: The following analytic detects processes attempting to connect to known + IP check web services. This behavior is identified using Sysmon EventCode 22 logs, + specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". + This activity is significant as it is commonly used by malware, such as Trickbot, + for reconnaissance to determine the infected machine's IP address. If confirmed + malicious, this could allow attackers to gather network information, aiding in further + attacks or lateral movement within the network. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*", "*icanhazip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. -known_false_positives: Filter internet browser application to minimize the false positive of this detection. 
+search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", + "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", + "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", + "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", + "*geoip.*", "*icanhazip.*") | stats min(_time) as firstTime max(_time) as lastTime + count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer + | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, dns query name process path , and query ststus from + your endpoints like EventCode 22. If you are using Sysmon, you must have at least + version 12 of the Sysmon TA. +known_false_positives: Filter internet browser application to minimize the false positive + of this detection. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ tags: 
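Review bot: `how_to_implement` in this hunk still carries the typos "dns query name process path ," and "query ststus"; since the paragraph is being re-wrapped, fix them to "DNS query name, process path, and query status". In the `QueryName IN (...)` list, `ident.me` and `www.myexternalip.com` have no leading `*` while every other entry does, so lookups such as `v4.ident.me` are missed; `*icanhazip.com` is redundant with `*icanhazip.*`; and `*zen.spamhaus.org`, `*cbl.abuseat.org`, `*b.barracudacentral.org`, `*dnsbl-1.uceprotect.net` and `*spam.dnsbl.sorbs.net` are DNS blocklist zones that mail servers and anti-spam agents query continuously, which `known_false_positives` (browsers only) does not mention. Either move the DNSBL names into their own analytic or extend the false-positive note to cover mail infrastructure.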
@@ -23,36 +40,18 @@ tags: - PXA Stealer - Meduza Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: Process connecting IP location web services on $dest$ mitre_attack_id: - T1590.005 - T1590 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ProcessId - - QueryName - - QueryStatus - - QueryResults - - dest - - EventCode - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml index 787345751e..6f3bc7bea2 100644 --- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml 
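Review bot: the test in this hunk points at the `malware/azorult/sysmon.log` dataset while the description in the previous hunk names Trickbot as the example; either mention Azorult in the description or point the test at a Trickbot dataset so the two agree. Also, `T1590.005` (Gather Victim Network Information: IP Addresses) is a Reconnaissance-tactic technique; a compromised host querying ip-check services is closer to T1016.001 (System Network Configuration Discovery: Internet Connection Discovery), which is worth adding so the Discovery tactic is annotated on the risk event.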
@@ -1,16 +1,30 @@ name: Windows Get-AdComputer Unconstrained Delegation Discovery id: c8640777-469f-4638-ab44-c34a3233ffac -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network. +description: The following analytic detects the use of the Get-ADComputer cmdlet with + parameters indicating a search for Windows endpoints with Kerberos Unconstrained + Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify + this specific activity. This behavior is significant as it may indicate an attempt + by adversaries or Red Teams to gain situational awareness and perform Active Directory + discovery. If confirmed malicious, this activity could allow attackers to identify + high-value targets for further exploitation, potentially leading to privilege escalation + or lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText = "*TrustedForDelegation*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators or power users may leverage PowerView for system management or troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText + = "*TrustedForDelegation*") | stats count min(_time) as firstTime max(_time) as + lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to + be imported. Modify the powershell macro as needed to match the sourcetype or add + index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may leverage PowerView for system + management or troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://adsecurity.org/?p=1667 
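Review bot: `known_false_positives` in this hunk says administrators "may leverage PowerView", but the query matches `Get-ADComputer`, which is the RSAT ActiveDirectory module cmdlet, not PowerView (PowerView's equivalent is `Get-DomainComputer -Unconstrained`); reword it to the ActiveDirectory module, which is also the more common benign source of this script block. The `*TrustedForDelegation*` match also fires on inventory-style `-Properties TrustedForDelegation` queries that are not filtering for delegation at all, so say so in the false-positive note.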
@@ -23,42 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 70 - impact: 50 - message: Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - UserID - risk_score: 35 security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 7278da4e3c..8d7779ac20 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml 
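Review bot: the new `rba.message`, "Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$", omits `$user$` even though `user` is one of the two risk objects and the drilldown search keys on both `$dest$` and `$user$`; include the user and the reason (the `TrustedForDelegation` filter) so the risk event is readable without opening the raw 4104. Scoring both `dest` and `user` at 35 preserves the value implied by the removed confidence 70 and impact 50.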
@@ -1,16 +1,29 @@ name: Windows Get Local Admin with FindLocalAdminAccess id: d2988160-3ce9-4310-b59d-905334920cdd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Find-LocalAdminAccess` + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part + of PowerView, a toolkit for Windows domain enumeration. 
Identifying the use of `Find-LocalAdminAccess` + is crucial as adversaries may use it to find machines where the current user has + local administrator access, facilitating lateral movement or privilege escalation. + If confirmed malicious, this activity could allow attackers to target and compromise + additional systems within the network, significantly increasing their control and + access to sensitive information. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" | + stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/ - https://attack.mitre.org/techniques/T1087/002/ 
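Review bot: `how_to_implement` in this hunk still opens with "The following Hunting analytic" while `type: TTP` is set a few lines above; drop "Hunting" so the text matches the type, since TTP is what justifies the `rba` block added in the next hunk. The description and `known_false_positives` refer to PowerView and PowerSploit interchangeably; PowerView is the module within PowerSploit that ships `Find-LocalAdminAccess`, so use one name consistently.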
@@ -21,43 +34,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint + $dest$ by user $user$. + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1087 - T1087.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - Computer - - UserID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/windows_group_discovery_via_net.yml similarity index 53% rename from detections/endpoint/net_localgroup_discovery.yml rename to detections/endpoint/windows_group_discovery_via_net.yml index 3a1e501a64..b351dac9de 100644 --- a/detections/endpoint/net_localgroup_discovery.yml +++ b/detections/endpoint/windows_group_discovery_via_net.yml 
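Review bot: the removed `required_fields` list named `Message`, which the search never used (it keys on `ScriptBlockText`), so dropping the list also removes a stale field. On the ATT&CK side, `Find-LocalAdminAccess` sweeps remote hosts to find where the current user is a local administrator, so `T1018` (Remote System Discovery) fits better than, or alongside, `T1087.002` (Account Discovery: Domain Account); the references only cite T1087/002, so add one for whichever mapping is chosen.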
@@ -1,72 +1,54 @@ -name: Net Localgroup Discovery -id: 54f5201e-155b-11ec-a6e2-acde48001122 -version: 4 -date: '2024-11-26' -author: Michael Haag, Splunk +name: Windows Group Discovery Via Net +id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44 +version: 1 +date: '2025-01-13' +author: Michael Haag, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. +description: The following analytic identifies the execution of `net.exe` with command-line arguments used to query global, local and domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local or domain groups, which is a common step in Active Directory or privileged accounts discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` Processes.process="*group*" AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_group_discovery_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present. Tune as needed. 
+known_false_positives: Administrators or power users may use this command for troubleshooting. references: +- https://attack.mitre.org/techniques/T1069/002/ - https://attack.mitre.org/techniques/T1069/001/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ tags: analytic_story: + - Windows Post-Exploitation + - Active Directory Discovery - Prestige Ransomware - - Volt Typhoon - Graceful Wipe Out Attack + - Rhysida Ransomware + - Cleo File Transfer Software + - Volt Typhoon - IcedID - Windows Discovery Techniques - - Windows Post-Exploitation - Azorult - - Active Directory Discovery - - Rhysida Ransomware asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local group discovery on $dest$ by $user$. mitre_attack_id: - T1069 - T1069.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim + - T1069.002 product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog +- name: True Positive Test + 
attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml index e53ead572a..f3a08ffa82 100644 --- a/detections/endpoint/windows_group_policy_object_created.yml +++ b/detections/endpoint/windows_group_policy_object_created.yml 
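Review bot: the `/add`/`/delete` exclusion in the new `search` is anchored to the end of the command line (`*/add`, `*/delete`), so `net localgroup administrators bob /add /domain`, or the abbreviated `/del`, are not excluded and will be reported as discovery; use `"* /add*"` and `"* /del*"` (`net.exe` accepts `/del` for `/delete`). Widening the match to `"*group*"` so that `net group ... /domain` is covered is what justifies the added T1069.002, which is good, but the `id` was changed from `54f5201e-...` to `c5c8e0f3-...` and the filter macro renamed, so existing deployments will see `Net Localgroup Discovery` disappear and their `net_localgroup_discovery_filter` tuning silently stop applying; either keep the original `id` or deprecate the old detection explicitly rather than renaming it in place. Minor: both tests are named "True Positive Test", so give them distinct names (T1069.001 and T1069.002 datasets), and add the missing trailing newline.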
@@ -1,17 +1,32 @@ name: Windows Group Policy Object Created id: 23add2a8-ea22-4fd4-8bc0-8c0b822373a1 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco status: production type: TTP data_source: - Windows Event Log Security 5136 - Windows Event Log Security 5137 -description: The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption. -search: '`wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`' -how_to_implement: To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. -known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed. 
+description: The following analytic detects the creation of a new Group Policy Object + (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service + change events to identify when a new GPO is created. Monitoring GPO creation is + crucial as adversaries can exploit GPOs to escalate privileges or deploy malware + across an Active Directory network. If confirmed malicious, this activity could + allow attackers to control system configurations, deploy ransomware, or propagate + malware, leading to widespread compromise and significant operational disruption. +search: '`wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New + Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) + ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) + as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, + 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`' +how_to_implement: To successfully implement this search, the Advanced Security Audit + policy setting `Audit Directory Service Changes` within `DS Access` needs to be + enabled. Furthermore, the appropriate system access control lists (SACL) need to + be created as the used events are not logged by default. A good guide to accomplish + this can be found here https://jgspiers.com/audit-group-policy-changes/. +known_false_positives: Group Policy Objects are created as part of regular administrative + operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 
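Review bot: `eval GPO_Name = mvindex(details, 0)` and `GPO_Path = mvindex(details, 1)` in this hunk assume `values(AttributeValue)` preserves event order, but `values()` returns the distinct values sorted lexicographically, so name and path can swap (a SYSVOL path beginning with `\\` sorts before a lowercase display name). Derive the fields from `AttributeLDAPDisplayName` instead, e.g. `| eval name=if(AttributeLDAPDisplayName="displayName", AttributeValue, null()), path=if(AttributeLDAPDisplayName="gPCFileSysPath", AttributeValue, null()) | stats values(name) as GPO_Name values(path) as GPO_Path ...`. Also, `AttributeValue!="New Group Policy Object"` drops the placeholder displayName a freshly created GPO carries, so a GPO left with that default name surfaces only via 5137 with an empty `GPO_Name`; worth a sentence in the description.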
@@ -25,45 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$User$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$User$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new group policy objected was created by $User$ + risk_objects: + - field: User + type: user + score: 40 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 50 - impact: 80 - message: A new group policy objected was created by $User$ mitre_attack_id: - T1484 - T1484.001 - T1078.002 - observable: - - name: User - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - AttributeValue - - AttributeLDAPDisplayName - - ObjectClass - - SubjectUserSid - - ObjectDN - - ObjectGUID - - Computer - risk_score: 40 security_domain: endpoint tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index 63707ce8ae..7f04828698 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -1,7 +1,7 @@ name: Windows Hidden Schedule Task Settings id: 0b730470-5fe8-4b13-93a7-fe0ad014d0cc -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -40,6 +40,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A schedule task with hidden setting enable in host $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - CISA AA22-257A 
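Review bot: the `rba` block added for the GPO detection makes `User` the risk object, but `User` is `values(SubjectUserSid)` from the stats in the previous hunk, i.e. a SID such as S-1-5-21-..., so the risk index will carry SIDs that the ES asset and identity framework will not resolve to an account; add `values(SubjectUserName) as User` (5136 and 5137 both carry it) or keep both fields. In the Windows Hidden Schedule Task Settings hunks run together on this line, the new `rba.message` "A schedule task with hidden setting enable in host $dest$" should read "A scheduled task with the hidden setting enabled on host $dest$"; the `version: '4'` to `version: 5` change from a quoted string to an integer is a correct normalization.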
@@ -49,34 +56,17 @@ tags: - Compromised Windows Host - Active Directory Discovery asset_type: Endpoint - confidence: 80 - impact: 80 - message: A schedule task with hidden setting enable in host $dest$ mitre_attack_id: - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Task_Name - - Command - - Author - - Enabled - - Hidden - - Arguments - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index d3136294c2..859425c0f0 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml 
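Review bot: `mitre_attack_id` in this hunk keeps only the parent `T1053`; the removed `required_fields` (`Task_Name`, `Hidden`, `Author`, `Arguments`) show this fires on scheduled-task attributes, so the sub-technique `T1053.005` (Scheduled Task/Job: Scheduled Task) should be listed alongside it, as the other files in this patch do for their sub-techniques. Dropping `update_timestamp: true` from the test block matches the other files, so that part is consistent.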
@@ -5,11 +5,17 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected. +description: The following analytic detects suspicious registry modifications aimed + at hiding common Windows notification features on a compromised host. It leverages + data from the Endpoint.Registry data model, focusing on specific registry paths + and values. This activity is significant as it is often used by ransomware to obscure + visual indicators, increasing the impact of the attack. If confirmed malicious, + this could prevent users from noticing critical system alerts, thereby aiding the + attacker in maintaining persistence and furthering their malicious activities undetected. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name 
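Review bot: windows_hide_notification_features_through_registry.yml is the only file in this patch that gains an `rba` block (in the following hunk) without a `version`/`date` bump; the hunk starts at line 5 with `date: '2024-12-08'` as unchanged context, so `version` is untouched while the sibling files all go up by one. If the 2024-12-08 bump already accounted for the observable-to-rba migration, ignore this; otherwise bump `version` so ES picks up the changed risk configuration.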
@@ -29,42 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification to hide windows notification on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Ransomware - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry modification to hide windows notification on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index 91e856414c..7c18190d62 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml 
@@ -1,17 +1,35 @@ name: Windows High File Deletion Frequency id: 45b125c4-866f-11eb-a95a-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery. +description: The following analytic identifies a high frequency of file deletions + by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection + leverages Sysmon logs to track deleted target filenames, process names, and process + IDs. Such activity is significant as it often indicates ransomware behavior, where + files are encrypted and the originals are deleted. If confirmed malicious, this + activity could lead to extensive data loss and operational disruption, as ransomware + can render critical files inaccessible, demanding a ransom for their recovery. 
data_source: - Sysmon EventID 23 - Sysmon EventID 26 -search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.cmd", "*.ini","*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", "*.win") NOT TargetFilename IN ("*\\INetCache\\Content.Outlook\\*") | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`' -how_to_implement: To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -known_false_positives: Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives. 
+search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.cmd", "*.ini","*.gif", + "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", + "*.pptx", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", + "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", "*.win") NOT + TargetFilename IN ("*\\INetCache\\Content.Outlook\\*") | stats count, values(TargetFilename) + as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, + signature, signature_id, Image, process_name, process_guid | rename Image as process + | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_high_file_deletion_frequency_filter`' +how_to_implement: To successfully implement this search, you need to ingest logs that + include the deleted target file name, process name, and process ID from your endpoints. + If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. +known_false_positives: Users may delete a large number of pictures or files in a folder, + which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook + may also result in false positives. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html 
@@ -22,9 +40,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Elevated file deletion rate observed from process [$process_name$] on machine + $dest$ + risk_objects: + - field: user + type: user + score: 72 + - field: dest + type: system + score: 72 + threat_objects: + - field: deleted_files + type: file_name + - field: process_name + type: process_name tags: analytic_story: - Clop Ransomware 
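Review bot: in windows_high_file_deletion_frequency.yml the new `threat_objects` entry `deleted_files` (type `file_name`) is the `values(TargetFilename)` multivalue produced by the `stats`, and the `where count >=100` threshold guarantees it holds at least 100 paths per matching row. Confirm that is the intended threat object for the risk index; if only the process is wanted as the threat object, drop `deleted_files` and keep `process_name`, or cap the list (e.g. with `mvindex(deleted_files, 0, 9)`) before it reaches the risk event.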
@@ -35,45 +73,17 @@ tags: - Sandworm Tools - Handala Wiper asset_type: Endpoint - confidence: 80 - impact: 90 - message: Elevated file deletion rate observed from process [$process_name$] on machine $dest$ mitre_attack_id: - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: deleted_files - type: File Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - TargetFilename - - dest - - user - - Image - - ProcessID - - _time - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index 9278044b65..392783e8d3 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml 
@@ -1,15 +1,28 @@ name: Windows Hijack Execution Flow Version Dll Side Load id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a process loading a version.dll file from a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host. +description: The following analytic detects a process loading a version.dll file from + a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages + Sysmon EventCode 7 to identify instances where an unsigned or improperly located + version.dll is loaded. This activity is significant as it is a common technique + used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute + malicious code via DLL side loading. If confirmed malicious, this could allow attackers + to execute arbitrary code, maintain persistence, and potentially compromise the + target host. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded = "*\\version.dll" AND (Signed = "false" OR NOT(ImageLoaded IN("*\\windows\\system32*", "*\\windows\\syswow64\\*"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`' -how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. +search: '`sysmon` EventCode=7 ImageLoaded = "*\\version.dll" AND (Signed = "false" + OR NOT(ImageLoaded IN("*\\windows\\system32*", "*\\windows\\syswow64\\*"))) | stats + count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name + dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_hijack_execution_flow_version_dll_side_load_filter`' +how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 + will add the ImageLoaded name to the process_name field, allowing this query to + work. Use as an example and implement for other products. known_false_positives: unknown references: - https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/ 
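Review bot: the reflowed search in windows_hijack_execution_flow_version_dll_side_load.yml keeps an inconsistent allow-list: `"*\\windows\\system32*"` has no trailing `\\*` while `"*\\windows\\syswow64\\*"` does, so a `version.dll` loaded from any directory whose name merely begins with `\windows\system32` (a sibling such as `\windows\system32_x\`) is treated as the legitimate location and suppressed unless it is also unsigned. Use `"*\\windows\\system32\\*"` to match the syswow64 pattern.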
@@ -19,43 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $Image$ loading $ImageLoaded$ as a side load dll on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 70 - impact: 50 - message: a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$ mitre_attack_id: - T1574.001 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml similarity index 82% rename from detections/endpoint/windows_msiexec_with_network_connections.yml rename to detections/endpoint/windows_http_network_communication_from_msiexec.yml index d905f866d0..d312721aa7 100644 --- a/detections/endpoint/windows_msiexec_with_network_connections.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml 
@@ -1,14 +1,14 @@ -name: Windows MSIExec With Network Connections -id: 827409a1-5393-4d8d-8da4-bbb297c262a7 -version: 4 -date: '2024-09-30' +name: Windows HTTP Network Communication From MSIExec +id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99 +version: 2 +date: '2025-01-17' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment. data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id 
Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_http_network_communication_from_msiexec_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives will be present and filtering is required. references: 
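Review bot: the renamed search in windows_http_network_communication_from_msiexec.yml still joins the Processes and All_Traffic results with `join process_id` alone, so a PID on one host is matched against network traffic with the same PID on any other host (and at any time), and the subsearch's `dest` then overwrites the process-side `dest`; join on `process_id dest` (or on process GUID, which `how_to_implement` already asks to be ingested) to keep the correlation host-scoped. The `security_content_ctime(firstTime)` / `security_content_ctime(lastTime)` calls also reference fields the outer `tstats` never computes (it only produces `count`); either add `min(_time) as firstTime max(_time) as lastTime` or drop the two macros. Separately, the file gets a brand-new `id` but `version: 2`; if this is meant to be a new analytic rather than a continuation of `827409a1-...`, confirm the old id is handled via the project's deprecation path so existing risk annotations are not orphaned.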
@@ -23,49 +23,31 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ contacting + a remote destination $dest_ip$ + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$ mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_id - - Processes.process_name - - Processes.dest - - Processes.process_path - - Processes.process - - Processes.parent_process_name - - All_Traffic.process_id - - All_Traffic.dest - - All_Traffic.dest_port - - All_Traffic.dest_ip - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test 
@@ -73,4 +55,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index c2ae850c07..8dd3e10940 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml 
@@ -1,16 +1,30 @@ name: Windows Hunting System Account Targeting Lsass id: 1c6abb08-73d1-11ec-9ca0-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment. +description: The following analytic identifies processes attempting to access Lsass.exe, + which may indicate credential dumping or applications needing credential access. + It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like + TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized + access to Lsass.exe can lead to credential theft, posing a severe security risk. + If confirmed malicious, attackers could gain access to sensitive credentials, potentially + leading to privilege escalation and further compromise of the environment. data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -known_false_positives: False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics. +search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as + firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, + SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. +known_false_positives: False positives will occur based on GrantedAccess and SourceUser, + filter based on source image as needed. Utilize this hunting analytic to tune out + false positives in TTP or anomaly analytics. references: - https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump 
@@ -22,39 +36,18 @@ tags: - CISA AA23-347A - Credential Dumping asset_type: Endpoint - confidence: 80 - impact: 80 - message: A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details. mitre_attack_id: - T1003.001 - T1003 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - TargetImage - - GrantedAccess - - SourceImage - - SourceProcessId - - SourceUser - - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml index ec62c76be2..dd2523b526 100644 --- a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml +++ b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml 
@@ -1,16 +1,46 @@ name: Windows Identify PowerShell Web Access IIS Pool id: d8419343-f0f8-4d8e-91cc-18bb531df87d -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Windows Event Log Security 4648 type: Hunting status: production -description: This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both connection attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA's operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool. 
-search: '`wineventlog_security` (EventCode=4648 OR EventCode=4624 OR EventCode=4625) SubjectUserName="pswa_pool" | fields EventCode, SubjectUserName, TargetUserName, Computer, TargetDomainName, ProcessName, LogonType | rename Computer as dest | stats count(eval(EventCode=4648)) as "Connection Attempts", count(eval(EventCode=4624)) as "Successful Logons", count(eval(EventCode=4625)) as "Unsuccessful Logons", dc(TargetUserName) as "Unique Target Accounts", values(dest) as "PSWA Host", dc(TargetDomainName) as "Unique Target Domains", values(ProcessName) as "PSWA Process", values(TargetUserName) as "Target Users List", values(TargetServerName) as "Target Servers List", values(LogonType) as "Logon Types" | eval PSWA_Running = "Yes", "PSWA Process" = mvindex(split(mvindex("PSWA Process", 0), "\\"), -1) | fields PSWA_Running, "PSWA Host", "PSWA Process", "Connection Attempts", "Successful Logons","Unsuccessful Logons", "Unique Target Accounts", "Unique Target Domains", "Target Users List","Target Servers List", "Logon Types" | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_identify_powershell_web_access_iis_pool_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event logs, specifically Event ID 4648 (A logon was attempted using explicit credentials). Ensure that your Windows systems are configured to audit logon events and that these logs are being forwarded to your SIEM or log management solution. You may need to enable advanced audit policy settings in Windows to capture these events. Additionally, make sure that your environment is set up to capture the necessary fields such as SubjectUserName, TargetUserName, Computer, TargetServerName, and ProcessName from these events. If you're using Splunk, ensure that you have the appropriate Windows TA installed and configured to collect these security logs. 
-known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity. +description: This analytic detects and analyzes PowerShell Web Access (PSWA) usage + in Windows environments. It tracks both connection attempts (EventID 4648) and successful + logons (EventID 4624) associated with PSWA, providing a comprehensive view of access + patterns. The analytic identifies PSWA's operational status, host servers, processes, + and connection metrics. It highlights unique target accounts, domains accessed, + and verifies logon types. This information is crucial for detecting potential misuse, + such as lateral movement, brute force attempts, or unusual access patterns. By offering + insights into PSWA activity, it enables security teams to quickly assess and investigate + potential security incidents involving this powerful administrative tool. +search: '`wineventlog_security` (EventCode=4648 OR EventCode=4624 OR EventCode=4625) + SubjectUserName="pswa_pool" | fields EventCode, SubjectUserName, TargetUserName, + Computer, TargetDomainName, ProcessName, LogonType | rename Computer as dest | stats + count(eval(EventCode=4648)) as "Connection Attempts", count(eval(EventCode=4624)) + as "Successful Logons", count(eval(EventCode=4625)) as "Unsuccessful Logons", dc(TargetUserName) + as "Unique Target Accounts", values(dest) as "PSWA Host", dc(TargetDomainName) as + "Unique Target Domains", values(ProcessName) as "PSWA Process", values(TargetUserName) + as "Target Users List", values(TargetServerName) as "Target Servers List", values(LogonType) + as "Logon Types" | eval PSWA_Running = "Yes", "PSWA Process" = mvindex(split(mvindex("PSWA + Process", 0), "\\"), -1) | fields PSWA_Running, "PSWA Host", "PSWA Process", "Connection + Attempts", "Successful Logons","Unsuccessful Logons", "Unique Target Accounts", + "Unique Target Domains", "Target 
Users List","Target Servers List", "Logon Types" + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_identify_powershell_web_access_iis_pool_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event logs, specifically Event ID 4648 (A logon was attempted using + explicit credentials). Ensure that your Windows systems are configured to audit + logon events and that these logs are being forwarded to your SIEM or log management + solution. You may need to enable advanced audit policy settings in Windows to capture + these events. Additionally, make sure that your environment is set up to capture + the necessary fields such as SubjectUserName, TargetUserName, Computer, TargetServerName, + and ProcessName from these events. If you're using Splunk, ensure that you have + the appropriate Windows TA installed and configured to collect these security logs. +known_false_positives: False positives may occur if legitimate PSWA processes are + used for administrative tasks. Careful review of the logs is recommended to distinguish + between legitimate and malicious activity. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 
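Review bot: the rewrapped `search` in windows_identify_powershell_web_access_iis_pool.yml carries three defects that survive the reflow. First, the `fields EventCode, SubjectUserName, TargetUserName, Computer, TargetDomainName, ProcessName, LogonType` clause drops `TargetServerName`, so the later `values(TargetServerName) as "Target Servers List"` is always empty; add `TargetServerName` to the `fields` list. Second, the `stats` never computes `min(_time) as firstTime max(_time) as lastTime`, so the trailing `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` macros operate on fields that do not exist; either add those aggregations to `stats` or drop the two macros. Third, in `eval PSWA_Running = "Yes", "PSWA Process" = mvindex(split(mvindex("PSWA Process", 0), "\\"), -1)` the right-hand `"PSWA Process"` is a double-quoted string literal, not a field reference; a field name containing a space must be single-quoted in eval expressions (`mvindex('PSWA Process', 0)`), otherwise the split runs on the literal text and the column ends up holding `PSWA Process` rather than the process basename. Separately, `how_to_implement` still says the search needs "specifically Event ID 4648", while the query now also depends on 4624 and 4625; the implementation text should list all three.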
@@ -18,34 +48,18 @@ tags: analytic_story: - CISA AA24-241A asset_type: Endpoint - confidence: 80 - impact: 80 - message: PowerShell Web Access (PSWA) IIS Application Pool activity detected on $PSWA Host$. mitre_attack_id: - T1190 - observable: - - name: PSWA Host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - SubjectUserName - - TargetUserName - - dest - - TargetServerName - - ProcessName - risk_score: 64 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_4624_pswa_pool.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_4624_pswa_pool.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Security diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index 5299a3c22a..f6b47a5ac9 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml +++ b/detections/endpoint/windows_identify_protocol_handlers.yml 
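Review bot: in the `tags` hunk of windows_identify_powershell_web_access_iis_pool.yml the removed `message` ("PowerShell Web Access (PSWA) IIS Application Pool activity detected on $PSWA Host$.") and `risk_score: 64` are not carried into an `rba` block, whereas windows_iis_components_add_new_module.yml in the same change migrates its message and score to `rba:`. That is only correct if this detection's `type` is Hunting (the type line is outside this hunk); if it is Anomaly or TTP, the risk message and score are silently lost and an `rba` block with `risk_objects` for `dest` should be added. Note also that the message token `$PSWA Host$` refers to a field name containing a space, which is worth confirming works for substitution before it is reused in an `rba.message`.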
@@ -1,18 +1,39 @@ name: Windows Identify Protocol Handlers id: bd5c311e-a6ea-48ae-a289-19a3398e3648 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk. +description: The following analytic identifies the use of protocol handlers executed + via the command line. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process and command-line telemetry. This activity is significant + because protocol handlers can be exploited to execute arbitrary commands or launch + applications, potentially leading to unauthorized actions. If confirmed malicious, + an attacker could use this technique to gain code execution, escalate privileges, + or maintain persistence within the environment, posing a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" | `windows_identify_protocol_handlers_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Processes.process) as process values(Processes.parent_process) + as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name + Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup + windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" + | `windows_identify_protocol_handlers_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be found. https and http is a URL Protocol + handler that will trigger this analytic. Tune based on process or command-line. references: - https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e - https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html 
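Review bot: the rewrapped `known_false_positives` in windows_identify_protocol_handlers.yml still reads "https and http is a URL Protocol handler that will trigger this analytic"; since this line is being touched anyway, fix the agreement and casing: "https and http are URL protocol handlers that will trigger this analytic." The `search` and `how_to_implement` changes in this hunk are whitespace-only reflows and are consistent with the original single-line text.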
@@ -27,51 +48,17 @@ tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 20 - impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler. mitre_attack_id: - T1059 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 58cef41331..eb129002c3 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml 
@@ -1,18 +1,40 @@ name: Windows IIS Components Add New Module id: 38fe731c-1f13-43d4-b878-a5bbe44807e3 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the execution of AppCmd.exe to install a new module in IIS. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it to install webshells or backdoors, leading to credit card scraping, persistence, and further post-exploitation. If confirmed malicious, this could allow attackers to maintain persistent access, execute arbitrary code, and potentially exfiltrate sensitive information from the compromised web server. +description: The following analytic detects the execution of AppCmd.exe to install + a new module in IIS. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as adversaries may use it to install webshells or backdoors, leading + to credit card scraping, persistence, and further post-exploitation. If confirmed + malicious, this could allow attackers to maintain persistent access, execute arbitrary + code, and potentially exfiltrate sensitive information from the compromised web + server. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*install *", "*module *") AND Processes.process="*image*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present until properly tuned. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN + ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process + IN ("*install *", "*module *") AND Processes.process="*image*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present until properly tuned. Filter + as needed. references: - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ - https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf 
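Review bot: the version bump in windows_iis_components_add_new_module.yml goes from `-version: 4` to `+version: 6`, skipping 5, while every other detection in this change increments by exactly one (5 to 6, 3 to 4). Either this is intentional because a version 5 exists on another branch, in which case a note in the PR description would help, or it should be `version: 5` for consistency. The rest of the hunk (description, search, how_to_implement, known_false_positives) is a whitespace-only reflow.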
@@ -26,59 +48,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to install a new IIS module. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - IIS Components asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module. 
mitre_attack_id: - T1505 - T1505.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml index 2febc40bd3..25f6016ba5 100644 --- a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml +++ b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml 
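Review bot: the new `rba` block in windows_iis_components_add_new_module.yml faithfully mirrors the removed fields: `score: 64` on both `user` and `dest` matches the deleted `risk_score: 64`, the message is unchanged, and the `threat_objects` (`parent_process_name`, `process_name`) correspond to the deleted Attacker observables. All four tokens in the message (`$parent_process_name$`, `$process_name$`, `$dest$`, `$user$`) are present in the search's `by` clause, so substitution will resolve. One thing to double-check: the deleted observable for `dest` was `type: Hostname`, and the new entry uses `type: system`; confirm that is the intended mapping in the new schema rather than a copy from a different detection.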
@@ -1,16 +1,27 @@ name: Windows IIS Components Get-WebGlobalModule Module Query id: 20db5f70-34b4-4e83-8926-fa26119de173 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation. +description: The following analytic identifies the execution of the PowerShell cmdlet + Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages + PowerShell input data to detect this activity by capturing the module names and + the image paths of the DLLs. This activity is significant for a SOC because it can + indicate an attempt to enumerate installed IIS modules, which could be a precursor + to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this + could allow an attacker to gain insights into the web server's configuration, potentially + leading to further exploitation or privilege escalation. data_source: - Powershell Installed IIS Modules -search: '`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`' -how_to_implement: You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. 
Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 -known_false_positives: This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed. +search: '`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) + as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`' +how_to_implement: You must ingest the PwSh cmdlet Get-WebGlobalModule in order to + utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 +known_false_positives: This analytic is meant to assist with hunting modules across + a fleet of IIS servers. Filter and modify as needed. references: - https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts - https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 @@ -20,32 +31,18 @@ tags: - IIS Components - WS FTP Server Critical Vulnerabilities asset_type: Endpoint - confidence: 10 - impact: 10 - message: IIS Modules have been listed on $dest$. mitre_attack_id: - T1505.004 - T1505 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - host - - name - - image - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log source: powershell://AppCmdModules sourcetype: Pwsh:InstalledIISModules - update_timestamp: true 
diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml index 1bcc9ddeae..cf09db6fe1 100644 --- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml +++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml 
@@ -1,16 +1,27 @@ name: Windows IIS Components Module Failed to Load id: 40c2ba5b-dd6a-496b-9e6e-c9524d0be167 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects when an IIS Module DLL fails to load due to a configuration problem, identified by EventCode 2282. This detection leverages Windows Application event logs to identify repeated failures in loading IIS modules. Such failures can indicate misconfigurations or potential tampering with IIS components. If confirmed malicious, this activity could lead to service disruptions or provide an attacker with opportunities to exploit vulnerabilities within the IIS environment. Immediate investigation is required to determine the legitimacy of the failing module and to mitigate any potential security risks. +description: The following analytic detects when an IIS Module DLL fails to load due + to a configuration problem, identified by EventCode 2282. This detection leverages + Windows Application event logs to identify repeated failures in loading IIS modules. + Such failures can indicate misconfigurations or potential tampering with IIS components. + If confirmed malicious, this activity could lead to service disruptions or provide + an attacker with opportunities to exploit vulnerabilities within the IIS environment. + Immediate investigation is required to determine the legitimacy of the failing module + and to mitigate any potential security risks. data_source: - Windows Event Log Application 2282 -search: '`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`' -how_to_implement: IIS must be installed and Application event logs must be collected in order to utilize this analytic. 
-known_false_positives: False positives will be present until all module failures are resolved or reviewed. +search: '`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`' +how_to_implement: IIS must be installed and Application event logs must be collected + in order to utilize this analytic. +known_false_positives: False positives will be present until all module failures are + resolved or reviewed. references: - https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ 
@@ -25,40 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new IIS Module has been loaded and should be reviewed on $dest$. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - IIS Components asset_type: Endpoint - confidence: 50 - impact: 50 - message: A new IIS Module has been loaded and should be reviewed on $dest$. 
mitre_attack_id: - T1505 - T1505.004 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OpCode - - EventCode - - ComputerName - - Message - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml index 8c34e99e1e..6b24987b30 100644 --- a/detections/endpoint/windows_iis_components_new_module_added.yml +++ b/detections/endpoint/windows_iis_components_new_module_added.yml 
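Review bot: the `rba.message` added to windows_iis_components_module_failed_to_load.yml reads "A new IIS Module has been loaded and should be reviewed on $dest$.", which is the same text as in windows_iis_components_new_module_added.yml and describes the opposite condition. This detection fires on Application EventCode 2282, an IIS module DLL that failed to load; the old `message` field had the same wrong text, but since the migration rewrites the message anyway it should say something like "An IIS module failed to load (EventCode 2282) on $dest$ and should be reviewed." The `score: 25` matches the removed `risk_score: 25`, and the deleted `required_fields` (`OpCode`, `ComputerName`, `Message`) never matched this search's actual fields (`dest`, `Name`, `ModuleDll`), so dropping them is a net improvement.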
@@ -1,16 +1,27 @@ name: Windows IIS Components New Module Added id: 55f22929-cfd3-4388-ba5c-4d01fac7ee7e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the addition of new IIS modules on a Windows IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, specifically EventCode 29, to identify this activity. This behavior is significant because IIS modules are rarely added to production servers, and unauthorized modules could indicate malicious activity. If confirmed malicious, an attacker could use these modules to execute arbitrary code, escalate privileges, or maintain persistence within the environment, potentially compromising the server and sensitive data. +description: The following analytic detects the addition of new IIS modules on a Windows + IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, + specifically EventCode 29, to identify this activity. This behavior is significant + because IIS modules are rarely added to production servers, and unauthorized modules + could indicate malicious activity. If confirmed malicious, an attacker could use + these modules to execute arbitrary code, escalate privileges, or maintain persistence + within the environment, potentially compromising the server and sensitive data. data_source: - Windows IIS 29 -search: '`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`' -how_to_implement: You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040. 
-known_false_positives: False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed. +search: '`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime + max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName + AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_iis_components_new_module_added_filter`' +how_to_implement: You must enabled the IIS Configuration Operational log before ingesting + in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040. +known_false_positives: False positives may be present when updates or an administrator + adds a new module to IIS. Monitor and filter as needed. references: - https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ 
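Review bot: the rewrapped `how_to_implement` in windows_iis_components_new_module_added.yml keeps the grammatical error "You must enabled the IIS Configuration Operational log before ingesting in Splunk"; since the line is being rewritten, change it to "You must enable the IIS Configuration Operational log before ingesting it in Splunk." The `search` reflow is otherwise equivalent to the original single-line query.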
@@ -25,40 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new IIS Module has been loaded and should be reviewed on $dest$. + risk_objects: + - field: dest + type: system + score: 48 + threat_objects: [] tags: analytic_story: - IIS Components asset_type: Endpoint - confidence: 80 - impact: 60 - message: A new IIS Module has been loaded and should be reviewed on $dest$. 
mitre_attack_id: - T1505 - T1505.004 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OpCode - - EventCode - - ComputerName - - Message - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log source: IIS:Configuration:Operational sourcetype: IIS:Configuration:Operational - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml index d2c3561749..2bc0b705bb 100644 --- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml +++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml 
@@ -1,53 +1,58 @@ name: Windows Impair Defense Add Xml Applocker Rules id: 467ed9d9-8035-470e-ad5e-ae5189283033 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the use of a PowerShell commandlet to import an AppLocker XML policy. This behavior is identified by monitoring processes that execute the "Import-Module Applocker" and "Set-AppLockerPolicy" commands with the "-XMLPolicy" parameter. This activity is significant because it can indicate an attempt to disable or bypass security controls, as seen in the Azorult malware. If confirmed malicious, this could allow an attacker to disable antivirus products, leading to further compromise and persistence within the environment. +description: The following analytic detects the use of a PowerShell commandlet to + import an AppLocker XML policy. This behavior is identified by monitoring processes + that execute the "Import-Module Applocker" and "Set-AppLockerPolicy" commands with + the "-XMLPolicy" parameter. This activity is significant because it can indicate + an attempt to disable or bypass security controls, as seen in the Azorult malware. + If confirmed malicious, this could allow an attacker to disable antivirus products, + leading to further compromise and persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process="*Import-Module Applocker*" AND Processes.process="*Set-AppLockerPolicy *" AND Processes.process="* -XMLPolicy *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may execute this command that may cause some false positive. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_powershell` AND Processes.process="*Import-Module Applocker*" AND + Processes.process="*Set-AppLockerPolicy *" AND Processes.process="* -XMLPolicy + *" by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_add_xml_applocker_rules_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may execute this command that may cause some + false positive. 
references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 50 - impact: 50 - message: Applocker importing xml policy command was executed in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml index ef1d9823a0..c792290ae4 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml 
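Review bot: for windows_impair_defense_add_xml_applocker_rules.yml no `rba` block replaces the removed `message`, `confidence`, `impact` and `risk_score: 25`. That is expected for `type: Hunting` (hunting searches do not emit risk events), so say so in the PR description rather than leaving it to look like an omission. The removed `required_fields` listed `Registry.*` fields although the search reads `datamodel=Endpoint.Processes`, so nothing of value is lost there. While `known_false_positives` is being reflowed anyway, "Administrators may execute this command that may cause some false positive." should read "Administrators may execute this command, which may cause false positives."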
@@ -1,16 +1,33 @@ name: Windows Impair Defense Change Win Defender Health Check Intervals id: 5211c260-820e-4366-b983-84bbfb5c263a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the "ServiceKeepAlive" registry path with a value of "0x00000001". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that change the health check interval of Windows Defender. It leverages data from + the Endpoint datamodel, specifically monitoring changes to the "ServiceKeepAlive" + registry path with a value of "0x00000001". This activity is significant because + altering Windows Defender settings can impair its ability to perform timely health + checks, potentially leaving the system vulnerable. If confirmed malicious, this + could allow an attacker to disable or delay security scans, increasing the risk + of undetected malware or other malicious activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\ServiceKeepAlive" Registry.registry_value_data="0x00000001" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
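Review bot: in windows_impair_defense_change_win_defender_health_check_intervals.yml the prose and the search disagree. The name, the description and the `rba.message` in the following hunk all speak of a "health check interval", but the search matches `Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive"` with `Registry.registry_value_data="0x00000001"`, a fixed flag value rather than an interval, and `known_false_positives` talks about turning the feature off while the search fires on the value being set to 1. Either describe the `ServiceKeepAlive` write that is actually detected, or revisit the value filter. Separately, `how_to_implement` promises "the name of the process responsible for the changes" but the `by` clause has no `Registry.process_guid` (the app-install-control search later in this patch groups by it); add it so the writing process reaches the risk event.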
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: change in the health check interval of Windows Defender on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: change in the health check interval of Windows Defender on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml index 94c6f8d4ef..a224548d49 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml 
@@ -1,16 +1,32 @@ name: Windows Impair Defense Change Win Defender Quick Scan Interval id: 783f0798-f679-4c17-b3b3-187febf0b9b8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the "QuickScanInterval" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Scan\\QuickScanInterval" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. 
+description: The following analytic detects modifications to the Windows registry + that change the Windows Defender Quick Scan Interval. It leverages data from the + Endpoint.Registry data model, focusing on changes to the "QuickScanInterval" registry + path. This activity is significant because altering the scan interval can impair + Windows Defender's ability to detect malware promptly, potentially allowing threats + to persist undetected. If confirmed malicious, this modification could enable attackers + to bypass security measures, maintain persistence, and execute further malicious + activities without being detected by quick scans. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Scan\\QuickScanInterval" by Registry.registry_key_name Registry.user Registry.registry_path + Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
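Review bot: windows_impair_defense_change_win_defender_quick_scan_interval.yml fires on any write to `*\\Windows Defender\\Scan\\QuickScanInterval` because, unlike the sibling searches in this patch, it carries no `Registry.registry_value_data` condition, so a policy that restores the default interval scores the same 49 as one that stretches it. If that is intended, the `known_false_positives` text ("It is unusual to turn this feature off") is copy-pasted from the on/off detections and should describe legitimate interval changes instead; otherwise constrain the value, or at least surface it to the analyst, since `registry_value_data` is already in the `by` clause.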
@@ -20,42 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender QuickScanInterval feature was modified on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender QuickScanInterval feature was modified on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml index 3c57475c12..e3a4566aee 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Change Win Defender Throttle Rate id: f7da5fca-9261-43de-a4d0-130dad1e4f4d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. 
+description: The following analytic detects modifications to the ThrottleDetectionEventsRate + registry setting in Windows Defender. It leverages data from the Endpoint.Registry + datamodel to identify changes in the registry path related to Windows Defender's + event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate + can reduce the frequency of logged detection events, potentially masking malicious + activities. If confirmed malicious, this could allow an attacker to evade detection + by decreasing the visibility of security events, thereby hindering incident response + and forensic investigations. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml index cef41ea783..65ccb49c07 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml 
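Review bot: in windows_impair_defense_change_win_defender_throttle_rate.yml the new `rba.message` only says the setting "was modified on $dest$", yet `Registry.registry_value_data` is already in the `by` clause and is the one value an analyst needs to judge the event. Suggest carrying it into the message, e.g. `message: Windows Defender ThrottleDetectionEventsRate was set to $registry_value_data$ on $dest$.`; the same applies to the QuickScanInterval and WppTracingLevel messages elsewhere in this patch. The `known_false_positives` text in the preceding hunk is again the on/off boilerplate and does not fit a rate setting.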
@@ -1,16 +1,33 @@ name: Windows Impair Defense Change Win Defender Tracing Level id: fe9391cd-952a-4c64-8f56-727cb0d4f2d4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry specifically targeting the "WppTracingLevel" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\WppTracingLevel" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + specifically targeting the "WppTracingLevel" setting within Windows Defender. This + detection leverages data from the Endpoint.Registry data model to identify changes + in the registry path associated with Windows Defender tracing levels. Such modifications + are significant as they can impair the diagnostic capabilities of Windows Defender, + potentially hiding malicious activities. If confirmed malicious, this activity could + allow an attacker to evade detection and maintain persistence within the environment, + leading to further compromise and data exfiltration. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Reporting\\WppTracingLevel" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender WppTracingLevel registry was modified on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender WppTracingLevel registry was modified on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml index 2b4073a4ba..37fa2f4bbf 100644 --- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml +++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml @@ -1,7 +1,7 @@ name: Windows Impair Defense Configure App Install Control id: c54b7439-cfb1-44c3-bb35-b0409553077c -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
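Review bot: the windows_impair_defense_configure_app_install_control.yml header hunk bumps to `version: 5` / `date: '2025-01-21'` while every other file in this patch moves to `date: '2024-11-13'`. If the bump is driven by the same `rba` migration as the rest, the date should match; if the file was already on version 4 from its 2024-11-14 change, a bump for the whitespace-only reflow of the search in the @@ -15,11 hunk is questionable. State which it is in the PR.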
@@ -15,11 +15,11 @@ description: The following analytic detects modifications to the Windows registr increasing the risk of security vulnerabilities. If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" - Registry.registry_value_data= "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows - Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= - "0x00000000") BY Registry.dest Registry.user Registry.registry_path +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows + Defender\\SmartScreen\\ConfigureAppInstallControl" Registry.registry_value_data= + "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" + Registry.registry_value_data= "0x00000000") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`' 
@@ -39,42 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Define Windows Defender App Install Control registry set to disable on + $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Define Windows Defender App Install Control registry set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml index 05f5946365..ce66a544a2 100644 --- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml +++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Define Win Defender Threat Action id: 7215831c-8252-4ae3-8d43-db588e82f952 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" Registry.registry_value_data IN ("0x00000001", "9") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows Defender + ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry + datamodel to identify changes in registry values that define how Windows Defender + responds to threats. This activity is significant because altering these settings + can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. + If confirmed malicious, this could enable attackers to bypass antivirus protections, + leading to persistent threats and increased risk of data compromise or further system + exploitation. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Threats\\ThreatSeverityDefaultAction*" Registry.registry_value_data IN + ("0x00000001", "9") by Registry.registry_key_name Registry.user Registry.registry_path + Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Define Windows Defender threat action through registry on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Define Windows Defender threat action through registry on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml index 6b47b19cec..22fd63a973 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Delete Win Defender Context Menu id: 395ed5fe-ad13-4366-9405-a228427bdd91 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes "*\\shellex\\ContextMenuHandlers\\EPP" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration. +description: The following analytic detects the deletion of the Windows Defender context + menu entry from the registry. It leverages data from the Endpoint datamodel, specifically + monitoring registry actions where the path includes "*\\shellex\\ContextMenuHandlers\\EPP" + and the action is 'deleted'. This activity is significant as it is commonly associated + with Remote Access Trojan (RAT) malware attempting to disable security features. + If confirmed malicious, this could allow an attacker to impair defenses, facilitating + further malicious activities such as unauthorized access, persistence, and data + exfiltration. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" + Registry.action = deleted by Registry.registry_path Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.action Registry.dest + Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
+known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ @@ -19,35 +36,18 @@ tags: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 50 - impact: 50 - message: Windows Defender context menu registry key deleted on $dest$. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml index ea9100f47c..c6dc8fd606 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Delete Win Defender Profile Registry id: 65d4b105-ec52-48ec-ac46-289d0fbf7d96 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security. +description: The following analytic detects the deletion of the Windows Defender main + profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically + monitoring for deleted actions within the Windows Defender registry path. This activity + is significant as it indicates potential tampering with security defenses, often + associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, + this action could allow an attacker to disable Windows Defender, reducing the system's + ability to detect and respond to further malicious activities, thereby compromising + endpoint security. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Policies\\Microsoft\\Windows + Defender" Registry.action = deleted by Registry.registry_path Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.action Registry.user + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
+known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ 
@@ -20,43 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender Logger registry key set to 'disabled' on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 80 - impact: 80 - message: Windows Defender Logger registry key set to 'disabled' on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml index e3c5c39b98..219aaf132f 100644 --- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml +++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml 
@@ -1,16 +1,38 @@ name: Windows Impair Defense Deny Security Software With Applocker id: e0b6ca60-9e29-4450-b51a-bba0abae2313 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a "Deny" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment. +description: The following analytic detects modifications in the Windows registry + by the Applocker utility that deny the execution of various security products. This + detection leverages data from the Endpoint.Registry datamodel, focusing on specific + registry paths and values indicating a "Deny" action against known antivirus and + security software. This activity is significant as it may indicate an attempt to + disable security defenses, a tactic observed in malware like Azorult. If confirmed + malicious, this could allow attackers to bypass security measures, facilitating + further malicious activities and persistence within the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*" AND Registry.registry_path= "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*" AND Registry.registry_value_data = "*Action\=\"Deny\"*" AND Registry.registry_value_data IN("*O=SYMANTEC*","*O=MCAFEE*","*O=KASPERSKY*","*O=BLEEPING COMPUTER*", "*O=PANDA SECURITY*","*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=AVAST*", "*O=GRIDINSOFT*", "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=DOCTOR WEB*", "*O=MALWAREBYTES*", "*O=ESET*", "*O=AVIRA*", "*O=WEBROOT*") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: False positives may be present based on organization use of Applocker. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group + Policy Objects\\*" AND Registry.registry_path= "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") + OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*" AND + Registry.registry_value_data = "*Action\=\"Deny\"*" AND Registry.registry_value_data + IN("*O=SYMANTEC*","*O=MCAFEE*","*O=KASPERSKY*","*O=BLEEPING COMPUTER*", "*O=PANDA + SECURITY*","*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=AVAST*", "*O=GRIDINSOFT*", + "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=DOCTOR WEB*", + "*O=MALWAREBYTES*", "*O=ESET*", "*O=AVIRA*", "*O=WEBROOT*") by Registry.user Registry.registry_path + Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_deny_security_software_with_applocker_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: False positives may be present based on organization use of + Applocker. Filter as needed. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11 
@@ -20,47 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Applocker registry modification to deny the action of several AV products + on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 100 - impact: 100 - message: Applocker registry modification to deny the action of several AV products on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 85281a411f..a7442f29e8 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml 
@@ -1,16 +1,34 @@ name: Windows Impair Defense Disable Controlled Folder Access id: 3032741c-d6fc-4c69-8988-be8043d6478c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects a modification in the Windows registry + that disables the Windows Defender Controlled Folder Access feature. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + EnableControlledFolderAccess registry setting. This activity is significant because + Controlled Folder Access is designed to protect critical folders from unauthorized + access, including ransomware attacks. If this activity is confirmed malicious, it + could allow attackers to bypass a key security feature, potentially leading to unauthorized + access or modification of sensitive files. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_disable_controlled_folder_access_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
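Review bot: `how_to_implement` still says you must ingest "information on process that include the name of the process responsible for the changes", but the search's `by` clause (`Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest`) never carries a process field, so the analyst is promised a process name the notable cannot show. Either add `Registry.process_name` or `Registry.process_guid` to the `by` list or reword the requirement to "registry modification events in the `Endpoint.Registry` node". Two wording issues in the same hunk: `known_false_positives` reads "turn this feature off a Windows system" (missing "on"), and Controlled Folder Access is not "a default security control", it ships disabled and is switched on by policy, so the false-positive text should warn about the opposite case (a policy reverting it to 0 during rollout).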
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender ControlledFolderAccess feature set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender ControlledFolderAccess feature set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml index 71d9d59064..9b2e886cb7 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml 
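Review bot: the new `rba.message` only interpolates `$dest$`, yet `Registry.user` is in the `by` clause and survives `drop_dm_object_name(Registry)` as `user`; include it in the message ("... set to disable on $dest$ by $user$") and consider a second entry under `risk_objects` with `field: user` / `type: user`, otherwise the RBA migration throws away the one attribution field the search already produces. The `score: 49` matches the removed `confidence: 70` / `impact: 70`, so that part of the migration is consistent.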
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Defender Firewall And Network id: 8467d8cd-b0f9-46fa-ac84-a30ad138983e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender Security Center\\Firewall and network protection\\UILockdown" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications in the Windows registry + to disable firewall and network protection settings within Windows Defender Security + Center. It leverages data from the Endpoint.Registry data model, specifically monitoring + changes to the UILockdown registry value. This activity is significant as it may + indicate an attempt to impair system defenses, potentially restricting users from + modifying firewall or network protection settings. If confirmed malicious, this + could allow an attacker to weaken the system's security posture, making it more + vulnerable to further attacks and unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender Security Center\\Firewall and network protection\\UILockdown" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
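Review bot: `description` and the later message say this detects disabling "firewall and network protection settings", but the value the search keys on, `...\Windows Defender Security Center\Firewall and network protection\UILockdown` = `0x00000001`, is the policy that hides that section of the Windows Security app; the firewall itself is untouched by it. Reword the description to "locks down (hides) the Firewall and network protection area of Windows Security, which stops users from seeing or changing those settings from the UI" so analysts do not triage it as a firewall outage. The "off a Windows system" typo from the sibling files is repeated here as well.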
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender firewall and network protection section feature set to + disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender firewall and network protection section feature set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml index 0ee6344574..ec4ffe1578 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Defender Protocol Recognition id: b2215bfb-6171-4137-af17-1a02fdd8d043 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableProtocolRecognition" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender protocol recognition feature. It leverages data + from the Endpoint.Registry data model, specifically looking for changes to the "DisableProtocolRecognition" + setting. This activity is significant because disabling protocol recognition can + hinder Windows Defender's ability to detect and respond to malware or suspicious + software. If confirmed malicious, this action could allow an attacker to bypass + antivirus defenses, facilitating further malicious activities such as data exfiltration + or system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
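Review bot: `description` says disabling protocol recognition "can hinder Windows Defender's ability to detect and respond to malware or suspicious software", which is too generic to help an analyst; the key in the search is `\Windows Defender\NIS\DisableProtocolRecognition`, and NIS is the Network Inspection System, so state that the setting turns off network protocol inspection (exploit signatures applied to network traffic) rather than file scanning. The `how_to_implement` / `by`-clause mismatch (no process field despite promising the responsible process name) and the "off a Windows system" typo apply here exactly as in the controlled-folder-access file; a single pass over the six files would fix both.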
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender Protocol Recognition set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender Protocol Recognition set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml index cd7ef023c5..904441fc7d 100644 --- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable PUA Protection id: fbfef407-cfee-4866-88c1-f8de1c16147c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\PUAProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects a modification in the Windows registry + to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection + leverages data from the Endpoint.Registry datamodel, focusing on registry path changes + related to Windows Defender. Disabling PUA protection is significant as it reduces + defenses against Potentially Unwanted Applications (PUAs), which, while not always + malicious, can negatively impact user experience and security. If confirmed malicious, + this activity could allow an attacker to introduce adware, browser toolbars, or + other unwanted software, potentially compromising system integrity and user productivity. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\PUAProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
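Review bot: the search matches `PUAProtection` only when `Registry.registry_value_data="0x00000000"`, but `PUAProtection` has three states (0 = off, 1 = block, 2 = audit), and moving a host from 1 to 2 stops blocking just as effectively for an attacker while only logging; either extend the filter to `IN ("0x00000000","0x00000002")` and mention audit mode in the description, or note explicitly that the analytic covers the hard-off case only. The description's "setting PUAProtection to 0" is otherwise consistent with the search.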
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender PUA protection set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender PUA protection set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml index f1f9073684..099cfdd44a 100644 --- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml +++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Realtime Signature Delivery id: ffd99aea-542f-448e-b737-091c1b417274 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender real-time signature delivery feature. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + registry path associated with Windows Defender signature updates. This activity + is significant because disabling real-time signature delivery can prevent Windows + Defender from receiving timely malware definitions, reducing its effectiveness. + If confirmed malicious, this action could allow attackers to bypass malware detection, + leading to potential system compromise and persistent threats. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Signature Updates\\RealtimeSignatureDelivery" Registry.registry_value_data="0x00000000" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
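Review bot: all six Defender detections in this PR point their `True Positive Test` at the same `windefender-bypas-2-sysmon.log` dataset, and this file's search only passes if a Sysmon EventID 13 write of `...\Signature Updates\RealtimeSignatureDelivery` = `0x00000000` exists in that log; the PR description should say the shared dataset was confirmed to contain each of the six values (EnableControlledFolderAccess, UILockdown, DisableProtocolRecognition, PUAProtection, RealtimeSignatureDelivery, EnableWebContentEvaluation), since a reflow-plus-RBA PR is where a silently empty test is easiest to miss.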
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender File realtime signature delivery set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender File realtime signature delivery set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml index 8d4428f317..65769893f7 100644 --- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml +++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml @@ -1,7 +1,7 @@ name: Windows Impair Defense Disable Web Evaluation id: e234970c-dcf5-4f80-b6a9-3a562544ca5b -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
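Review bot: the web-evaluation header hunk bumps `version` 4 → 5 with `date: '2025-01-21'`, while the five sibling files in the same PR go 3 → 4 with `date: '2024-11-13'` for what is visibly the same change set (search reflow plus RBA migration); if the January date is deliberate because this file was already at version 4, fine, but say so in the PR so the next reader does not read it as a stale rebase.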
@@ -15,12 +15,12 @@ description: The following analytic detects modifications to the Windows registr malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= - "0x00000000" BY Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= + "0x00000000" BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_disable_web_evaluation_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. 
@@ -37,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender web content evaluation feature set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender web content evaluation feature set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml index a984f8e37d..3f534d5b57 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Win Defender App Guard id: 8b700d7e-54ad-4d7d-81cc-1456c4703306 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender Application Guard auditing. It leverages data from + the Endpoint.Registry data model, focusing on specific registry paths and values. + This activity is significant because disabling auditing can hinder security monitoring + and threat detection within the isolated environment, making it easier for malicious + activities to go unnoticed. If confirmed malicious, this action could allow attackers + to bypass Windows Defender protections, potentially leading to unauthorized access, + data exfiltration, or further system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_disable_win_defender_app_guard_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender AuditApplicationGuard feature set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender AuditApplicationGuard feature set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml index 37a786d7e5..927ace7b58 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Win Defender Compute File Hashes id: fe52c280-98bd-4596-b6f6-a13bbf8ac7c6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\MpEngine\\EnableFileHashComputation" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender's file hash computation by setting the EnableFileHashComputation + value to 0. This detection leverages data from the Endpoint.Registry data model, + focusing on changes to the specific registry path associated with Windows Defender. + Disabling file hash computation can significantly impair Windows Defender's ability + to detect and scan for malware, making it a critical behavior to monitor. If confirmed + malicious, this activity could allow attackers to bypass Windows Defender, facilitating + undetected malware execution and persistence in the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\MpEngine\\EnableFileHashComputation" Registry.registry_value_data="0x00000000" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender File hashes computation set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender File hashes computation set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml index 0bb3f4d1fb..63d2ce14df 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Win Defender Gen reports id: 93f114f6-cb1e-419b-ac3f-9e11a3045e70 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "DisableGenericRePorts" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\DisableGenericRePorts" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications in the Windows registry + to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the "DisableGenericRePorts" registry + value. This activity is significant as it can prevent the transmission of error + reports to Microsoft's Windows Error Reporting service, potentially hiding malicious + activities. If confirmed malicious, this action could allow attackers to bypass + Windows Defender detections, reducing the visibility of their activities and increasing + the risk of undetected system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Reporting\\DisableGenericRePorts" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender DisableGenericRePorts registry is set to enable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender DisableGenericRePorts registry is set to enable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index 32183d89c4..c065c6bc08 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml 
@@ -1,16 +1,34 @@ name: Windows Impair Defense Disable Win Defender Network Protection id: 8b6c15c7-5556-463d-83c7-986326c21f12 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the EnableNetworkProtection registry + entry. This activity is significant because disabling Network Protection can leave + the system vulnerable to network-based threats by preventing Windows Defender from + analyzing and blocking malicious network activity. If confirmed malicious, this + action could allow attackers to bypass security measures, potentially leading to + unauthorized access, data exfiltration, or further compromise of the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_disable_win_defender_network_protection_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender Exploit Guard network protection set to disable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender Exploit Guard network protection set to disable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml index 09062e8ea1..0bdaa9b43a 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Win Defender Report Infection id: 201946c6-b1d5-42bb-a7e0-5f7123f47fc4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "DontReportInfectionInformation" registry key. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, potentially allowing malware to evade detection. If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\MRT\\DontReportInfectionInformation" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender's infection reporting. It leverages data from the + Endpoint.Registry datamodel, specifically monitoring changes to the "DontReportInfectionInformation" + registry key. This activity is significant because it can prevent Windows Defender + from reporting detailed threat information to Microsoft, potentially allowing malware + to evade detection. If confirmed malicious, this action could enable attackers to + bypass security measures, maintain persistence, and avoid detection, leading to + prolonged unauthorized access and potential data breaches. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\MRT\\DontReportInfectionInformation" + Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_disable_win_defender_report_infection_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
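Review bot: the rewrapped how_to_implement text in this hunk still reads "ingesting information on process that include the name of the process responsible for the changes", which is ungrammatical and does not describe this search: the `by` clause carries only Registry.* fields (registry_key_name, user, registry_path, registry_value_data, action, dest) and no process name or process_guid, so no process attribution is available. Since these lines are being touched, reword it to what the search actually needs, e.g. "ingesting registry modification events (Sysmon EventID 13) from your endpoints into the `Registry` node of the `Endpoint` data model". In the same hunk, known_false_positives should read "turn this feature off on a Windows system".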
@@ -20,42 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender DontReportInfectionInformation registry is enabled on + $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender DontReportInfectionInformation registry is enabled on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml index 8bfa01e62b..e0a0cb785c 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml 
@@ -1,16 +1,32 @@ name: Windows Impair Defense Disable Win Defender Scan On Update id: 0418e72f-e710-4867-b656-0688e1523e09 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the "DisableScanOnUpdate" registry setting with a value of "0x00000001". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\DisableScanOnUpdate" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. 
+description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender Scan On Update feature. It leverages data from + the Endpoint.Registry datamodel, specifically looking for changes to the "DisableScanOnUpdate" + registry setting with a value of "0x00000001". This activity is significant because + disabling automatic scans can leave systems vulnerable to malware and other threats. + If confirmed malicious, this action could allow attackers to bypass Windows Defender, + facilitating further compromise and persistence within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Signature Updates\\DisableScanOnUpdate" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
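Review bot: the rewrap in this hunk splits a quoted SPL literal across a line break, `Registry.registry_path= "*\\Windows` followed by `Defender\\Signature Updates\\DisableScanOnUpdate"`. YAML folds a line break inside a single-quoted scalar to a single space, so the rendered search should come out identical, but a wrap inside a quoted path is hard to review and easy to break on the next edit; keep the quoted literal on one line and confirm that the built search is byte-identical to version 3. The same split appears in the DisableSignatureRetirement search further down (`"*\\Windows` / `Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement"`).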
@@ -20,42 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender DisableScanOnUpdate feature set to enable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender DisableScanOnUpdate feature set to enable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml index 3321663810..6a4c7e20ec 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Disable Win Defender Signature Retirement id: 7567a72f-bada-489d-aef1-59743fb64a66 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the DisableSignatureRetirement registry + setting. This activity is significant because disabling signature retirement can + prevent Windows Defender from removing outdated antivirus signatures, potentially + reducing its effectiveness in detecting threats. If confirmed malicious, this action + could allow an attacker to evade detection by using older, less relevant signatures, + thereby compromising the system's security posture. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
@@ -20,42 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender DisableSignatureRetirement registry is set to enable on + $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender DisableSignatureRetirement registry is set to enable on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml index b7166f5d4a..2cd9eba357 100644 --- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml +++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml 
@@ -1,16 +1,34 @@ name: Windows Impair Defense Overide Win Defender Phishing Filter id: 10ca081c-57b1-4a78-ba56-14a40a7e116a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry + data model, focusing on changes to specific registry values related to Microsoft + Edge's phishing filter settings. This activity is significant because disabling + the phishing filter can allow attackers to deceive users into visiting malicious + websites without triggering browser warnings. If confirmed malicious, this could + lead to users unknowingly accessing harmful sites, resulting in potential security + incidents or data compromises. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = + "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", + "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. 
references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
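Review bot: the search in this hunk matches two distinct values, `Registry.registry_value_name IN ("EnabledV9", "PreventOverride")`, but Registry.registry_value_name is not in the `by` clause, so neither the results nor a risk message can say which of the two values was changed on the host; add Registry.registry_value_name to the `by` clause and reference it in the message so an analyst can tell a disabled filter from a merely overridable one without re-running the search. As in the sibling files, "turn this feature off a Windows system" in known_false_positives should be "off on a Windows system".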
@@ -20,42 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender Phishing Filter registry was modified on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender Phishing Filter registry was modified on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml index eec17fd507..db3015d502 100644 --- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml +++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml @@ -1,7 +1,7 @@ name: Windows Impair Defense Override SmartScreen Prompt id: 08058866-7987-486f-b042-275715ef6e9d -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,10 +15,10 @@ description: The following analytic detects modifications to the Windows registr users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" - Registry.registry_value_data= "0x00000000" BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" + Registry.registry_value_data= "0x00000000" BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`' how_to_implement: To successfully implement this search you need to be ingesting information 
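Review bot: this rewrap is whitespace only and the search keeps `Registry.process_guid` in its BY clause (the unchanged context line `Registry.process_guid | \`drop_dm_object_name(Registry)\` ...`), which makes it the only search in this patch that lets an alert be pivoted to the process that wrote the registry value. The sibling detections in this patch promise exactly that in their how_to_implement text but group only by Registry.registry_key_name, user, registry_path, registry_value_data, action and dest; consider adding Registry.process_guid to their `by` clauses as well, here or in a follow-up.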
@@ -37,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender SmartScreen prompt was override on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender SmartScreen prompt was override on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml index 6e9ce080dd..a92fb2fbbe 100644 --- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml +++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defense Set Win Defender Smart Screen Level To Warn id: cc2a3425-2703-47e7-818f-3dca1b0bc56f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to "warn." This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to "warn" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\System\\ShellSmartScreenLevel" Registry.registry_value_data="Warn" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +description: The following analytic detects modifications to the Windows registry + that set the Windows Defender SmartScreen level to "warn." This detection leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + ShellSmartScreenLevel registry value. This activity is significant because altering + SmartScreen settings to "warn" can reduce immediate suspicion from users, allowing + potentially malicious executables to run with just a warning prompt. If confirmed + malicious, this could enable attackers to execute harmful files, increasing the + risk of successful malware deployment and subsequent system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\System\\ShellSmartScreenLevel" + Registry.registry_value_data="Warn" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy 
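Review bot: the rewrapped `how_to_implement` and `known_false_positives` strings carry over two grammatical slips that are worth fixing while these lines are being rewritten anyway: `information on process that include the name of the process` should read `information on processes, including the name of the process`, and `turn this feature off a Windows system` should read `turn this feature off on a Windows system`. The same two sentences are reused verbatim in the AutoLogger and Defender Auto Logging files later in this diff, so the fix applies there too.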
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender SmartScreen Level to Warn on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows Defender SmartScreen Level to Warn on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml index b907454d9f..5a904d707d 100644 --- a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml +++ b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml 
@@ -1,16 +1,34 @@ name: Windows Impair Defenses Disable Auto Logger Session id: dc6a5613-d024-47e7-9997-ab6477a483d3 -version: 1 -date: '2024-12-06' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly -description: The following analytic detects the disabling of an AutoLogger session or one of its providers, by identifying changes to the Registry values "Start" and "Enabled" part of the "\WMI\Autologger\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defense and blind EDRs and log ingest tooling. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint. +description: The following analytic detects the disabling of an AutoLogger session + or one of its providers, by identifying changes to the Registry values "Start" and + "Enabled" part of the "\WMI\Autologger\" key path. It leverages data from the Endpoint.Registry + datamodel to monitor specific registry paths and values. This activity is significant + as attackers and adversaries can leverage this in order to evade defense and blind + EDRs and log ingest tooling. If confirmed malicious, this action could allow an + attacker to conceal their activities, making it harder to detect further malicious + actions and maintain persistence on the compromised endpoint. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\WMI\\Autologger\\*" (Registry.registry_value_name="Start" OR Registry.registry_value_name="Enabled") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_auto_logger_session_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\WMI\\Autologger\\*" + (Registry.registry_value_name="Start" OR Registry.registry_value_name="Enabled") + Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.action Registry.dest + Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_auto_logger_session_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ 
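Review bot: `known_false_positives` is copied from the SmartScreen analytic and does not fit this search. The path filter `*\\WMI\\Autologger\\*` with `Start` or `Enabled` equal to `0x00000000` matches any AutoLogger session or provider, including ones that third-party software and administrators toggle legitimately, so "it is a default security control" and "no false positives have been identified" overstate the case. Suggest wording specific to AutoLogger sessions that points users at the `windows_impair_defenses_disable_auto_logger_session_filter` macro the search already pipes through.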
@@ -23,43 +41,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Auto Logger Session or Provider registry value set to 'disabled' on $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - confidence: 90 - impact: 90 - message: Windows Auto Logger Session or Provider registry value set to 'disabled' on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml index 356c13ac86..0499d7e3de 100644 --- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml +++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml 
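Review bot: `- update_timestamp: true` is dropped from the test block without being mentioned; that flag controls whether the dataset's timestamps are rewritten on replay, so confirm the removal is intentional (the same removal appears in the Defender Auto Logging test further down). Also the new `rba.message` loses the trailing period that the removed `tags.message` had (`... on $dest$` vs `... on $dest$.`), while the other files in this diff keep it; pick one style.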
@@ -1,15 +1,34 @@ name: Windows Impair Defenses Disable AV AutoStart via Registry id: 31a13f43-812e-4752-a6ca-c6c87bf03e83 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: TTP status: production -description: The following analytic detects modifications to the registry related to the disabling of autostart functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining system integrity and preventing further compromise by malicious actors. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*") AND ((Registry.registry_value_name IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000") OR (Registry.registry_value_name = "WindhunterLevel" AND Registry.registry_value_data = "0x00000004")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_av_autostart_via_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your 
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +description: The following analytic detects modifications to the registry related + to the disabling of autostart functionality for certain antivirus products, such + as Kingsoft and Tencent. Malware like ValleyRAT may alter specific registry keys + to prevent these security tools from launching automatically at startup, thereby + weakening system defenses. By monitoring changes in the registry entries associated + with antivirus autostart settings, this detection enables security analysts to identify + attempts to disable protective software. Detecting these modifications early is + critical for maintaining system integrity and preventing further compromise by malicious + actors. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", + "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*") AND ((Registry.registry_value_name + IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000") + OR (Registry.registry_value_name = "WindhunterLevel" AND Registry.registry_value_data + = "0x00000004")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.registry_hive + Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_av_autostart_via_registry_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. 
https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
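Review bot: the `search` string pipes through `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the `tstats` only computes `count`; `firstTime` and `lastTime` are never produced, so those macros operate on missing fields and the resulting alert carries no time bounds. Add `min(_time) as firstTime max(_time) as lastTime` after `count`, as every other search in this diff does. Separately, `version` jumps from 3 to 5 while the other files increment by one; confirm the skipped 4 is deliberate.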
@@ -20,43 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: disable anti-virus autostart via registry on [$dest$]. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - ValleyRAT asset_type: Endpoint - confidence: 100 - impact: 90 - message: disable anti-virus autostart via registry on [$dest$]. 
mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml index 19225b7bb7..ed0059edbf 100644 --- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml +++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml 
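Review bot: `rba.risk_objects` now assigns score 90 to both `user` and `dest`, but `rba.message` only names `[$dest$]`; include `$user$` in the message so the user-side risk event is self-explaining, and capitalise and punctuate it to match the other messages in this diff (for example `HVCI has been disabled on $dest$.`).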
@@ -1,16 +1,32 @@ name: Windows Impair Defenses Disable HVCI id: b061dfcc-f0aa-42cc-a6d4-a87f172acb79 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" Registry.registry_value_data="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives will be limited to administrative scripts disabling HVCI. Filter as needed. 
+description: The following analytic detects the disabling of Hypervisor-protected + Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages + data from the Endpoint datamodel, specifically focusing on registry paths and values + related to HVCI settings. This activity is significant because HVCI helps protect + the kernel and system processes from tampering by malicious code. If confirmed malicious, + disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially + leading to kernel-level rootkits or other severe security breaches. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" + Registry.registry_value_data="0x00000000" by Registry.registry_path Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.action Registry.user + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives will be limited to administrative scripts disabling + HVCI. Filter as needed. references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ drilldown_searches: 
@@ -19,9 +35,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: HVCI has been disabled on $dest$. + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: - BlackLotus Campaign 
@@ -30,34 +58,18 @@ tags: asset_type: Endpoint atomic_guid: - 70bd71e6-eba4-4e00-92f7-617911dbe020 - confidence: 100 - impact: 70 - message: HVCI has been disabled on $dest$. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.registry_path - - Registry.registry_value_data - - Registry.registry_value_name - - Registry.process_guid - - Registry.action - - Registry.user - - Registry.dest - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index a13b77afc6..26e0268183 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml 
@@ -1,16 +1,33 @@ name: Windows Impair Defenses Disable Win Defender Auto Logging id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c -version: 4 -date: '2024-12-09' +version: 5 +date: '2024-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint. +description: The following analytic detects the disabling of Windows Defender logging + by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger + set to disable. It leverages data from the Endpoint.Registry datamodel to monitor + specific registry paths and values. This activity is significant as it is commonly + associated with Remote Access Trojan (RAT) malware attempting to evade detection. + If confirmed malicious, this action could allow an attacker to conceal their activities, + making it harder to detect further malicious actions and maintain persistence on + the compromised endpoint. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" + OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start") Registry.registry_value_data + ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since + it is a default security control, although it is not rare for some policies to disable + it. Although no false positives have been identified, use the provided filter macro + to tune the search. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ 
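Review bot: this search (`*WMI\\Autologger\\DefenderApiLogger\\Start` or `*WMI\\Autologger\\DefenderAuditLogger\\Start` set to `0x00000000`) is a strict subset of the generic `windows_impair_defenses_disable_auto_logger_session` search also touched in this diff (`*\\WMI\\Autologger\\*` with `Start` or `Enabled` equal to `0x00000000`). One Sysmon EventID 13 write to either Defender logger path will now raise both analytics, with scores 24 and 81 against the same `dest`. Either document the overlap in the description and how_to_implement, or exclude the two Defender paths from the generic search, so the same registry write is not double-scored.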
@@ -22,44 +39,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Defender Logger registry key set to 'disabled' on $dest$. + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics - CISA AA23-347A - Windows Registry Abuse asset_type: Endpoint - confidence: 80 - impact: 30 - message: Windows Defender Logger registry key set to 'disabled' on $dest$. 
mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.action - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index c022e3893a..34cb8e88a8 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -1,7 +1,7 @@ name: Windows Indicator Removal Via Rmdir id: c4566d2c-b094-48a1-9c59-d66e22065560 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,9 +9,30 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +description: The following analytic detects the execution of the 'rmdir' command with + '/s' and '/q' options to delete files and directory trees. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process metadata. This activity is significant as it may indicate + malware attempting to remove traces or components during cleanup operations. If + confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, + hinder incident response efforts, and maintain persistence by removing indicators + of compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" + Processes.process = "* /s *" Processes.process = "* /q *" by Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.process_guid + Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: user and network administrator can execute this command. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate 
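Review bot: the reflowed search keeps `Processes.process = "* /q *"` and `Processes.process = "* /s *"` with a trailing space inside the quotes, so a command line whose last token is the switch (for example `rmdir C:\logs /s /q`) never matches, and the ordering of `/s` and `/q` decides whether the analytic fires. Since this hunk already rewrites the search string, consider `"* /s*"` and `"* /q*"` (or `"*/s*"` and `"*/q*"` under the existing `"*rmdir*"` guard) so switch order and position on the line do not matter.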
@@ -21,47 +42,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process execute rmdir command to delete files and directory tree on $dest$. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 50 - impact: 50 - message: a process execute rmdir command to delete files and directory tree in $dest$. 
mitre_attack_id: - T1070 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml index 538eef61ae..76be5b45ff 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml 
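Review bot: the new `rba.message` line `a process execute rmdir command to delete files and directory tree on $dest$.` carries the grammar of the removed `message` over unchanged, and it is now the text analysts see on the risk event. Suggest `A process executed rmdir to delete a directory tree on $dest$.` and, since the search already carries `process` through `drop_dm_object_name`, include `$process$` so the command line is visible without drilling down.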
@@ -1,18 +1,40 @@ name: Windows Indirect Command Execution Via forfiles id: 1fdf31c9-ff4d-4c48-b799-0e8666e08787 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Eric McGinnis, Splunk status: production type: TTP -description: The following analytic detects the execution of programs initiated by forfiles.exe. This command is typically used to run commands on multiple files, often within batch scripts. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where forfiles.exe is the parent process. This activity is significant because forfiles.exe can be exploited to bypass command line execution protections, making it a potential vector for malicious activity. If confirmed malicious, this could allow attackers to execute arbitrary commands, potentially leading to unauthorized access or further system compromise. +description: The following analytic detects the execution of programs initiated by + forfiles.exe. This command is typically used to run commands on multiple files, + often within batch scripts. The detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where forfiles.exe + is the parent process. This activity is significant because forfiles.exe can be + exploited to bypass command line execution protections, making it a potential vector + for malicious activity. If confirmed malicious, this could allow attackers to execute + arbitrary commands, potentially leading to unauthorized access or further system + compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*forfiles* /c *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*forfiles* + /c *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legacy applications may be run using pcalua.exe. Similarly, + forfiles.exe may be used in legitimate batch scripts. Filter these results as needed. references: - https://twitter.com/KyleHanslovan/status/912659279806640128 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles 
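Review bot: `known_false_positives` for this forfiles analytic opens with `Some legacy applications may be run using pcalua.exe.`, which describes the pcalua analytic and not forfiles; the reflow kept it verbatim. Drop that sentence and keep only `forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.`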
@@ -22,46 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The forfiles command (forfiles.exe) launched the process name - $process_name$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Living Off The Land - Windows Post-Exploitation asset_type: Endpoint - confidence: 50 - impact: 50 - message: The forfiles command (forfiles.exe) launched the process name - $process_name$ mitre_attack_id: - T1202 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.process_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml index 43647e5f6c..ebea99f347 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml 
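Review bot: `rba.message` interpolates `$process_name$`, yet `threat_objects: []` leaves the launched process out of risk attribution, so the resulting risk event is keyed on `dest` only. If the schema supports a process threat object, add an entry such as `- field: process_name` with `type: process_name` under `threat_objects` so the child binary that forfiles spawned is searchable from the risk index. Removing `required_fields` also removes the duplicated `Processes.dest` and `Processes.user` entries that were in the old list, which is fine.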
@@ -1,18 +1,39 @@ name: Windows Indirect Command Execution Via pcalua id: 3428ac18-a410-4823-816c-ce697d26f7a8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Eric McGinnis, Splunk status: production type: TTP -description: The following analytic detects programs initiated by pcalua.exe, the Microsoft Windows Program Compatibility Assistant. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process information. While pcalua.exe can start legitimate programs, it is significant because attackers may use it to bypass command line execution protections. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, potentially leading to unauthorized actions, privilege escalation, or persistence within the environment. +description: The following analytic detects programs initiated by pcalua.exe, the + Microsoft Windows Program Compatibility Assistant. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process and parent + process information. While pcalua.exe can start legitimate programs, it is significant + because attackers may use it to bypass command line execution protections. If confirmed + malicious, this activity could allow attackers to execute arbitrary commands, potentially + leading to unauthorized actions, privilege escalation, or persistence within the + environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*pcalua* -a*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legacy applications may be run using pcalua.exe. Filter these results as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*pcalua* + -a*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legacy applications may be run using pcalua.exe. Filter + these results as needed. references: - https://twitter.com/KyleHanslovan/status/912659279806640128 - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ 
@@ -22,45 +43,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Program Compatability Assistant (pcalua.exe) launched the process $process_name$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 50 - message: The Program Compatability Assistant (pcalua.exe) launched the process $process_name$ mitre_attack_id: - T1202 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_id - - Processes.process_path - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml index 091ecbc8ee..8a30dc7da3 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml 
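Review bot: typo in the new `rba.message`: `Program Compatability Assistant` should be `Program Compatibility Assistant` (the description in the hunk above spells it correctly). The old `message` line with the same misspelling is removed in this hunk, so this is the place to fix it rather than carry it into the risk notable text.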
@@ -1,17 +1,38 @@ name: Windows Indirect Command Execution Via Series Of Forfiles id: bfdaabe7-3db8-48c5-80c1-220f9b8f22be -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects excessive usage of the forfiles.exe process, which is often indicative of post-exploitation activities. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and parent process. This activity is significant because forfiles.exe can be abused to execute commands on multiple files, a technique used by ransomware like Prestige. If confirmed malicious, this behavior could allow attackers to enumerate files, potentially leading to data exfiltration or further malicious actions. +description: The following analytic detects excessive usage of the forfiles.exe process, + which is often indicative of post-exploitation activities. The detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include process GUID, process name, and parent process. This activity + is significant because forfiles.exe can be abused to execute commands on multiple + files, a technique used by ransomware like Prestige. If confirmed malicious, this + behavior could allow attackers to enumerate files, potentially leading to data exfiltration + or further malicious actions. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "forfiles.exe" OR Processes.original_file_name = "forfiles.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_guid) as process_guid values(Processes.process_name) as + process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = "forfiles.exe" OR Processes.original_file_name = + "forfiles.exe" by Processes.parent_process_name Processes.parent_process Processes.dest + Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles 
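Review bot: `known_false_positives: unknown` is kept for an analytic that fires on twenty or more forfiles.exe launches within one minute (`where count >=20`), while the sibling forfiles analytic in this same patch states that forfiles.exe is used in legitimate batch scripts; an administrative script iterating over a large directory will trip this threshold. Suggest documenting that case and noting that the `20` per `span=1m` threshold is the value to tune.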
@@ -23,47 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: excessive forfiles process execution on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: excessive forfiles process execution in $dest$ mitre_attack_id: - T1202 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index 62a9cb9657..f33a29088c 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml 
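Review bot: the new `rba.message` `excessive forfiles process execution on $dest$` drops the evidence the search already computes. The tstats emits `count` and the `values(Processes.process) as process` list, so a message such as `$count$ forfiles.exe executions within one minute on $dest$` makes the risk event self-explanatory and lets an analyst judge the `score: 9` contribution without opening the drilldown.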
@@ -1,17 +1,38 @@ name: Windows Information Discovery Fsutil id: 2181f261-93e6-4166-a5a9-47deac58feff -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of the Windows built-in tool FSUTIL with the FSINFO parameter to discover file system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. Monitoring this activity is significant because FSUTIL can be abused by adversaries to gather detailed information about the file system, aiding in further exploitation. If confirmed malicious, this activity could enable attackers to map the file system, identify valuable data, and plan subsequent actions such as privilege escalation or persistence. +description: The following analytic identifies the execution of the Windows built-in + tool FSUTIL with the FSINFO parameter to discover file system information. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that include command-line details. Monitoring this activity + is significant because FSUTIL can be abused by adversaries to gather detailed information + about the file system, aiding in further exploitation. If confirmed malicious, this + activity could enable attackers to map the file system, identify valuable data, + and plan subsequent actions such as privilege escalation or persistence. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="fsutil.exe" OR Processes.original_file_name = "fsutil.exe" AND Processes.process = "*fsinfo*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="fsutil.exe" + OR Processes.original_file_name = "fsutil.exe" AND Processes.process = "*fsinfo*" + by Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil 
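Review bot: the rewrapped `search` in this fsutil hunk still has an operator-precedence problem that should be fixed while the line is being touched. In `where Processes.process_name="fsutil.exe" OR Processes.original_file_name = "fsutil.exe" AND Processes.process = "*fsinfo*"` the AND binds tighter than the OR, so the `*fsinfo*` command-line test only applies to the `original_file_name` branch and any process named fsutil.exe matches regardless of its arguments, which contradicts the description ("with the FSINFO parameter"). Parenthesize the two name tests: `where (Processes.process_name="fsutil.exe" OR Processes.original_file_name="fsutil.exe") AND Processes.process="*fsinfo*"`, the same shape the explorer.exe detection later in this patch already uses.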
@@ -23,49 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ with commandline $process$ is executed on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: process $process_name$ with commandline $process$ is executed in $dest$ mitre_attack_id: - T1082 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml index d9a303b109..75fd3bf93a 100644 --- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml +++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml 
@@ -1,18 +1,41 @@ name: Windows Ingress Tool Transfer Using Explorer id: 76753bab-f116-4ea3-8fb9-89b638be58a9 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies instances where the Windows Explorer process (explorer.exe) is executed with a URL in its command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because adversaries, such as those using DCRat malware, may abuse explorer.exe to open URLs with the default browser, which is an uncommon and suspicious behavior. If confirmed malicious, this technique could allow attackers to download and execute malicious payloads, leading to potential system compromise and further malicious activities. +description: The following analytic identifies instances where the Windows Explorer + process (explorer.exe) is executed with a URL in its command line. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution logs. This activity is significant because adversaries, such as those + using DCRat malware, may abuse explorer.exe to open URLs with the default browser, + which is an uncommon and suspicious behavior. If confirmed malicious, this technique + could allow attackers to download and execute malicious payloads, leading to potential + system compromise and further malicious activities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN("userinit.exe", "svchost.exe")) Processes.process IN ("* http://*", "* https://*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe + OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name + IN("userinit.exe", "svchost.exe")) Processes.process IN ("* http://*", "* https://*") + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on legitimate applications + or third party utilities. Filter out any additional parent process names. references: - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: 
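Review bot: `version` jumps from 5 to 7 in this explorer.exe hunk while every other detection in the patch is bumped by exactly one (fsutil 3 to 4, InProcServer32 3 to 4, credui 3 to 4, InstallUtil credential theft 6 to 7); the InstallUtil non-standard-path file further down shows the same double step (4 to 6). Either confirm the skipped versions are intentional or set these to 6 and 5 respectively so the version history stays linear with the other files.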
@@ -21,58 +44,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a remote payload. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - DarkCrystal RAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload. 
mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml index 35623e1240..1522f40488 100644 --- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml +++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml 
@@ -1,16 +1,31 @@ name: Windows InProcServer32 New Outlook Form id: fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 13 type: Anomaly status: production -description: The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives. 
+description: The following analytic detects the creation or modification of registry + keys associated with new Outlook form installations, potentially indicating exploitation + of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing + on registry paths involving InProcServer32 keys linked to Outlook forms. This activity + is significant as it may signify an attempt to achieve authenticated remote code + execution via malicious form objects. If confirmed malicious, this could allow an + attacker to create arbitrary files and registry keys, leading to remote code execution + and potential full system compromise. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* + by Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | + `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_inprocserver32_new_outlook_form_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: False positives are possible if the organization adds new forms + to Outlook via an automated method. Filter by name or path to reduce false positives. references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ drilldown_searches: 
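Review bot: the `search` carried over in this InProcServer32 hunk aggregates only `count` in the tstats clause (`| tstats ... count FROM datamodel=Endpoint.Registry ...`) but then pipes into the `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` macros, so those run on fields that are never produced; add `min(_time) as firstTime max(_time) as lastTime` beside `count`, as every other tstats search in this patch does. Two smaller points on the same lines: there is no space between the pipe and the `security_content_ctime(firstTime)` macro after `drop_dm_object_name(Registry)`, and `how_to_implement` reads "ingesting information on process that include the name of the process responsible for the changes", which should be "on processes that includes the name of the process responsible for the change".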
@@ -19,43 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry key associated with a new Outlook form installation was created + or modified. This could indicate exploitation of CVE-2024-21378 on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Outlook RCE CVE-2024-21378 cve: - CVE-2024-21378 asset_type: Endpoint - confidence: 70 - impact: 70 - message: A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$. 
mitre_attack_id: - T1566 - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_value_data - - Registry.dest - - Registry.process_guid - - Registry.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index af811a8eaa..2f551ec808 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml 
@@ -1,16 +1,30 @@ name: Windows Input Capture Using Credential UI Dll id: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network. +description: The following analytic detects a process loading the credui.dll or wincredui.dll + module. This detection leverages Sysmon EventCode 7 to identify instances where + these DLLs are loaded by processes outside typical system directories. This activity + is significant because adversaries often abuse these modules to create fake credential + prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, + this activity could allow attackers to harvest user credentials, leading to unauthorized + access and potential lateral movement within the network. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`' -how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -known_false_positives: this module can be loaded by a third party application. Filter is needed. +search: '`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName + = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") + AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", + "*:\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime + by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`' +how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 + will add the ImageLoaded name to the process_name field, allowing this query to + work. Use as an example and implement for other products. +known_false_positives: this module can be loaded by a third party application. Filter + is needed. 
references: - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password @@ -18,36 +32,18 @@ tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 30 - impact: 30 - message: a process $Image$ loaded $ImageLoaded$ in $dest$ mitre_attack_id: - T1056.002 - T1056 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index 5dcabf46d1..715a74abb6 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml 
@@ -1,16 +1,29 @@ name: Windows InstallUtil Credential Theft id: ccfeddec-43ec-11ec-b494-acde48001122 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Mauricio Velazo, Splunk status: production type: TTP -description: The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system. +description: The following analytic detects instances where the Windows InstallUtil.exe + binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode + 7 to identify these specific DLL loads. This activity is significant because it + can indicate an attempt to execute code that bypasses application control and captures + credentials using tools like Mimikatz. If confirmed malicious, this behavior could + allow an attacker to steal credentials, potentially leading to unauthorized access + and further compromise of the system. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed. +search: '`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", + "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) as lastTime + by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, + process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_installutil_credential_theft_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and module loads from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Typically, this will not trigger because, by its very nature, + InstallUtil does not require credentials. Filter as needed. references: - https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0 drilldown_searches: 
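Review bot: the `description` in this InstallUtil credential-theft hunk says the binary "loads `vaultcli.dll` and `Samlib.dll`", but the search matches either one (`loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll")`) and the stats clause does not require both to be seen for the same process. Since this hunk is already rewrapping the description, change "and" to "or" so the text matches what the query actually alerts on, and use the lowercase `samlib.dll` spelling that the search uses.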
@@ -19,50 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of process name [$process_name$] loading a file [$loaded_file$] + was identified on endpoint- [$dest$] to potentially capture credentials in memory. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Signed Binary Proxy Execution InstallUtil asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory. 
mitre_attack_id: - T1218.004 - T1218 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml index b2a5405852..34a84e25f7 100644 --- a/detections/endpoint/windows_installutil_in_non_standard_path.yml +++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml 
@@ -1,18 +1,41 @@ name: Windows InstallUtil in Non Standard Path id: dcf74b22-7933-11ec-857c-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment. +description: The following analytic detects the execution of InstallUtil.exe from + non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing + on process names and original file names outside typical directories. This activity + is significant because InstallUtil.exe is often used by attackers to execute malicious + code or scripts. If confirmed malicious, this behavior could allow an attacker to + bypass security controls, execute arbitrary code, and potentially gain unauthorized + access or persist within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path + IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", + "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.original_file_name Processes.process_id + Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering may be required. + Certain utilities will run from non-standard paths based on the third-party application + in use. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml - https://attack.mitre.org/techniques/T1036/003/ 
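Review bot: the reflow of `description`, `how_to_implement`, `known_false_positives` and `search` in this hunk is behaviour-neutral only because of how YAML folds them, and that is worth stating in the commit: the first three are plain scalars and `search` is single-quoted, so each inserted line break becomes a single space and the SPL, including the `"*\\Windows\\SysWOW64*"` style path globs, is unchanged. The one thing that would silently change the parse is a continuation line that begins with `#` or contains `: `, which none of these do, but the folded `search` should still be checked to round-trip byte-identical (`contentctl validate` on the branch) before the same reflow is applied to the rest of the InstallUtil family below.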
@@ -24,9 +47,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ from a non-standard + path was identified on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Masquerading - Rename System Utilities 
@@ -37,53 +80,20 @@ tags: - Data Destruction - WhisperGate asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$. mitre_attack_id: - T1036 - T1036.003 - T1218 - T1218.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index 464d2ebc9f..63710acabf 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml 
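Review bot: in the hunk that strips the legacy fields from windows_installutil_in_non_standard_path.yml, the removed `required_fields` list was the only place that recorded `Processes.process_path` and `Processes.parent_process_path` as inputs, and the `search` still depends on `process_path` for its whole exclusion list (`NOT (Processes.process_path IN (...))`); `how_to_implement` only asks for process GUID, process name, parent process and command line, so add a sentence there that the EDR TA must populate `process_path`, otherwise the analytic degrades to "every InstallUtil execution" on sources that leave it empty. Minor style point on the same hunk: `- data:` followed by the URL on its own continuation line is valid YAML, but it means a `grep 'data: https'` across the repo no longer finds this dataset; keeping `data: https://...` on one line is easier to audit.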
@@ -1,7 +1,7 @@ name: Windows InstallUtil Remote Network Connection id: 4fbf9270-43da-11ec-9486-acde48001122 -version: '7' -date: '2024-11-28' +version: 9 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
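Review bot: `version` changes type here from the quoted string `'7'` to the integer `9`, and the same normalisation happens for `'6'`→`8`, `'5'`→`7` and `'5'`→`6` in the hunks below; unifying on an unquoted integer matches the files that already use one and is the right call, but say so in the commit message because a schema-typed field changing type is easy to misread as a typo. The increment policy is also inconsistent within this one change: 7→9, 6→8, 5→7 and 4→6 above skip a number, while the Kerberos and ISO LNK files only bump by one for the same RBA migration. If two squashed bumps are being carried, a single increment per file keeps the version history honest.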
@@ -53,61 +53,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ generating a remote download. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host - Signed Binary Proxy Execution InstallUtil asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ generating a remote download. mitre_attack_id: - T1218.004 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Ports.process_guid - - Ports.dest - - Ports.dest_port - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml index acb168c9ba..7a969b6004 100644 --- a/detections/endpoint/windows_installutil_uninstall_option.yml +++ b/detections/endpoint/windows_installutil_uninstall_option.yml @@ -1,7 +1,7 @@ name: Windows InstallUtil Uninstall Option id: cfa7b9ac-43f0-11ec-9b48-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,58 +54,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ performing an uninstall. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host - Signed Binary Proxy Execution InstallUtil asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ performing an uninstall. mitre_attack_id: - T1218.004 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index d6b6fe6f73..20601ae9a5 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -1,7 +1,7 @@ name: Windows InstallUtil Uninstall Option with Network id: 1a52c836-43ef-11ec-a36c-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -55,61 +55,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ performing an uninstall. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host - Signed Binary Proxy Execution InstallUtil asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ performing an uninstall. mitre_attack_id: - T1218.004 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Ports.process_guid - - Ports.dest - - Ports.dest_port - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml index 179caebedb..980615a788 100644 --- a/detections/endpoint/windows_installutil_url_in_command_line.yml +++ b/detections/endpoint/windows_installutil_url_in_command_line.yml @@ -1,7 +1,7 @@ name: Windows InstallUtil URL in Command Line id: 28e06670-43df-11ec-a569-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -52,58 +52,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ passing a URL on the command-line. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host - Signed Binary Proxy Execution InstallUtil asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ passing a URL on the command-line. mitre_attack_id: - T1218.004 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index 90eabdb216..fcbbbebeea 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml 
@@ -1,16 +1,33 @@ name: Windows ISO LNK File Creation id: d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of .iso.lnk files in the %USER%\AppData\Local\Temp\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise. +description: The following analytic detects the creation of .iso.lnk files in the + %USER%\AppData\Local\Temp\\ path, indicating that an ISO file + has been mounted and accessed. This detection leverages the Endpoint.Filesystem + data model, specifically monitoring file creation events in the Windows Recent folder. + This activity is significant as it may indicate the delivery and execution of potentially + malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized + code execution, data exfiltration, or further system compromise. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Microsoft\\Windows\\Recent\\*") Filesystem.file_name IN ("*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*vhdx.lnk") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Microsoft\\Windows\\Recent\\*") + Filesystem.file_name IN ("*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*vhdx.lnk") by + Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be high depending on the environment and + consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly + used ISO names. Filter as needed. references: - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1 @@ -29,34 +46,20 @@ tags: - Amadey - Gozi Malware asset_type: Endpoint - confidence: 50 - impact: 80 - message: An ISO file was mounted on $dest$ and should be reviewed and filtered as needed. mitre_attack_id: - T1566.001 - T1566 - T1204.001 - T1204 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.dest - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index bcee4e1dab..19a3260fbf 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml 
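Review bot: the reflowed `description` still says the `.iso.lnk` files are created in `%USER%\AppData\Local\Temp\\`, but the `search` matches `Filesystem.file_path IN ("*\\Microsoft\\Windows\\Recent\\*")`, i.e. the Recent folder that the very next sentence of the description names; since the text was touched anyway, drop the Temp path so the description and search agree. Two smaller points in the same lines: `"*vhdx.lnk"` lacks the leading dot the other three patterns have (`"*.vhdx.lnk"`), and the test dataset path is `attack_techniques/T1556.001/` while the analytic is tagged T1566.001, so confirm the URL resolves rather than "fixing" the tag. In the second hunk the `message` and `risk_score` are removed without an `rba:` block being added; that is correct for `type: Hunting`, which raises no risk events, but it differs from every other file in this change, so a one-line note in the PR description that Hunting analytics intentionally get no `rba` block will save the next reviewer the same question.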
@@ -1,18 +1,38 @@ name: Windows Java Spawning Shells id: 28c81306-5c47-11ec-bfea-acde48001122 -version: 6 -date: '2024-12-11' +version: 8 +date: '2024-12-16' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, attackers could execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic identifies instances where java.exe or w3wp.exe + spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + parent process relationships. This activity is significant as it may indicate exploitation + attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, + attackers could execute arbitrary commands, potentially leading to system compromise, + data exfiltration, or further lateral movement within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe + OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Filtering may be required on internal developer build systems + or classify assets as web facing and restrict the analytic based on that. references: - https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ - https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72 
@@ -20,50 +40,32 @@ references: - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py - https://blog.viettelcybersecurity.com/saml-show-stopper/ - https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Log4Shell CVE-2021-44228 - SysAid On-Prem Software CVE-2023-47246 Vulnerability - Cleo File Transfer Software asset_type: Endpoint - confidence: 50 cve: - CVE-2021-44228 - CVE-2022-47966 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml index 79f9722335..f86999cc9b 100644 --- a/detections/endpoint/windows_kerberos_local_successful_logon.yml 
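Review bot: in the windows_java_spawning_shells.yml hunk, the new `rba.message` reads `... spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell ...`, a doubled "spawning" that was already in the old `message` and is now a cheap fix: `An instance of $parent_process_name$ spawning Windows shell $process_name$ was identified on endpoint $dest$, potentially indicative of exploitation.` says it once. The score of 40 reproduces the removed `confidence: 50` × `impact: 80` / 100, and `dest` as the sole risk object matches the single `observable` that was dropped, so scoring is unchanged; note that `Processes.user` is in the `by` clause, so a `user` risk object could be added the way the InstallUtil analytics do if parity is wanted.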
+++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml @@ -1,7 +1,7 @@ name: Windows Kerberos Local Successful Logon id: 8309c3a8-4d34-48ae-ad66-631658214653 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -40,41 +40,31 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A successful localhost Kerberos authentication event occurred on $dest$, + possibly indicative of Kerberos relay attack. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Local Privilege Escalation With KrbRelayUp - Active Directory Kerberos Attacks - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A successful localhost Kerberos authentication event occurred on $dest$, - possibly indicative of Kerberos relay attack. mitre_attack_id: - T1558 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - subject - - action - - Security_ID - - user - - TargetUserName - - src_ip - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml index d1996b5d71..8c1f4b886f 100644 --- a/detections/endpoint/windows_known_abused_dll_created.yml 
+++ b/detections/endpoint/windows_known_abused_dll_created.yml 
@@ -1,16 +1,50 @@ name: Windows Known Abused DLL Created id: ea91651a-772a-4b02-ac3d-985b364a5f07 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security. +description: The following analytic identifies the creation of Dynamic Link Libraries + (DLLs) with a known history of exploitation in atypical locations. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + filesystem events. This activity is significant as it may indicate DLL search order + hijacking or sideloading, techniques used by attackers to execute arbitrary code, + maintain persistence, or escalate privileges. If confirmed malicious, this activity + could allow attackers to blend in with legitimate operations, posing a severe threat + to system integrity and security. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown" + Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest + Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process + Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid + dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") + Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time + Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` + | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as + desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT + islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) + as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`' +how_to_implement: The 
detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` + nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) + to normalize the field names and speed up the data modeling process. +known_false_positives: This analytic may flag instances where DLLs are loaded by user + mode programs for entirely legitimate and benign purposes. It is important for users + to be aware that false positives are not only possible but likely, and that careful + tuning of this analytic is necessary to distinguish between malicious activity and + normal, everyday operations of applications. This may involve adjusting thresholds, + whitelisting known good software, or incorporating additional context from other + security tools and logs to reduce the rate of false positives. references: - https://attack.mitre.org/techniques/T1574/002/ - https://hijacklibs.net/api/ 
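Review bot: `"*\\Windows\Temp\\*"` in the `Filesystem.file_path IN (...)` list uses a single backslash before `Temp` while the neighbouring patterns (`"*\\users\\*"`, `"*\\programdata\\*"`) use `\\`; since the search scalar is being rewrapped anyway, either align it to `"*\\Windows\\Temp\\*"` or confirm the single backslash is intentional. The remainder of the hunk is whitespace-only folding of single-quoted YAML scalars, which is safe here because every line break falls on a space, so the joined search is unchanged apart from whitespace.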
@@ -22,61 +56,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The file [$file_name$] was written to an unusual location by [$process_name$] + on [$dest$]. + risk_objects: + - field: dest + type: system + score: 10 + - field: user + type: user + score: 10 + threat_objects: + - field: process_name + type: process_name + - field: file_name + type: file_name tags: analytic_story: - Windows Defense Evasion Tactics - Living Off The Land asset_type: Endpoint - confidence: 25 - impact: 40 - message: The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$]. 
mitre_attack_id: - T1574.001 - T1574.002 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - - name: file_name - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.process_guid - - Processes.process_name - - Processes.process - - Processes.parent_process - - Processes.parent_process_name - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.process_guid - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml index 17d76102de..1509baa004 100644 --- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml +++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml 
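Review bot: the new `rba.threat_objects` entry for `process_name` tags the process that wrote the DLL, which for a search limited to `*\users\*`, `*\Windows\Temp\*` and `*\programdata\*` is often an installer or updater that `known_false_positives` already describes as likely benign; consider whether `file_name` alone should carry the threat object, or keep both but make sure the `windows_known_abused_dll_created_filter` macro is tuned before the process threat object feeds aggregation. The scores of 10 on `dest` and `user` match the removed `risk_score: 10` (confidence 25 × impact 40), so the risk contribution is unchanged.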
@@ -1,15 +1,33 @@ name: Windows Known Abused DLL Loaded Suspiciously id: dd6d1f16-adc0-4e87-9c34-06189516b803 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. This detection relies on Sysmon EID7 and is compatible with all Officla Sysmon TA versions. +description: The following analytic detects when DLLs with known abuse history are + loaded from an unusual location. This activity may represent an attacker performing + a DLL search order or sideload hijacking technique. These techniques are used to + gain persistence as well as elevate privileges on the target system. This detection + relies on Sysmon EID7 and is compatible with all Officla Sysmon TA versions. data_source: - Sysmon EventID 7 -search: '`sysmon` ImageLoaded EventCode=7 NOT ImageLoaded IN ("*\\Program Files*","*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*") | stats latest(ProcessGuid) as process_guid, count, min(_time) as firstTime, max(_time) as lastTime by User, Computer, Image, ImageLoaded | rename User as user, Computer as dest, Image as process, ImageLoaded as loaded_file | eval process_name = case(isnotnull(process),replace(process,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")), loaded_file_path = case(isnotnull(loaded_file), replace(loaded_file, "(:[\w\. 
]+)", "")), loaded_file = case(isnotnull(loaded_file),replace(loaded_file,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")), user = case(NOT user IN ("-"), replace(user, "(.*)\\\(.+)$","\2")) | lookup hijacklibs_loaded library AS loaded_file OUTPUT islibrary comment as desc | lookup hijacklibs_loaded library AS loaded_file excludes as loaded_file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded = false | stats values(*) as * by dest, process_name, process, process_guid, loaded_file, loaded_file_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_loaded_suspiciously_filter`' -how_to_implement: The following analytic requires Sysmon operational logs to be imported, with EID7 being mapped to the process_name field. Modify the sysmon macro as needed to match the sourcetype or add index. +search: '`sysmon` ImageLoaded EventCode=7 NOT ImageLoaded IN ("*\\Program Files*","*\\system32\\*", + "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*") | stats latest(ProcessGuid) as process_guid, + count, min(_time) as firstTime, max(_time) as lastTime by User, Computer, Image, + ImageLoaded | rename User as user, Computer as dest, Image as process, ImageLoaded + as loaded_file | eval process_name = case(isnotnull(process),replace(process,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")), + loaded_file_path = case(isnotnull(loaded_file), replace(loaded_file, "(:[\w\. 
]+)", + "")), loaded_file = case(isnotnull(loaded_file),replace(loaded_file,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")), + user = case(NOT user IN ("-"), replace(user, "(.*)\\\(.+)$","\2")) | lookup hijacklibs_loaded + library AS loaded_file OUTPUT islibrary comment as desc | lookup hijacklibs_loaded + library AS loaded_file excludes as loaded_file_path OUTPUT islibrary as excluded + | search islibrary = TRUE AND excluded = false | stats values(*) as * by dest, process_name, + process, process_guid, loaded_file, loaded_file_path | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_known_abused_dll_loaded_suspiciously_filter`' +how_to_implement: The following analytic requires Sysmon operational logs to be imported, + with EID7 being mapped to the process_name field. Modify the sysmon macro as needed + to match the sourcetype or add index. known_false_positives: DLLs being loaded by user mode programs for legitimate reasons. references: - https://attack.mitre.org/techniques/T1574/002/ 
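Review bot: the rewrapped description still carries the typo "Officla" (for "Official"); fix it while the block is being rewritten. Separately, this search filters with `search islibrary = TRUE AND excluded = false` while the companion Created analytic uses `excluded != TRUE`; both forms require the `excluded` field to be present, so an event where the `excludes` lookup returned no row is dropped by either, and if the intent is "not explicitly excluded" then `NOT excluded = TRUE` is the form that keeps the null case. Confirm which behaviour the lookup is built for and use the same expression in both analytics.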
@@ -22,49 +40,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The module [$loaded_file$] was loaded from an unusual location by [$process$] + risk_objects: + - field: dest + type: system + score: 10 + - field: user + type: user + score: 10 + threat_objects: + - field: process + type: process tags: analytic_story: - Windows Defense Evasion Tactics - Living Off The Land asset_type: Endpoint - confidence: 25 - impact: 40 - message: The module [$loaded_file$] was loaded from an unusual location by [$process$] mitre_attack_id: - T1574.001 - T1574.002 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise 
Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - Computer - - ProcessGuid - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml index e52939872d..0aca5b42c9 100644 --- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml +++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml 
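Review bot: `rba.message` references `$loaded_file$`, but the only threat object is `process` (the full `Image` path); the loaded module is the indicator an analyst pivots on, so add `loaded_file` as a `file_name`-typed threat object, as the Created analytic does. Also note that the search nulls `user` when Sysmon logs `-` (`case(NOT user IN ("-"), ...)`), so the `user` risk object will be absent for those events; worth a sentence in `how_to_implement`. Scores of 10 on `dest` and `user` match the removed `risk_score: 10`.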
@@ -1,15 +1,31 @@ name: Windows Known GraphicalProton Loaded Modules id: bf471c94-0324-4b19-a113-d02749b969bc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 7 -description: The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration. -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\AclNumsInvertHost.dll", "*\\ModeBitmapNumericAnimate.dll", "*\\UnregisterAncestorAppendAuto.dll", "*\\DeregisterSeekUsers.dll", "*\\ScrollbarHandleGet.dll", "*\\PerformanceCaptionApi.dll", "*\\WowIcmpRemoveReg.dll", "*\\BlendMonitorStringBuild.dll", "*\\HandleFrequencyAll.dll", "*\\HardSwapColor.dll", "*\\LengthInMemoryActivate.dll", "*\\ParametersNamesPopup.dll", "*\\ModeFolderSignMove.dll", "*\\ChildPaletteConnected.dll", "*\\AddressResourcesSpec.dll") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +description: The following analytic detects the loading of DLL modules associated + with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. 
+ It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This + activity is significant as it may indicate the presence of a sophisticated backdoor, + warranting immediate investigation. If confirmed malicious, the attacker could gain + persistent access to the compromised host, potentially leading to further exploitation + and data exfiltration. +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\AclNumsInvertHost.dll", "*\\ModeBitmapNumericAnimate.dll", + "*\\UnregisterAncestorAppendAuto.dll", "*\\DeregisterSeekUsers.dll", "*\\ScrollbarHandleGet.dll", + "*\\PerformanceCaptionApi.dll", "*\\WowIcmpRemoveReg.dll", "*\\BlendMonitorStringBuild.dll", + "*\\HandleFrequencyAll.dll", "*\\HardSwapColor.dll", "*\\LengthInMemoryActivate.dll", + "*\\ParametersNamesPopup.dll", "*\\ModeFolderSignMove.dll", "*\\ChildPaletteConnected.dll", + "*\\AddressResourcesSpec.dll") | stats count min(_time) as firstTime max(_time) + as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes + IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_known_graphicalproton_loaded_modules_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a 
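Review bot: whitespace-only fold; each break inside the `ImageLoaded IN (...)` list lands after a comma and space, so the single-quoted scalar still parses to the same search. On documentation, `known_false_positives: unknown` is left as-is; a short statement of whether these module names are expected to collide with legitimate software (the referenced CISA AA23-347A advisory is the source an analyst will check) would help tuners more than "unknown".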
@@ -19,44 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Known GraphicalProton backdoor Loaded Modules on $dest$. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 60 - impact: 60 - message: Windows Known GraphicalProton backdoor Loaded Modules on $dest$. 
mitre_attack_id: - T1574.002 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - - Hashes - - IMPHASH security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/svr_loaded_modules/loaded_module_svr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/svr_loaded_modules/loaded_module_svr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml index 2b3f0cbe0c..c3c847f745 100644 --- a/detections/endpoint/windows_krbrelayup_service_creation.yml +++ b/detections/endpoint/windows_krbrelayup_service_creation.yml @@ -1,7 +1,7 @@ name: Windows KrbRelayUp Service Creation id: e40ef542-8241-4419-9af4-6324582ea60a -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
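Review bot: `threat_objects: []` leaves the GraphicalProton detection with no pivot although the search groups by `Image`, `ImageLoaded` and `Hashes`; a threat object on the loaded module path (renamed to a field the rba schema accepts, since only process/file-style types appear elsewhere in this patch) would give RBA something beyond `dest`. Score 36 on `dest` matches the removed confidence 60 × impact 60. In the KrbRelayUp header hunk on the same line, `version: '5'` becomes the bare integer `6`, which aligns the type with the other files; its date `2024-12-10` is later than the `2024-11-13` used elsewhere in this patch, fine if that file was touched later.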
@@ -37,37 +37,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service was created on $dest$, related to KrbRelayUp. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Local Privilege Escalation With KrbRelayUp - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service was created on $dest$, related to KrbRelayUp. mitre_attack_id: - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Service_File_Name - - Service_Name - - Service_Start_Type - - Service_Type - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml index 366c9748e9..86f3c9da53 100644 --- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml 
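Review bot: the removed `required_fields` show `Service_File_Name` and `Service_Name` are available to this search, yet `threat_objects` is `[]`; the service binary path is the most useful pivot for a KrbRelayUp service creation, so consider a threat object on `Service_File_Name` if the rba schema has a suitable type (only process/file/parent types appear in this patch, so that is an open question rather than a blocker). Score 64 on `dest` matches the removed confidence 80 × impact 80.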
@@ -1,16 +1,30 @@ name: Windows Large Number of Computer Service Tickets Requested id: 386ad394-c9a7-4b4f-b66f-586252de20f0 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: Anomaly status: production data_source: - Windows Event Log Security 4769 -description: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network. -search: '`wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. +description: The following analytic detects a high volume of Kerberos service ticket + requests, specifically more than 30, from a single source within a 5-minute window. 
+ It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, + focusing on requests with computer names as the Service Name. This behavior is significant + as it may indicate malicious activities such as lateral movement, malware staging, + or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access + to multiple endpoints, potentially compromising the entire network. +search: '`wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$" + | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) + as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 + | `windows_large_number_of_computer_service_tickets_requested_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: An single endpoint requesting a large number of kerberos service + tickets is not common behavior. Possible false positive scenarios include but are + not limited to vulnerability scanners, administration systems and missconfigured + systems. references: - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://attack.mitre.org/techniques/T1135/ 
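Review bot: the rewrapped `known_false_positives` still reads "An single endpoint ... missconfigured systems"; fix to "A single endpoint" and "misconfigured" while the block is being touched, and capitalise "Kerberos" to match the description. Otherwise whitespace-only; the `where unique_targets > 30` threshold and the `span=5m` bucket still agree with the "more than 30 ... within a 5-minute window" wording in the description.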
@@ -21,40 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$IpAddress$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A large number of kerberos computer service tickets were requested by $IpAddress$ + within 5 minutes. + risk_objects: + - field: IpAddress + type: system + score: 30 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 60 - message: A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes. 
mitre_attack_id: - T1135 - T1078 - observable: - - name: IpAddress - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ServiceName - - TargetUserName - - IpAddress - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml index 43e14d040d..30ab7ce4b3 100644 --- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml +++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml @@ -1,7 +1,7 @@ name: Windows Ldifde Directory Object Behavior id: 35cd29ca-f08c-4489-8815-f715c45460d3 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP 
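Review bot: in the Ldifde header hunk `version` jumps from 4 to 6 while every other detection in this patch bumps by exactly one; confirm 5 was not skipped by mistake. For the ticket-request rba block, the risk object is `IpAddress` typed `system`; its value is an IP string rather than a hostname, so it will not aggregate with `dest`-based system risk objects raised by other analytics on the same host unless normalised upstream, which is worth calling out in `how_to_implement`. Score 30 matches the removed confidence 50 × impact 60.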
@@ -9,9 +9,29 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the use of Ldifde.exe, a command-line utility for creating, modifying, or deleting LDAP directory objects. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution and command-line arguments. Monitoring Ldifde.exe is significant because it can be used by attackers to manipulate directory objects, potentially leading to unauthorized changes or data exfiltration. If confirmed malicious, this activity could allow an attacker to gain control over directory services, escalate privileges, or access sensitive information within the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN ("*-i *", "*-f *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +description: The following analytic identifies the use of Ldifde.exe, a command-line + utility for creating, modifying, or deleting LDAP directory objects. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution and command-line arguments. Monitoring Ldifde.exe is significant because + it can be used by attackers to manipulate directory objects, potentially leading + to unauthorized changes or data exfiltration. If confirmed malicious, this activity + could allow an attacker to gain control over directory services, escalate privileges, + or access sensitive information within the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe + Processes.process IN ("*-i *", "*-f *") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: False positives may be present, filter as needed. references: - https://lolbas-project.github.io/lolbas/Binaries/Ldifde/ 
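Review bot: the `how_to_implement` text in this hunk still says the process GUID must be ingested, but the `search` groups only by `Processes.process_id` and `Processes.parent_process_id` and never references `Processes.process_guid`; either drop that sentence or add the field to the `by` clause. Also, `Processes.process IN ("*-i *", "*-f *")` matches essentially every ldifde invocation, since `-f` names the file for both import and export and only `-i` marks an import; if the description's "creating, modifying, or deleting" is the intended scope, `known_false_positives` should say that routine exports (`-f` without `-i`) by AD administrators will also fire, rather than the current "filter as needed".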
@@ -24,60 +44,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Volt Typhoon asset_type: Endpoint atomic_guid: - 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 - confidence: 50 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller. 
mitre_attack_id: - T1105 - T1069.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml index bffdebe91a..f2b645134e 100644 --- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml +++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml 
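Review bot: the new `rba.message` keeps the claim "utilizing ldifde on a domain controller", but nothing in the search constrains `Processes.dest` to domain controllers, so the risk message asserts something the analytic did not check; either drop the phrase or make the wording neutral ("on endpoint $dest$"). The score mapping is consistent (the removed `confidence: 50` x `impact: 80` gives the retained 40 for both `user` and `dest`), so no change needed there.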
@@ -1,15 +1,28 @@ name: Windows Linked Policies In ADSI Discovery id: 510ea428-4731-4d2f-8829-a28293e427aa -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for domain organizational units. This detection leverages PowerShell operational logs to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, and `findAll()`. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness of the domain structure. If confirmed malicious, this could lead to further exploitation, such as privilege escalation or lateral movement within the network. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for + domain organizational units. This detection leverages PowerShell operational logs + to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, + and `findAll()`. This activity is significant as it indicates potential reconnaissance + efforts by adversaries to gain situational awareness of the domain structure. If + confirmed malicious, this could lead to further exploitation, such as privilege + escalation or lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText + = "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ 
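Review bot: `how_to_implement` in this hunk still opens with "The following Hunting analytic", but the file declares `type: Anomaly` a few lines above, and the `rba` block added in the next hunk only applies to a non-Hunting type; update the sentence to say "The following analytic" so the documentation matches the declared type.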
@@ -20,41 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows PowerShell [Adsisearcher] was used user enumeration on $user$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Destruction - Active Directory Discovery - Industroyer2 asset_type: Endpoint - confidence: 50 - impact: 50 - message: Windows PowerShell [Adsisearcher] was used user enumeration on $user$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - user_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml similarity index 58% rename from detections/endpoint/windows_command_shell_fetch_env_variables.yml rename to detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml index 156004d4aa..713dc4223e 100644 --- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml +++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml 
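Review bot: the `rba.message` "Windows PowerShell [Adsisearcher] was used user enumeration on $user$" is ungrammatical and names the wrong object: the search matches `objectcategory=organizationalunit`, i.e. OU discovery, not user enumeration, and `$user$` is not a risk object here (only `dest` is). Suggest "Windows PowerShell [Adsisearcher] was used to enumerate organizational units on $dest$ by $user$".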
@@ -1,18 +1,18 @@ -name: Windows Command Shell Fetch Env Variables -id: 048839e4-1eaa-43ff-8a22-86d17f6fcc13 -version: 3 -date: '2024-09-30' +name: Windows List ENV Variables Via SET Command From Uncommon Parent +id: aec157f4-8783-4584-aca6-754c4dc7fba9 +version: 1 +date: '2025-01-17' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic identifies a suspicious process command line fetching environment variables with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity is significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment. +type: Anomaly +description: The following analytic identifies a suspicious process command line fetching environment variables using the cmd.exe "set" command, with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity could be significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*cmd /c set" OR Processes.process = "*cmd.exe /c set" AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmd.exe" Processes.process IN ("*/c set", "*/c \"set") AND NOT Processes.parent_process_name IN ("cmd.exe", "explorer.exe", "powershell*" "pwsh.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_list_env_variables_via_set_command_from_uncommon_parent_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: shell process that are not included in this search may cause False positive. Filter is needed. +known_false_positives: shell process that are not included in this search may cause False positive. Filter as needed. references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg drilldown_searches: 
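Review bot: the new `search` has two problems in the `where` clause. First, `Processes.parent_process_name IN ("cmd.exe", "explorer.exe", "powershell*" "pwsh.exe")` is missing the comma between `"powershell*"` and `"pwsh.exe"`; add it so the list parses as four values. Second, the pattern `"*/c \"set"` has no trailing wildcard, so it only matches a command line that ends exactly in `/c "set`; the quoted form `cmd /c "set"` ends in `set"` and will not match. Use `"*/c \"set*"` (or `"*/c \"set\""`) if the quoted variant is meant to be covered. Because the filter macro is renamed to `windows_list_env_variables_via_set_command_from_uncommon_parent_filter`, the matching macro definition must be renamed in the same change or the search will not resolve. Minor: `known_false_positives` still reads "shell process that are not included in this search may cause False positive"; "Shell processes not included in this search may cause false positives" is cleaner.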
@@ -24,38 +24,24 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: non-shell parent process has a child process $process_name$ with a commandline + $process$ to fetch env variables on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 70 - impact: 80 - message: non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test @@ -63,4 +49,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
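Review bot: the `rba.message` in this hunk ("non-shell parent process has a child process $process_name$ with a commandline $process$ ...") never names the parent, yet the uncommon parent is the whole signal of this analytic; include `$parent_process_name$` in the message and list `parent_process_name` under `threat_objects` instead of `threat_objects: []` so the risk index records which parent spawned `cmd.exe`. The score 56 matches the removed `confidence: 70` x `impact: 80`. The trailing hunk removing `update_timestamp: true` from the test is fine provided the dataset's original timestamps still fall inside the test's search window.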
diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml index df396b920c..4669dc1fbe 100644 --- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml +++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml 
@@ -1,17 +1,31 @@ name: Windows Local Administrator Credential Stuffing id: 09555511-aca6-484a-b6ab-72cd03d73c34 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 4624 - Windows Event Log Security 4625 -description: The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk. -search: '`wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. +description: The following analytic detects attempts to authenticate using the built-in + local Administrator account across more than 30 endpoints within a 5-minute window. + It leverages Windows Event Logs, specifically events 4625 and 4624, to identify + this behavior. 
This activity is significant as it may indicate an adversary attempting + to validate stolen local credentials across multiple hosts, potentially leading + to privilege escalation. If confirmed malicious, this could allow the attacker to + gain widespread access and control over numerous systems within the network, posing + a severe security risk. +search: '`wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator + | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as + host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets + > 30 | `windows_local_administrator_credential_stuffing_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: Vulnerability scanners or system administration tools may also + trigger this detection. Filter as needed. references: - https://attack.mitre.org/techniques/T1110/004/ - https://attack.mitre.org/techniques/T1110/ 
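Review bot: the `search` in this hunk mixes `OR` and implicit `AND` without parentheses: `EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator`. The intent is clearly (4625 OR 4624) AND Logon_Type=3 AND TargetUserName=Administrator, so write the parentheses explicitly rather than relying on the search command's Boolean precedence. Separately, `stats dc(Computer) ... by _time, IpAddress, TargetUserName, EventCode` splits successes and failures into separate rows, so 20 failed plus 20 successful logons to distinct hosts from one source in the same 5-minute bucket never crosses `unique_targets > 30`; if "attempts to authenticate" in the description means both outcomes together, drop `EventCode` from the `by` clause and carry it as `values(EventCode)` instead.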
@@ -25,45 +39,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host_targets$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Local Administrator credential stuffing attack coming from $IpAddress$ + risk_objects: + - field: host_targets + type: system + score: 56 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Privilege Escalation - Active Directory Lateral Movement asset_type: Endpoint - confidence: 80 - impact: 70 - message: Local Administrator credential stuffing attack coming from $IpAddress$ mitre_attack_id: - T1110 - T1110.004 - observable: - - name: host_targets - type: Endpoint - role: - - Victim - - name: IpAddress - type: Endpoint - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - 
Logon_Type - - TargetUserName - - Computer - - IpAddress - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml index e40bdd0830..6a79741770 100644 --- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml +++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml 
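Review bot: `host_targets` is a multivalue field produced by `values(Computer)`, so declaring it the sole `system` risk object fans out score 56 to every one of the 30+ hosts in the list, while the source `IpAddress` appears only as a threat object. Confirm that attribution is intended; if the goal is to surface the source of the stuffing, consider adding `IpAddress` as a second entry under `risk_objects` (other files in this diff show multiple risk objects), since the removed `observable` block treated it as the Attacker.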
@@ -1,18 +1,42 @@ name: Windows LOLBAS Executed As Renamed File id: fd496996-7d9e-4894-8d40-bb85b6192dc6 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies a LOLBAS process being executed where it's process name does not match it's original file name attribute. Processes that have been renamed and executed may be an indicator that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. +description: The following analytic identifies a LOLBAS process being executed where + it's process name does not match it's original file name attribute. Processes that + have been renamed and executed may be an indicator that an adversary is attempting + to evade defenses or execute malicious code. The LOLBAS project documents Windows + native binaries that can be abused by threat actors to perform tasks like executing + malicious code. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where NOT Processes.original_file_name IN("-","unknown") AND NOT Processes.process_path IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process_path |`drop_dm_object_name(Processes)` | where NOT match(process_name, "(?i)".original_file_name) | lookup lolbas_file_path lolbas_file_name as original_file_name OUTPUT description as desc | search desc!="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lolbas_executed_as_renamed_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: A certain amount of false positives are likely with this detection. MSI based installers often trigger for SETUPAPL.dll and vendors will often copy system exectables to a different path for application usage. 
+search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) + as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) + as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes + where NOT Processes.original_file_name IN("-","unknown") AND NOT Processes.process_path + IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") + BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process_path |`drop_dm_object_name(Processes)` + | where NOT match(process_name, "(?i)".original_file_name) | lookup lolbas_file_path + lolbas_file_name as original_file_name OUTPUT description as desc | search desc!="false" + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lolbas_executed_as_renamed_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A certain amount of false positives are likely with this detection. + MSI based installers often trigger for SETUPAPL.dll and vendors will often copy + system exectables to a different path for application usage. 
references: - https://attack.mitre.org/techniques/T1036/ - https://attack.mitre.org/techniques/T1036/003/ 
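Review bot: the reflowed `description` carries two typos into the new lines: "it's process name does not match it's original file name" should read "its ... its", and `known_false_positives` has "exectables" for "executables"; since these lines are rewritten anyway, fix them here. Style: the tstats aggregation list `latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime` mixes comma-separated and space-separated aggregations and mixed-case `as`/`AS`; add the comma after `process_guid` and use one case throughout.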
@@ -22,51 +46,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The file originally named $original_file_name$ was executed as $process_name$ + on $dest$ + risk_objects: + - field: dest + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Masquerading - Rename System Utilities - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 50 - impact: 80 - message: The file originally named $original_file_name$ was executed as $process_name$ on $dest$ mitre_attack_id: - T1036 - T1036.003 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: 
Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.user - - Processes.dest - - Processes.parent_process_name - - Processes.process_name - - Processes.original_file_name - - Processes.process_path - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml index db892d5a50..a11c57c45e 100644 --- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml +++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml 
@@ -1,17 +1,33 @@ name: Windows LOLBAS Executed Outside Expected Path id: 326fdf44-b90c-4d2e-adca-1fd140b10536 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic identifies a LOLBAS process being executed outside of it's expected location. Processes being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. +description: The following analytic identifies a LOLBAS process being executed outside + of it's expected location. Processes being executed outside of expected locations + may be an indicator that an adversary is attempting to evade defenses or execute + malicious code. The LOLBAS project documents Windows native binaries that can be + abused by threat actors to perform tasks like executing malicious code. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 -search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process != "unknown" AND NOT Processes.process_path IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name Processes.process_path |`drop_dm_object_name(Processes)` | lookup lolbas_file_path lolbas_file_name as process_name OUTPUT description as desc | lookup lolbas_file_path lolbas_file_name as process_name lolbas_file_path as process_path OUTPUT description as is_lolbas_path | search desc!="false" AND is_lolbas_path="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lolbas_executed_outside_expected_path_filter`' -how_to_implement: To implement this search, you must ingest logs that contain the process name and process path, such as with Sysmon EID 1. -known_false_positives: Vendors will often copy system exectables to a different path for application usage. 
+search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) + as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) + as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes + where Processes.process != "unknown" AND NOT Processes.process_path IN ("*\\Program + Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user + Processes.dest Processes.parent_process_name Processes.process_name Processes.process_path + |`drop_dm_object_name(Processes)` | lookup lolbas_file_path lolbas_file_name as + process_name OUTPUT description as desc | lookup lolbas_file_path lolbas_file_name + as process_name lolbas_file_path as process_path OUTPUT description as is_lolbas_path + | search desc!="false" AND is_lolbas_path="false" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_lolbas_executed_outside_expected_path_filter`' +how_to_implement: To implement this search, you must ingest logs that contain the + process name and process path, such as with Sysmon EID 1. +known_false_positives: Vendors will often copy system exectables to a different path + for application usage. references: - https://attack.mitre.org/techniques/T1036/ - https://attack.mitre.org/techniques/T1036/005/ 
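Review bot: the reflowed `+description` and `+known_false_positives` lines in this hunk (windows_lolbas_executed_outside_expected_path.yml, `@@ -1,17 +1,33 @@`) carry two typos over from the old text; since the lines are being rewritten anyway, `of it's expected location` should read `of its expected location` and `copy system exectables to a different path` should read `copy system executables to a different path`. Separately, `+how_to_implement` only mentions ingesting process name and path, but the search also depends on the `lolbas_file_path` lookup (`| lookup lolbas_file_path lolbas_file_name as process_name OUTPUT description as desc`) and on non-matching rows coming back as the literal string `false`, which the final `| search desc!="false" AND is_lolbas_path="false"` relies on; one sentence saying the lookup must be installed and populated would spare implementers a silently empty result set.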
@@ -21,51 +37,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ executed a LOLBAS [$process_name$] from an unexpected location + on $dest$ + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Masquerading - Rename System Utilities - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 50 - impact: 80 - message: The user $user$ executed a LOLBAS [$process_name$] from an unexpected location on $dest$ mitre_attack_id: - T1036 - T1036.005 - T1218.011 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - 
type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.user - - Processes.dest - - Processes.parent_process_name - - Processes.process_name - - Processes.original_file_name - - Processes.process_path - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml index 205ed48841..f6ea3bcecd 100644 --- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml +++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml @@ -1,7 +1,7 @@ name: Windows LSA Secrets NoLMhash Registry id: 48cc1605-538c-4223-8382-e36bee5b540d -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,10 +15,10 @@ description: The following analytic detects modifications to the Windows registr is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" - Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" + Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`' how_to_implement: To successfully implement this search, you must be ingesting data 
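Review bot: in the reflowed `+search` of this hunk (windows_lsa_secrets_nolmhash_registry.yml, `@@ -15,10 +15,10 @@`) the trailing `| where isnotnull(registry_value_data)` in the context line is redundant, because the tstats clause `Registry.registry_value_data = 0x00000000` already excludes rows with no value; it can be dropped while the search is being reformatted. The hunk is otherwise whitespace-only.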
@@ -36,47 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows LSA Secrets NoLMhash Registry on $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 80 - impact: 80 - message: Windows LSA Secrets NoLMhash Registry on $dest$ by $user$. 
mitre_attack_id: - T1003.004 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.user - - Registry.dest - - Registry.action - - Registry.registry_value_data - - Registry.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml index 30348e0e6c..f3b8b38435 100644 --- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml 
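Review bot: the new `+rba.message` in this hunk (windows_lsa_secrets_nolmhash_registry.yml, `@@ -36,47 +36,39 @@`) just restates the detection name: `Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.` tells an analyst nothing about what changed. Since `registry_path` and `registry_value_data` are both in the BY clause, a message such as `NoLMHash set to $registry_value_data$ under $registry_path$ on $dest$ by $user$` would make the risk event self-describing. Scores of 64 for both risk objects match the removed `confidence: 80` / `impact: 80`, so that part is consistent.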
@@ -1,16 +1,32 @@ name: Windows Mail Protocol In Non-Common Process Path id: ac3311f5-661d-4e99-bd1f-3ec665b05441 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host. +description: The following analytic detects a Windows application establishing an + SMTP connection from a non-common installation path. It leverages Sysmon EventCode + 3 to identify processes not typically associated with email clients (e.g., Thunderbird, + Outlook) making SMTP connections. This activity is significant as adversaries, including + malware like AgentTesla, use such connections for Command and Control (C2) communication + to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized + data exfiltration, including sensitive information like desktop screenshots, browser + data, and system details, compromising the affected host. 
data_source: - Sysmon EventID 3 -search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird.exe","*\\outlook.exe")) (DestinationPortName="smtp" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: third party application may use this network protocol as part of its feature. Filter is needed. +search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird.exe","*\\outlook.exe")) + (DestinationPortName="smtp" OR DestinationPort=25 OR DestinationPort=587) | stats + count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName + DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp + dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_mail_protocol_in_non_common_process_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and sysmon eventcode = 3 connection events from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: third party application may use this network protocol as part + of its feature. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: 
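Review bot: the reflowed `+known_false_positives` line in this hunk (windows_mail_protocol_in_non_common_process_path.yml, `@@ -1,16 +1,32 @@`) keeps the old wording `third party application may use this network protocol as part of its feature. Filter is needed.`; while the line is being rewritten it should read `Third-party applications may use this network protocol as part of their features. Filtering is needed.` Also worth stating in `+how_to_implement` that the search keys on `DestinationPortName="smtp"` as well as ports 25 and 587, so port-name resolution in the Sysmon TA must be working for the first branch to match.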
@@ -19,47 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $Image$ is having a SMTP connection to $DestinationHostname$ + on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - AgentTesla asset_type: Endpoint - confidence: 30 - impact: 30 - message: a process $Image$ is having a SMTP connection to $DestinationHostname$ in $dest$ mitre_attack_id: - T1071.003 - T1071 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - DestinationPort - - DestinationPortName - - DestinationHostname - - SourceHostname - - SourcePort - - SourcePortName - - Protocol - - DestinationIp - - dest - - user - risk_score: 9 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml index 84aa37f7d8..c73d13fd93 100644 --- a/detections/endpoint/windows_mark_of_the_web_bypass.yml +++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml 
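Review bot: the newly added `+rba.message` in this hunk (windows_mail_protocol_in_non_common_process_path.yml, `@@ -19,47 +35,38 @@`) is ungrammatical: `a process $Image$ is having a SMTP connection to $DestinationHostname$ on $dest$` should read `Process $Image$ made an SMTP connection to $DestinationHostname$ on $dest$`. The same hunk also drops `- update_timestamp: true` from the test `attack_data` entry, as do the windows_masquerading_explorer_as_child_process, windows_mimikatz_binary_execution and windows_mimikatz_crypto_export_file_extensions hunks below; please confirm this is intentional (the field no longer being honoured by the contentctl version the workflows now pin) rather than an accidental loss of timestamp shifting for replayed data.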
@@ -1,15 +1,26 @@ name: Windows Mark Of The Web Bypass id: 8ca13343-7405-4916-a2d1-ae34ce0c28ae -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 23 -description: The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system. -search: '`sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +description: The following analytic identifies a suspicious process that deletes the + Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when + a file's Zone.Identifier stream is removed. This activity is significant because + it is a common technique used by malware, such as Ave Maria RAT, to bypass security + restrictions on files downloaded from the internet. If confirmed malicious, this + behavior could allow an attacker to execute potentially harmful files without triggering + security warnings, leading to further compromise of the system. 
+search: '`sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" | stats min(_time) + as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename + ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_mark_of_the_web_bypass_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the deleted target file name, process name and process id from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1553/005/ 
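Review bot: `+how_to_implement` in this hunk (windows_mark_of_the_web_bypass.yml, `@@ -1,15 +1,26 @@`) should say that Sysmon Event ID 23 (FileDelete) is only generated when the Sysmon configuration contains a FileDelete rule; without it the search `` `sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" `` never matches and the detection fails silently. The reflowed `known_false_positives: unknown` is also a missed opportunity: clearing the Unblock checkbox in a file's Explorer properties removes the same `Zone.Identifier` stream, so a line pointing at that benign source would help tuning.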
@@ -20,44 +31,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A mark-of-the-web data stream is deleted on $dest$ + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Warzone RAT asset_type: Endpoint - confidence: 70 - impact: 70 - message: A mark-of-the-web data stream is deleted on $dest$ mitre_attack_id: - T1553.005 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - EventCode - - TargetFilename - - dest - - user - - Image - - ProcessID - - _time security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/possible-motw-deletion.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/possible-motw-deletion.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml index 138609188d..eba3eda086 100644 --- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml +++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml @@ -1,7 +1,7 @@ name: Windows Masquerading Explorer As Child Process id: 61490da9-52a1-4855-a0c5-28233c88c481 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
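Review bot: the new `+rba.message` in this hunk (windows_mark_of_the_web_bypass.yml, `@@ -20,44 +31,39 @@`) names neither the file nor the deleting process even though both `Image` and `TargetFilename` are in the `stats ... by` clause; `A mark-of-the-web data stream is deleted on $dest$` could become `$Image$ deleted the Zone.Identifier stream of $TargetFilename$ on $dest$`, which is what an analyst needs for triage. Scores of 49 for `user` and `dest` match the removed `confidence: 70` / `impact: 70`.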
@@ -50,46 +50,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: explorer.exe has a suspicious parent process $parent_process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Qakbot - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: explorer.exe hash a suspicious parent process $parent_process_name$ in - $dest$ mitre_attack_id: - T1574.002 - T1574 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml index 9e47bf9948..82f5ed4dd0 100644 --- a/detections/endpoint/windows_masquerading_msdtc_process.yml +++ b/detections/endpoint/windows_masquerading_msdtc_process.yml @@ -1,7 +1,7 @@ name: Windows Masquerading Msdtc Process id: 238f3a07-8440-480b-b26f-462f41d9a47c -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -50,43 +50,29 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: msdtc.exe process with process commandline used by PlugX malware on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - PlugX asset_type: Endpoint - confidence: 80 - impact: 80 - message: msdtc.exe process with process commandline used by PlugX malware in $dest$. mitre_attack_id: - T1036 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml index a3f603e69c..8578d406d4 100644 --- a/detections/endpoint/windows_mimikatz_binary_execution.yml +++ b/detections/endpoint/windows_mimikatz_binary_execution.yml @@ -1,7 +1,7 @@ name: Windows Mimikatz Binary Execution id: a9e0d6d3-9676-4e26-994d-4e0406bb4467 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
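Review bot: the `@@ -1,7 +1,7 @@` hunk for windows_mimikatz_binary_execution.yml at the end of this region bumps `-version: '5'` to `+version: 7`, skipping 6, while every other file in this patch increments by exactly one (2 to 3, 4 to 5, '4' to 5); please confirm a version 6 was shipped elsewhere or change it to 6. In the windows_masquerading_msdtc_process.yml hunk above it, the `+rba.message` `msdtc.exe process with process commandline used by PlugX malware on $dest$.` would be more useful if it interpolated the command line field the search groups on, since the text promises a command line but shows none.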
@@ -52,6 +52,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting dump credentials. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Sandworm Tools 
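Review bot: the new `+rba.message` in this hunk (windows_mimikatz_binary_execution.yml, `@@ -52,6 +52,21 @@`) is missing a word: `by user $user$ attempting dump credentials.` should read `by user $user$ attempting to dump credentials.` The four risk/threat objects and the score of 100 match the removed `observable` and `confidence: 100` / `impact: 100` entries, so the mapping itself is consistent.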
@@ -62,52 +77,17 @@ tags: - Compromised Windows Host - Credential Dumping asset_type: Endpoint - confidence: 100 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting dump credentials. mitre_attack_id: - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml index 81b30b8bc5..268990889c 100644 --- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml +++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml 
@@ -1,16 +1,32 @@ name: Windows Mimikatz Crypto Export File Extensions id: 3a9a6806-16a8-4cda-8d73-b49d10a05b16 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment. +description: The following analytic detects the creation of files with extensions + commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem + data model to identify specific file names indicative of certificate export activities. + This behavior is significant as it may indicate the use of Mimikatz to export cryptographic + keys, which is a common tactic for credential theft. If confirmed malicious, this + activity could allow an attacker to exfiltrate sensitive cryptographic material, + potentially leading to unauthorized access and further compromise of the environment. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.keyx.rsa.pvk","*sign.rsa.pvk","*sign.dsa.pvk","*dsa.ec.p8k","*dh.ec.p8k", "*.pfx", "*.der") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.keyx.rsa.pvk","*sign.rsa.pvk","*sign.dsa.pvk","*dsa.ec.p8k","*dh.ec.p8k", + "*.pfx", "*.der") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name + Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be present and may need to be reviewed + before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's + too much volume. references: - https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645 drilldown_searches: 
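Review bot: `+how_to_implement` in this hunk (windows_mimikatz_crypto_export_file_extensions.yml, `@@ -1,16 +1,32 @@`) says you must ingest "information on process that include the name of the process responsible for the changes", but the reflowed `+search` groups only by `Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path` and never references a process field; either add a process field from the Filesystem node to the BY clause (which would also make a usable `threat_objects` entry later in the file) or reword the sentence to say that file-creation events with file name and path are sufficient. While the line is being rewritten, `information on process that include` should read `information on processes that includes`.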
@@ -19,41 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Certificate file extensions realted to Mimikatz were identified on disk + on $dest$. + risk_objects: + - field: dest + type: system + score: 28 + threat_objects: [] tags: analytic_story: - Sandworm Tools - CISA AA23-347A - Windows Certificate Services asset_type: Endpoint - confidence: 70 - impact: 40 - message: Certificate file extensions realted to Mimikatz were identified on disk on $dest$. 
mitre_attack_id: - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.file_path - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml index f13bcab8f7..1cffc6a9e0 100644 --- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml +++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml 
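Review bot: the `rba.message` added in this hunk ("Certificate file extensions realted to Mimikatz were identified on disk on $dest$.") carries the spelling error over from the removed `tags.message`; since the text is being moved anyway, correct it to `message: Certificate file extensions related to Mimikatz were identified on disk on $dest$.` so the risk notable reads cleanly.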
@@ -1,16 +1,32 @@ name: Windows Modify Registry AuthenticationLevelOverride id: 6410a403-36bb-490f-a06a-11c3be7d2a41 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry key "AuthenticationLevelOverride" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. 
+description: The following analytic detects modifications to the Windows registry + key "AuthenticationLevelOverride" within the Terminal Server Client settings. It + leverages data from the Endpoint.Registry datamodel to identify changes where the + registry value is set to 0x00000000. This activity is significant as it may indicate + an attempt to override authentication levels for remote connections, a tactic used + by DarkGate malware for malicious installations. If confirmed malicious, this could + allow attackers to gain unauthorized remote access, potentially leading to data + exfiltration or further system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal + Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 + by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
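Review bot: the re-wrapped `how_to_implement` in this hunk still reads "ingesting information on process that include the name of the process responsible for the changes", which is ungrammatical and does not say what the search needs; since the search is `from datamodel=Endpoint.Registry`, suggest "ingesting registry events, including the name of the process responsible for the change, from your endpoints into the `Registry` node of the `Endpoint` datamodel". The trailing "ex. sysmon config" would also read better as "e.g. your Sysmon configuration".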
@@ -19,40 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for authentication level settings was modified on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for authentication level settings was modified on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml index ef9599ab63..aff80c88d2 100644 --- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml +++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml 
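Review bot: the `rba.message` in this hunk starts in lowercase ("the registry for authentication level settings was modified on $dest$.") and does not name the value the search matches; suggest `message: The Terminal Server Client AuthenticationLevelOverride registry value was set to 0x00000000 on $dest$.` so the notable tells the analyst exactly which setting changed.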
@@ -1,50 +1,49 @@ name: Windows Modify Registry Auto Minor Updates id: be498b9f-d804-4bbf-9fc0-d5448466b313 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 13 -description: The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" with a value of "0x00000000". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic identifies a suspicious modification to the Windows + auto update configuration registry. It detects changes to the registry path + "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" + with a value of "0x00000000". This activity is significant as it is commonly used + by adversaries, including malware like RedLine Stealer, to bypass detection and + deploy additional payloads. If confirmed malicious, this modification could allow + attackers to evade defenses, potentially leading to further system compromise and + exploitation of zero-day vulnerabilities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" + AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. 
references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: analytic_story: - RedLine Stealer asset_type: Endpoint - confidence: 30 - impact: 30 - message: A registry modification in Windows auto update configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml index fce4a0d370..246a2d98f2 100644 --- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml +++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml 
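Review bot: `how_to_implement` in this hunk says the data must be ingested into the `Processes` node of the `Endpoint` datamodel, but the search queries `datamodel=Endpoint.Registry`; change it to the `Registry` node (the AuthenticationLevelOverride file in this same patch already says `Registry`). Separately, the `references` URL in the trailing context uses the `de-de` locale of learn.microsoft.com; consider dropping the locale segment so the link is not tied to the German edition.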
@@ -1,16 +1,32 @@ name: Windows Modify Registry Auto Update Notif id: 4d1409df-40c7-4b11-aec4-bd0e709dfc12 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to "Notify before download." This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic detects a suspicious modification to the Windows + registry that changes the auto-update notification setting to "Notify before download." + This detection leverages data from the Endpoint.Registry data model, focusing on + specific registry paths and values. This activity is significant because it is a + known technique used by adversaries, including malware like RedLine Stealer, to + evade detection and potentially deploy additional payloads. If confirmed malicious, + this modification could allow attackers to bypass security measures, maintain persistence, + and exploit vulnerabilities on the target host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" + AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: 
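Review bot: same mismatch as in the Auto Minor Updates file: `how_to_implement` in this hunk points at the `Processes` node while the search reads `datamodel=Endpoint.Registry`; it should say the `Registry` node. The `de-de` locale in the `references` URL should also be dropped here.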
@@ -19,43 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows auto update notification on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - RedLine Stealer asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 - confidence: 50 - impact: 50 - message: A registry modification in Windows auto update notification on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data 
- risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml index c265873f9f..b149441e61 100644 --- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml +++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml 
@@ -1,16 +1,35 @@ name: Windows Modify Registry Configure BitLocker id: bd1c770f-1b55-411e-b49e-20d07bcac5f8 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: TTP status: production -description: This analytic is developed to detect suspicious registry modifications targeting BitLocker settings. The malware ShrinkLocker alters various registry keys to change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. Such modifications can weaken system security, making it easier for unauthorized access and data breaches. Detecting these changes is crucial for maintaining robust encryption and data protection. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\Policies\\Microsoft\\FVE\\*" Registry.registry_value_name IN("EnableBDEWithNoTPM", "EnableNonTPM", "UseAdvancedStartup") Registry.registry_value_data = 0x00000001) OR (Registry.registry_path= "*\\Policies\\Microsoft\\FVE\\*" Registry.registry_value_name IN("UsePIN", "UsePartialEncryptionKey", "UseTPM", "UseTPMKey", "UseTPMKeyPIN", "UseTPMPIN") Registry.registry_value_data = 0x00000002) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_configure_bitlocker_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. 
In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +description: This analytic is developed to detect suspicious registry modifications + targeting BitLocker settings. The malware ShrinkLocker alters various registry keys + to change how BitLocker handles encryption, potentially bypassing TPM requirements, + enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. + Such modifications can weaken system security, making it easier for unauthorized + access and data breaches. Detecting these changes is crucial for maintaining robust + encryption and data protection. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\Policies\\Microsoft\\FVE\\*" + Registry.registry_value_name IN("EnableBDEWithNoTPM", "EnableNonTPM", "UseAdvancedStartup") + Registry.registry_value_data = 0x00000001) OR (Registry.registry_path= "*\\Policies\\Microsoft\\FVE\\*" + Registry.registry_value_name IN("UsePIN", "UsePartialEncryptionKey", "UseTPM", "UseTPMKey", + "UseTPMKeyPIN", "UseTPMPIN") Registry.registry_value_data = 0x00000002) by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_configure_bitlocker_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: 
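Review bot: `how_to_implement` in this hunk again names the `Processes` node although the search is `FROM datamodel=Endpoint.Registry`; change it to the `Registry` node. While the search is being re-wrapped, the `Registry.registry_path= "*\\Policies\\Microsoft\\FVE\\*"` clause is repeated in both branches of the OR; it can be factored out once, for example `where Registry.registry_path="*\\Policies\\Microsoft\\FVE\\*" AND ((Registry.registry_value_name IN("EnableBDEWithNoTPM","EnableNonTPM","UseAdvancedStartup") Registry.registry_value_data=0x00000001) OR (Registry.registry_value_name IN("UsePIN","UsePartialEncryptionKey","UseTPM","UseTPMKey","UseTPMKeyPIN","UseTPMPIN") Registry.registry_value_data=0x00000002))`, which keeps the same matches and is easier to review.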
@@ -19,43 +38,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows bitlocker registry settings on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - ShrinkLocker asset_type: Endpoint - confidence: 80 - impact: 80 - message: A registry modification in Windows bitlocker registry settings on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.user - - Registry.dest - - Registry.action - - Registry.registry_value_data - - 
Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/bitlocker_registry_setting//fve-reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/bitlocker_registry_setting//fve-reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml index e3d8ea80bd..6c9cc5c4c2 100644 --- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml +++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml 
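Review bot: the re-wrapped `attack_data` URL in this hunk keeps the doubled slash in `bitlocker_registry_setting//fve-reg.log`; since the line is being rewritten anyway, drop the extra slash (after confirming the dataset resolves at the single-slash path). The `rba.message` should also spell the product name as "BitLocker", matching the `name` field of this detection.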
@@ -1,15 +1,32 @@ name: Windows Modify Registry Default Icon Setting id: a7a7afdb-3c58-45b6-9bff-63e5acfd9d40 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under "*HKCR\\*\\defaultIcon\\(Default)*". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity. +description: The following analytic detects suspicious modifications to the Windows + registry's default icon settings, a technique associated with Lockbit ransomware. + It leverages data from the Endpoint Registry data model, focusing on changes to + registry paths under "*HKCR\\*\\defaultIcon\\(Default)*". This activity is significant + as it is uncommon for normal users to modify these settings, and such changes can + indicate ransomware infection or other malware. If confirmed malicious, this could + lead to system defacement and signal a broader ransomware attack, potentially compromising + sensitive data and system integrity. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\defaultIcon\\(Default)*" Registry.registry_path = "*HKCR\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path + ="*\\defaultIcon\\(Default)*" Registry.registry_path = "*HKCR\\*" by Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `windows_modify_registry_default_icon_setting_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. 
known_false_positives: unknown references: - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html 
@@ -20,45 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious registry modification to change the default icon association + of windows to ransomware was detected on endpoint $dest$ by user $user$. + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - LockBit Ransomware asset_type: Endpoint - confidence: 80 - impact: 80 - message: A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.action - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index fe58a5674c..971049a055 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml 
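Review bot: the `rba.message` in this hunk ("to change the default icon association of windows to ransomware") is hard to parse and does not name the key the search matches; suggest `message: A modification of the HKCR DefaultIcon (Default) registry value, a behavior associated with LockBit ransomware, was detected on endpoint $dest$ by user $user$.` so the message reflects the `registry_path` conditions in the search.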
@@ -1,16 +1,29 @@ name: Windows Modify Registry Delete Firewall Rules id: 41c61539-98ca-4750-b3ec-7c29a2f06343 -version: 3 -date: '2024-12-08' +version: 4 +date: '2024-12-16' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 12 type: TTP status: production -description: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks. -search: '`sysmon` EventCode=12 TargetObject = "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" EventType=DeleteValue | rename Computer as dest | rename User as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode EventType TargetObject Image user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_delete_firewall_rules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 -known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. +description: The following analytic detects a potential deletion of firewall rules, + indicating a possible security breach or unauthorized access attempt. It identifies + actions where firewall rules are removed using commands like netsh advfirewall firewall + delete rule, which can expose the network to external threats by disabling critical + security measures. 
Monitoring these activities helps maintain network integrity + and prevent malicious attacks. +search: '`sysmon` EventCode=12 TargetObject = "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" + EventType=DeleteValue | rename Computer as dest | rename User as user | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode EventType TargetObject + Image user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_delete_firewall_rules_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: network admin may add/remove/modify public inbound firewall + rule that may cause this rule to be triggered. references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: 
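Review bot: `known_false_positives` in this hunk only warns about admins touching a "public inbound firewall rule", but the search matches any `EventType=DeleteValue` under `...\FirewallPolicy\FirewallRules\*`, which covers private/domain-profile and outbound rules as well; widen the wording to "add/remove/modify firewall rules" so tuners know the real scope. Separately, the `description` says rules are removed "using commands like netsh advfirewall firewall delete rule", yet the search keys off the Sysmon EventID 12 registry delete and never inspects a command line (`Image` appears only in the `by` clause), so the detection is tool-agnostic; say so, otherwise readers may assume a netsh filter exists.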
@@ -19,45 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: firewall deletion found in registry on $dest$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - ShrinkLocker - CISA AA24-241A asset_type: Endpoint - confidence: 80 - impact: 80 - message: firewall deletion found in registry in $dest$ mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - EventType - - TargetObject - - Image - - user - - dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml index 16e56f5a6d..92f43a1a5c 100644 --- a/detections/endpoint/windows_modify_registry_disable_rdp.yml +++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml 
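Review bot: in the rba hunk for windows_modify_registry_delete_firewall_rules above, the new `rba.message` ("firewall deletion found in registry on $dest$") drops the user even though `user` is now a risk object scored 64 alongside `dest`, and the search already carries it via `rename User as user`. Include it, e.g. `A Windows Firewall rule was deleted from the registry on $dest$ by user $user$`, so the risk event is self-describing and the two risk objects can be correlated from the message alone.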
@@ -1,16 +1,31 @@ name: Windows Modify Registry Disable RDP id: 11ed764f-eb9c-4be7-bdad-2209b9d33ee1 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: Anomaly status: production -description: This analytic is developed to detect suspicious registry modifications that disable Remote Desktop Protocol (RDP) by altering the "fDenyTSConnections" key. Changing this key's value to 1 prevents remote connections, which can disrupt remote management and access. Such modifications could indicate an attempt to hinder remote administration or isolate the system from remote intervention, potentially signifying malicious activity. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_rdp_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +description: This analytic is developed to detect suspicious registry modifications + that disable Remote Desktop Protocol (RDP) by altering the "fDenyTSConnections" + key. 
Changing this key's value to 1 prevents remote connections, which can disrupt + remote management and access. Such modifications could indicate an attempt to hinder + remote administration or isolate the system from remote intervention, potentially + signifying malicious activity. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal + Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_rdp_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: 
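Review bot: `how_to_implement` in this hunk tells the reader to populate the `Processes` node of the `Endpoint` datamodel, but the search runs `tstats ... FROM datamodel=Endpoint.Registry`; it should name the `Registry` node, as the toast-notification and raw-write siblings in this PR do, and carry the same reminder that the Sysmon configuration must actually log `...\Control\Terminal Server\fDenyTSConnections`, otherwise the analytic returns nothing without any error. Since the paragraph is being rewrapped, fix the wording in this change rather than in a follow-up.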
@@ -19,43 +34,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows RDP registry settings on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - ShrinkLocker asset_type: Endpoint - confidence: 50 - impact: 50 - message: A registry modification in Windows RDP registry settings on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.user - - Registry.dest - - Registry.action - - Registry.registry_value_data - - Registry.process_guid - 
risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_rdp//fdenytsconnection-reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_rdp//fdenytsconnection-reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml index f945c369ac..ebbf87b79b 100644 --- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml +++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry Disable Restricted Admin id: cee573a0-7587-48e6-ae99-10e8c657e89a -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
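Review bot: the test `data` URL in the windows_modify_registry_disable_rdp tests hunk above still contains a doubled slash (`.../disable_rdp//fdenytsconnection-reg.log`); the line is being rewrapped anyway, so drop the extra `/` so the path follows the same layout as every other dataset URL in this PR. The removed `required_fields` list also listed `Registry.registry_key_name` twice, which is moot now that the field is gone, but it is worth checking that the `rba` block has not inherited similar duplication elsewhere in the file.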
@@ -14,10 +14,10 @@ description: The following analytic detects modifications to the Windows registr can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" - Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" + Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`' how_to_implement: To successfully implement this search, you must be ingesting data 
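Review bot: `Registry.registry_value_data = 0x00000000` in the rewrapped `WHERE` clause is the only value comparison in this PR left unquoted; the sibling detections write `Registry.registry_value_data="0x00000000"`, so quote it here for consistency and to avoid any surprise from the literal being tokenised differently. The trailing `| where isnotnull(registry_value_data)` is redundant once the `WHERE` already constrains that field to a value and can be dropped. Finally, the detection name says "Disable Restricted Admin" while the value matched is `0`; the description should state explicitly which state the key is in after that write, since a reader of the name alone would expect a non-zero value.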
@@ -35,47 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Modify Registry Disable Restricted Admin on $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 80 - impact: 80 - message: Windows Modify Registry Disable Restricted Admin on $dest$ by $user$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.user - - Registry.dest - - Registry.action - - Registry.registry_value_data - - Registry.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml index 5cfde44d06..74531253af 100644 --- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml 
@@ -1,16 +1,33 @@ name: Windows Modify Registry Disable Toast Notifications id: ed4eeacb-8d5a-488e-bc97-1ce6ded63b84 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" with a value set to "0x00000000". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system. +description: The following analytic detects modifications to the Windows registry + that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, + specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" + with a value set to "0x00000000". This activity is significant because disabling + toast notifications can prevent users from receiving critical system and application + updates, which adversaries like Azorult exploit for defense evasion. If confirmed + malicious, this action could allow attackers to operate undetected, leading to prolonged + persistence and potential further compromise of the system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_disable_toast_notifications_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ 
@@ -20,41 +37,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for DisallowRun settings was modified to enable on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for DisallowRun settings was modified to enable in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - 
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml index 03d7b63064..e9d22dcba0 100644 --- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml 
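Review bot: the `rba.message` carried over from the old `message` field in the toast-notifications rba hunk above is wrong for this detection: it says "the registry for DisallowRun settings was modified to enable on $dest$", but the search matches `...\PushNotifications\ToastEnabled` set to `0x00000000`, i.e. toast notifications disabled, and nothing in the file references DisallowRun. Since the block is being rewritten, replace it with something like `Windows toast notifications were disabled via registry (ToastEnabled=0) on $dest$` so the risk event describes the behaviour actually detected.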
@@ -1,16 +1,33 @@ name: Windows Modify Registry Disable Win Defender Raw Write Notif id: 0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender raw write notification feature. It leverages data + from the Endpoint.Registry datamodel, specifically monitoring changes to the registry + path associated with Windows Defender's real-time protection settings. This activity + is significant because disabling raw write notifications can allow malware, such + as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading + to undetected malicious activities. If confirmed malicious, this could enable attackers + to execute code, persist in the environment, and access sensitive information without + detection. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. Filter as needed. references: - https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The registry for raw write notification settings was modified to disable + on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: The registry for raw write notification settings was modified to disable in $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index 3b34e9b906..07bb7c9a7e 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml 
@@ -1,16 +1,33 @@ name: Windows Modify Registry Disable WinDefender Notifications id: 8e207707-ad40-4eb3-b865-3a52aec91f26 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" with a value of "0x00000001". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. 
-known_false_positives: administrators may enable or disable this feature that may cause some false positive. +description: The following analytic detects a suspicious registry modification aimed + at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry + data model, specifically looking for changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows + Defender Security Center\\Notifications\\DisableNotifications" with a value of "0x00000001". + This activity is significant as it indicates an attempt to evade detection by disabling + security alerts, a technique used by adversaries and malware like RedLine Stealer. + If confirmed malicious, this could allow attackers to operate undetected, increasing + the risk of further compromise and data exfiltration. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows + Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. 
references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: @@ -19,9 +36,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification to disable Windows Defender notification on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - CISA AA23-347A 
@@ -29,34 +58,17 @@ tags: asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 - confidence: 70 - impact: 70 - message: A registry modification to disable Windows Defender notification on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml index 5e334e2b9b..a5cfb1e84e 100644 --- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml 
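Review bot: the reflowed `how_to_implement` in windows_modify_registry_disable_windefender_notifications.yml still tells operators to populate the `Endpoint` datamodel in the `Processes` node, but the search reads `datamodel=Endpoint.Registry`; the field is being rewritten anyway, so change it to the `Registry` node and carry over the "make sure this registry key is monitored in your sysmon config" sentence the sibling detections use. The "CIM App 4.20 or higher" wording is also only present in this file; either drop it or apply it consistently.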
@@ -1,16 +1,33 @@ name: Windows Modify Registry Disable Windows Security Center Notif id: 27ed3e79-6d86-44dd-b9ab-524451c97a7b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" with a value of "0x00000000". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system. +description: The following analytic detects modifications to the Windows registry + aimed at disabling Windows Security Center notifications. It leverages data from + the Endpoint.Registry datamodel, specifically monitoring changes to the registry + path "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" with + a value of "0x00000000". This activity is significant as it can indicate an attempt + by adversaries or malware, such as Azorult, to evade defenses by suppressing critical + update notifications. If confirmed malicious, this could allow attackers to persist + undetected, potentially leading to further exploitation and compromise of the host + system. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_disable_windows_security_center_notif_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ 
@@ -20,42 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for security center notification settings was modified to + disable mode on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for security center notification settings was modified to disable mode in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml index 3eba5d75a6..fce52334a8 100644 --- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml +++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml 
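Review bot: the new `rba.message` in windows_modify_registry_disable_windows_security_center_notif.yml reads "was modified to disable mode on $dest$"; since the whole string is being rewritten, make it a sentence, e.g. "the Security Center notification setting (UseActionCenterExperience) was set to disabled on $dest$". Neither `references` entry (an unattend doc for `fAllowToGetHelp` and an any.run task) documents `UseActionCenterExperience`; add a source for that value so analysts can verify what the detection claims. `Registry.registry_path= "` in the search keeps a stray space after `=`; cosmetic, but the line is already touched.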
@@ -1,16 +1,32 @@ name: Windows Modify Registry DisableRemoteDesktopAntiAlias id: 4927c6f1-4667-42e6-bd7a-f5222116386b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry key "DisableRemoteDesktopAntiAlias" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. 
+description: The following analytic detects modifications to the Windows registry + key "DisableRemoteDesktopAntiAlias" with a value set to 0x00000001. This detection + leverages data from the Endpoint datamodel, specifically monitoring changes in the + Registry node. This activity is significant as it may indicate the presence of DarkGate + malware, which alters this registry setting to enhance its remote desktop capabilities. + If confirmed malicious, this modification could allow an attacker to maintain persistence + and control over the compromised host, potentially leading to further exploitation + and data exfiltration. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal + Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 + by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
@@ -19,40 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias + on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml index 46afcf51c3..8f73c6e429 100644 --- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml +++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml 
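Review bot: `Registry.registry_value_data = 0x00000001` in the DisableRemoteDesktopAntiAlias search is left unquoted while every other detection in this patch compares against the quoted string `"0x00000001"`; the reflow touches this exact line, so quote it for consistency and so the comparison is against the string the Registry data model stores rather than a bare token.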
@@ -1,16 +1,32 @@ name: Windows Modify Registry DisableSecuritySettings id: 989019b4-b7aa-418a-9a17-2293e91288b6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableSecuritySettings" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. 
+description: The following analytic detects modifications to the Windows registry + that disable security settings for Terminal Services. It leverages the Endpoint + data model, specifically monitoring changes to the registry path associated with + Terminal Services security settings. This activity is significant because altering + these settings can weaken the security posture of Remote Desktop Services, potentially + allowing unauthorized remote access. If confirmed malicious, such modifications + could enable attackers to gain persistent remote access to the system, facilitating + further exploitation and data exfiltration. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal + Services\\DisableSecuritySettings" Registry.registry_value_data = 0x00000001 by Registry.registry_path + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
@@ -19,41 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for terminal services settings was modified to disable security + settings on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkGate Malware - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for terminal services settings was modified to disable security settings on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disablesecuritysetting.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disablesecuritysetting.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml index 280bfce4e9..e71f0d6067 100644 --- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml +++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml 
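Review bot: same unquoted `Registry.registry_value_data = 0x00000001` in windows_modify_registry_disablesecuritysettings.yml; quote it as the other searches do. The description also never names the value being detected even though the search does (`*\\Terminal Services\\DisableSecuritySettings`), so state the key and value in the description the way the DisableRemoteDesktopAntiAlias description does.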
@@ -1,16 +1,31 @@ name: Windows Modify Registry Disabling WER Settings id: 21cbcaf1-b51f-496d-a0c1-858ff3070452 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to "0x00000001". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment. +description: The following analytic detects modifications in the Windows registry + to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring changes to registry paths related to WER with + a value set to "0x00000001". This activity is significant as adversaries may disable + WER to suppress error notifications, hiding the presence of malicious activities. + If confirmed malicious, this could allow attackers to operate undetected, potentially + leading to prolonged persistence and further exploitation within the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows + Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ 
@@ -20,42 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for WER settings was modified to be disabled on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for WER settings was modified to be disabled on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml index b202433525..5d3ad07dee 100644 --- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml +++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml 
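Review bot: `Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*"` ends in a wildcard, so any WER value whose name starts with "disable" and is set to 0x00000001 will fire, yet the description and the new `rba.message` ("the registry for WER settings was modified to be disabled") speak of a single setting; either enumerate the value names intended or say in the description that several WER switches are covered. The two `references` are the same Remote Assistance unattend doc and any.run task reused from the Security Center detection and do not document WER.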
@@ -1,16 +1,32 @@ name: Windows Modify Registry DisAllow Windows App id: 4bc788d3-c83a-48c5-a4e2-e0c6dba57889 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" with a value of "0x00000001". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host. +description: The following analytic detects modifications to the Windows registry + aimed at preventing the execution of specific computer programs. It leverages data + from the Endpoint.Registry datamodel, focusing on changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" + with a value of "0x00000001". This activity is significant as it can indicate an + attempt to disable security tools, a tactic used by malware like Azorult. If confirmed + malicious, this could allow an attacker to evade detection and maintain persistence + on the compromised host. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" + Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_disallow_windows_app_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. 
Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. Filter as needed. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: 
@@ -19,41 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The registry for DisallowRun settings was modified to enable on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 70 - impact: 70 - message: The registry for DisallowRun settings was modified to enable in $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml index 1020e15789..43107ef9e5 100644 --- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml +++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml 
@@ -1,16 +1,33 @@ name: Windows Modify Registry Do Not Connect To Win Update id: e09c598e-8dd0-4e73-b740-4b96b689199e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" with a value of "0x00000001". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. 
-known_false_positives: administrators may enable or disable this feature that may cause some false positive. +description: The following analytic detects a suspicious modification to the Windows + registry that disables automatic updates. It leverages data from the Endpoint datamodel, + specifically monitoring changes to the registry path + "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" + with a value of "0x00000001". This activity is significant as it can be used by + adversaries, including malware like RedLine Stealer, to evade detection and prevent + the system from receiving critical updates. If confirmed malicious, this could allow + attackers to exploit vulnerabilities, persist in the environment, and potentially + deploy additional payloads. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. 
references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations 
@@ -20,43 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a registry modification in Windows auto update configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - RedLine Stealer asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 - confidence: 50 - impact: 50 - message: a registry modification in Windows auto update configuration in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - 
Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml index ac4f909313..ae79d024f8 100644 --- a/detections/endpoint/windows_modify_registry_dontshowui.yml +++ b/detections/endpoint/windows_modify_registry_dontshowui.yml 
@@ -1,16 +1,32 @@ name: Windows Modify Registry DontShowUI id: 4ff9767b-fdf2-489c-83a5-c6c34412d72e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows Error Reporting registry key "DontShowUI" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. 
+description: The following analytic detects modifications to the Windows Error Reporting + registry key "DontShowUI" to suppress error reporting dialogs. It leverages data + from the Endpoint datamodel's Registry node to identify changes where the registry + value is set to 0x00000001. This activity is significant as it is commonly associated + with DarkGate malware, which uses this modification to avoid detection during its + installation. If confirmed malicious, this behavior could allow attackers to maintain + a low profile, avoiding user alerts and potentially enabling further malicious activities + without user intervention. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows + Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 by Registry.registry_path + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
@@ -19,40 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for WER settings was modified to be disable show UI on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for WER settings was modified to be disable show UI on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml index 0d934e7f42..893a5a8a45 100644 --- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml +++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry EnableLinkedConnections id: 93048164-3358-4af0-8680-aa5f38440516 -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -16,8 +16,8 @@ description: The following analytic detects a suspicious modification to the Win administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` 
@@ -36,43 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows EnableLinkedConnections configuration + on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - BlackByte Ransomware asset_type: Endpoint atomic_guid: - 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b - confidence: 70 - impact: 70 - message: A registry modification in Windows EnableLinkedConnections configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - 
Registry.action - - Registry.registry_value_data security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml index c5a9d20a27..3fa4ef921e 100644 --- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml +++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry LongPathsEnabled id: 36f9626c-4272-4808-aadd-267acce681c0 -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -15,11 +15,11 @@ description: The following analytic detects a modification to the Windows regist path limitations, potentially aiding in evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" - Registry.registry_value_data = "0x00000001") BY Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" + Registry.registry_value_data = "0x00000001") BY Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from 
@@ -35,43 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows LongPathEnable configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 16 + threat_objects: [] tags: analytic_story: - BlackByte Ransomware asset_type: Endpoint atomic_guid: - 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b - confidence: 40 - impact: 40 - message: A registry modification in Windows LongPathEnable configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 16 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - 
Registry.registry_value_data security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml index ff63454d93..c2891b41e5 100644 --- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml +++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml 
@@ -1,16 +1,33 @@ name: Windows Modify Registry MaxConnectionPerServer id: 064cd09f-1ff4-4823-97e0-45c2f5b087ec -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. 
-known_false_positives: Administrators may enable or disable this feature that may cause some false positive. +description: The following analytic identifies a suspicious modification of the Windows + registry setting for max connections per server. It detects changes to specific + registry paths using data from the Endpoint.Registry datamodel. This activity is + significant because altering this setting can be exploited by attackers to increase + the number of concurrent connections to a remote server, potentially facilitating + DDoS attacks or enabling more effective lateral movement within a compromised network. + If confirmed malicious, this could lead to network disruption or further compromise + of additional systems. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet + Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet + Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. 
references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. 
@@ -20,41 +37,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in max connection per server configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Warzone RAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: A registry modification in max connection per server configuration in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data security_domain: endpoint 
tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/maxconnectionperserver/registry_event.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/maxconnectionperserver/registry_event.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml index 569becd740..4441685f2c 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml 
@@ -1,16 +1,32 @@ name: Windows Modify Registry No Auto Reboot With Logon User id: 6a12fa9f-580d-4627-8c7f-313e359bdc6a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic detects a suspicious modification to the Windows + registry that disables automatic reboot with a logged-on user. This detection leverages + the Endpoint data model to identify changes to the registry path + `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers` + with a value of `0x00000001`. This activity is significant as it is commonly used + by adversaries, including malware like RedLine Stealer, to evade detection and maintain + persistence. If confirmed malicious, this could allow attackers to bypass security + measures and deploy additional payloads without interruption. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: 
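Review bot: the rewrapped `how_to_implement` still tells the reader to feed the `Endpoint` datamodel's `Processes` node, but the `search` in this same hunk queries `datamodel=Endpoint.Registry`; since the paragraph is being reflowed anyway, change it to the `Registry` node (the wording the ProxyEnable and ProxyServer detections already use) and tidy the "ingesting information on process that include" phrasing. The unchanged `references:` entry also points at the `de-de` locale of learn.microsoft.com; the `en-us` path of the same article is the expected form for this repo.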
@@ -19,43 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows auto update configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - RedLine Stealer asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 - confidence: 30 - impact: 30 - message: A registry modification in Windows auto update configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data 
- risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml index 950987e85b..6387793974 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_update.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml 
@@ -1,16 +1,31 @@ name: Windows Modify Registry No Auto Update id: fbd4f333-17bb-4eab-89cb-860fa2e0600e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic identifies a suspicious modification to the Windows + registry that disables automatic updates. It detects changes to the registry path + `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` with a value + of `0x00000001`. This activity is significant as it is commonly used by adversaries, + including malware like RedLine Stealer, to evade detection and maintain persistence. + If confirmed malicious, this could allow attackers to bypass security updates, leaving + the system vulnerable to further exploitation and potential zero-day attacks. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: 
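Review bot: same mismatch as in the NoAutoRebootWithLoggedOnUsers file: `how_to_implement` names the `Processes` node while the `search` reads `datamodel=Endpoint.Registry`. Suggest `... into the `Endpoint` datamodel in the `Registry` node` here as well, and the `de-de` reference URL should become the `en-us` path.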
@@ -19,9 +34,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows auto update configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - CISA AA23-347A 
@@ -29,34 +56,17 @@ tags: asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 - confidence: 70 - impact: 70 - message: A registry modification in Windows auto update configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml index f6f31ccaf5..fb5e6c54bc 100644 --- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml +++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry NoChangingWallPaper id: a2276412-e254-4e9a-9082-4d92edb6a3e0 -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -14,8 +14,8 @@ description: The following analytic detects modifications to the Windows registr to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" Registry.registry_value_data = 1) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) 
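Review bot: the reflowed `search` compares the value as `Registry.registry_value_data = 1`, while the sibling detections in this change (`NoAutoUpdate`, `scforceoption`) match the string `"0x00000001"`; worth confirming against the NoChangingWallPaper attack data that the CIM field really carries a bare `1` for this Sysmon EventID 13 record, or aligning the comparison with the other analytics so a DWORD rendered as `0x00000001` is not silently missed.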
@@ -34,40 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry settings was modified to disable changing of wallpaper on + $dest$. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Rhysida Ransomware asset_type: Endpoint - confidence: 60 - impact: 60 - message: the registry settings was modified to disable changing of wallpaper on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/no_changing_wallpaper/NoChangingWallPaper.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/no_changing_wallpaper/NoChangingWallPaper.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml index 219c3672db..ed648702e8 100644 --- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml +++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml 
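Review bot: the new `rba.message` carries the old text over verbatim, `the registry settings was modified to disable changing of wallpaper on $dest$.`, which is lowercase and ungrammatical next to the other analytics' messages (`A registry modification in ... on $dest$`); since the field is being relocated, suggest `The NoChangingWallPaper registry policy was set to disable wallpaper changes on $dest$` so the risk notable reads consistently.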
@@ -1,16 +1,30 @@ name: Windows Modify Registry on Smart Card Group Policy id: 1522145a-8e86-4f83-89a8-baf62a8f489d -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: Anomaly status: production -description: This analytic is developed to detect suspicious registry modifications targeting the "scforceoption" key. Altering this key enforces smart card login for all users, potentially disrupting normal access methods. Unauthorized changes to this setting could indicate an attempt to restrict access or force a specific authentication method, possibly signifying malicious intent to manipulate system security protocols. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\System\\scforceoption*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_on_smart_card_group_policy_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +description: This analytic is developed to detect suspicious registry modifications + targeting the "scforceoption" key. Altering this key enforces smart card login for + all users, potentially disrupting normal access methods. 
Unauthorized changes to + this setting could indicate an attempt to restrict access or force a specific authentication + method, possibly signifying malicious intent to manipulate system security protocols. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\System\\scforceoption*" + Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_on_smart_card_group_policy_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: 
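Review bot: `how_to_implement` again points at the `Processes` node although the `search` uses `datamodel=Endpoint.Registry`; change it to the `Registry` node while the text is being rewrapped. `known_false_positives` also starts with lowercase `administrators may enable ...`, unlike the capitalised sentence used in the neighbouring files.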
@@ -19,43 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows Smart Card Group Policy registry settings + on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - ShrinkLocker asset_type: Endpoint - confidence: 50 - impact: 50 - message: A registry modification in Windows Smart Card Group Policy registry settings on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.user - - Registry.dest - - Registry.action - - 
Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/smart_card_group_policy/scforceoption-reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/smart_card_group_policy/scforceoption-reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml index 6a1734c0aa..252cefbfba 100644 --- a/detections/endpoint/windows_modify_registry_proxyenable.yml +++ b/detections/endpoint/windows_modify_registry_proxyenable.yml 
@@ -1,16 +1,32 @@ name: Windows Modify Registry ProxyEnable id: b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry key "ProxyEnable" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "Internet Settings\ProxyEnable" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. 
+description: The following analytic detects modifications to the Windows registry + key "ProxyEnable" to enable proxy settings. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring changes to the "Internet Settings\ProxyEnable" + registry path. This activity is significant as it is commonly exploited by malware + and adversaries to establish proxy communication, potentially connecting to malicious + Command and Control (C2) servers. If confirmed malicious, this could allow attackers + to redirect network traffic through a proxy, facilitating unauthorized communication + and data exfiltration, thereby compromising the security of the affected host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet + Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 by Registry.registry_path + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
@@ -19,40 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry settings was modified to enable proxy on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry settings was modified to enable proxy on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml index 7e6f844128..573dcd0b1a 100644 --- a/detections/endpoint/windows_modify_registry_proxyserver.yml +++ b/detections/endpoint/windows_modify_registry_proxyserver.yml 
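Review bot: `rba.message` is moved over as `the registry settings was modified to enable proxy on $dest$.`, which mixes singular and plural and starts lowercase; suggest `The ProxyEnable registry value was set to 1 on $dest$` so it matches the form of the other `rba.message` strings in this change.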
@@ -1,16 +1,31 @@ name: Windows Modify Registry ProxyServer id: 12bdaa0b-3c59-4489-aae1-bff6d67746ef -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the "Internet Settings\\ProxyServer" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyServer" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. 
+description: The following analytic detects modifications to the Windows registry + key for setting up a proxy server. It leverages data from the Endpoint.Registry + datamodel, focusing on changes to the "Internet Settings\\ProxyServer" registry + path. This activity is significant as it can indicate malware or adversaries configuring + a proxy to facilitate unauthorized communication with Command and Control (C2) servers. + If confirmed malicious, this could allow attackers to establish persistent, covert + channels for data exfiltration or further exploitation of the compromised host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet + Settings\\ProxyServer" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_proxyserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive, however is not common. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: 
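Review bot: the reflowed `how_to_implement` and `known_false_positives` lines in this hunk (@@ -1,16 +1,31 @@) keep the original grammar problems even though the lines are being rewritten: "ingesting information on process that include the name of the process responsible for the changes" reads better as "ingesting registry events that include the name of the process responsible for the change", and "may cause some false positive, however is not common" as "may cause occasional false positives, but this is uncommon". That guidance matters here because the search only keys on `Registry.registry_path = "*\\Internet Settings\\ProxyServer"` and `where isnotnull(registry_value_data)`, so any write of a non-empty ProxyServer value, including a legitimate proxy change, produces an event.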
@@ -19,40 +34,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry settings was modified to setup proxy server on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkGate Malware asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry settings was modified to setup proxy server on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml index 956f20ea84..23415d8628 100644 --- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml +++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml 
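Review bot: the new `rba.message` in the proxyserver tail hunk (@@ -19,40 +34,36 @@) copies the old message's grammar problems; "the registry settings was modified to setup proxy server on $dest$." should read "The registry settings were modified to set up a proxy server on $dest$." The `score: 49` equals the removed `confidence: 70` times `impact: 70` divided by 100, so risk scoring is unchanged by the migration. `threat_objects: []` is left empty although the search groups by `Registry.process_guid` and `Registry.user`; confirm that is intentional rather than an omission.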
@@ -1,16 +1,47 @@ name: Windows Modify Registry Qakbot Binary Data Registry id: 2e768497-04e0-4188-b800-70dd2be0e30d -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the "SOFTWARE\\Microsoft\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system. +description: The following analytic detects the creation of a suspicious registry + entry by Qakbot malware, characterized by 8 random registry value names with encrypted + binary data. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on registry modifications under the "SOFTWARE\\Microsoft\\" + path by processes like explorer.exe. This activity is significant as it indicates + potential Qakbot infection, which uses the registry to store malicious code or configuration + data. If confirmed malicious, this could allow attackers to maintain persistence + and execute arbitrary code on the compromised system. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\*" AND Registry.registry_value_data = "Binary Data" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name="^[0-9a-fA-F]{8}" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("explorer.exe", "wermgr.exe","dxdiag.exe", "OneDriveSetup.exe", "mobsync.exe", "msra.exe", "xwizard.exe") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count dc(registry_value_name) as + registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\*" + AND Registry.registry_value_data = "Binary Data" by _time span=1m Registry.dest + Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` + | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len + = len(registry_value_name) | regex registry_value_name="^[0-9a-fA-F]{8}" | where + registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, + _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name IN ("explorer.exe", "wermgr.exe","dxdiag.exe", "OneDriveSetup.exe", + "mobsync.exe", "msra.exe", "xwizard.exe") by _time span=1m Processes.process_id + Processes.process_name Processes.process Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` + ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) + as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) + by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` + | 
`security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/ 
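Review bot: the description in this hunk (@@ -1,16 +1,47 @@) says the entry is "characterized by 8 random registry value names", but the search enforces `registry_value_name_len == 8` together with `regex registry_value_name="^[0-9a-fA-F]{8}"` and only fires at `registry_value_name_count >= 5`, so the text should say "8-character hexadecimal registry value names" and mention the threshold of five distinct names; as written a reader expects eight names. The `join process_guid, _time` against Endpoint.Processes is performed after both sides are bucketed with `by _time span=1m`, so the registry writes only join to a process-creation event that falls in the same one-minute bucket; that constraint should be spelled out in `how_to_implement` alongside the EDR field requirements.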
@@ -20,50 +51,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry with binary data created by $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 70 - impact: 70 - message: Registry with binary data created by $process_name$ on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - user - - parent_process_name - - parent_process - - process_name - - process_path - - process - - proc_guid - - registry_path - - registry_value_name - - registry_value_data - - process_id - - registry_key_name - - registry_key_name_len - - 
registry_value_name_len - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml index f9997cd0cb..b434791ec5 100644 --- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml +++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml 
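Review bot: the test in the qakbot tail hunk (@@ -20,50 +51,36 @@) drops `update_timestamp: true`, so the replayed `sysmon.log` keeps its original timestamps; because the search buckets and joins on `_time span=1m`, confirm the test still reaches `registry_value_name_count >= 5` without the timestamp rewrite. The new `rba.message` references `$process_name$`, which the search groups by, yet `threat_objects: []` is empty; consider whether process_name belongs there. The removed `required_fields` list named `proc_guid`, which the search never used (it uses `process_guid`), so dropping that list also removes a stale entry.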
@@ -1,18 +1,40 @@ name: Windows Modify Registry Regedit Silent Reg Import id: 824dd598-71be-4203-bc3b-024f4cda340e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the modification of the Windows registry using the regedit.exe application with the silent mode parameter. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because the silent mode allows registry changes without user confirmation, which can be exploited by adversaries to import malicious registry settings. If confirmed malicious, this could enable attackers to persist in the environment, escalate privileges, or manipulate system configurations, leading to potential system compromise. +description: The following analytic detects the modification of the Windows registry + using the regedit.exe application with the silent mode parameter. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant because the silent mode allows + registry changes without user confirmation, which can be exploited by adversaries + to import malicious registry settings. If confirmed malicious, this could enable + attackers to persist in the environment, escalate privileges, or manipulate system + configurations, leading to potential system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="regedit.exe" OR Processes.original_file_name="regedit.exe") AND Processes.process="* /s *" AND Processes.process="*.reg*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may execute this command that may cause some false positive. Filter as needed. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name="regedit.exe" OR Processes.original_file_name="regedit.exe") + AND Processes.process="* /s *" AND Processes.process="*.reg*" by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may execute this command that may cause some + false positive. Filter as needed. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe 
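Review bot: the `search` in this hunk (@@ -1,18 +1,40 @@) matches `Processes.process="* /s *"`, which requires a space after `/s`, so an invocation where `/s` is the final token of the command line (the .reg path given first) is not matched; either extend the pattern to cover `/s` at the end of the line or record the limitation in `known_false_positives`. The description refers to "the silent mode parameter" without naming it; since the search keys on `/s`, say so there, and the `IN`-style quoting in `Processes.process="*.reg*"` should note that it matches the extension anywhere in the command line, not only as the imported file.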
@@ -22,46 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The regedit app was executed with silet mode parameter to import .reg file + on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 70 - impact: 70 - message: The regedit app was executed with silet mode parameter to import .reg file on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml index 41f59e8de0..ead7638542 100644 --- a/detections/endpoint/windows_modify_registry_risk_behavior.yml +++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml 
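Review bot: the new `rba.message` in the regedit tail hunk (@@ -22,46 +44,37 @@) carries the typo "silet mode" over from the removed `tags.message`; while the line is being rewritten, make it "The regedit app was executed with the silent mode parameter to import a .reg file on $dest$." The removed `required_fields` listed `Processes.parent_process_path` and `Processes.process_path`, neither of which the search selects, so nothing the search depends on is lost.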
@@ -1,15 +1,38 @@ name: Windows Modify Registry Risk Behavior id: 5eb479b1-a5ea-4e01-8365-780078613776 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] -description: The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | 
`windows_modify_registry_risk_behavior_filter`' -how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. +description: The following analytic identifies instances where three or more distinct + registry modification events associated with MITRE ATT&CK Technique T1112 are detected. + It leverages data from the Risk data model in Splunk, focusing on registry-related + sources and MITRE technique annotations. This activity is significant because multiple + registry modifications can indicate an attempt to persist, hide malicious configurations, + or erase forensic evidence. If confirmed malicious, this behavior could allow attackers + to maintain persistent access, execute malicious code, and evade detection, posing + a severe threat to the integrity and security of the affected host. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") + All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 3 | `windows_modify_registry_risk_behavior_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased base + on internal testing. In addition, based on false positives, modify any analytics + to be anomaly and lower or increase risk based on organization importance. +known_false_positives: False positives will be present based on many factors. Tune + the correlation as needed to reduce too many triggers. references: - https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html - https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html 
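Review bot: `how_to_implement` in this hunk (@@ -1,15 +1,38 @@) still reads "may need to be increased base on internal testing" (should be "based on"), and it recommends a lab count of 4 or 5 while the description says "three or more" and the search uses `where source_count >= 3`; align the text so the shipped default and the guidance agree, for example by stating that 3 is the default threshold and that 4 or 5 reduced noise in lab testing.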
@@ -21,39 +44,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 70 - message: An increase of Windows Modify Registry behavior has been detected on $risk_object$ mitre_attack_id: - T1112 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/modify_reg_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/modify_reg_risk.log source: mod_reg sourcetype: stash diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml index ec93b20920..fa8c764a16 100644 --- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml +++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml 
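Review bot: the risk-behavior tail hunk (@@ -21,39 +44,29 @@) removes `confidence`, `impact`, `risk_score`, `observable` and `message` from `tags` but, unlike the Anomaly detections in this patch, adds no `rba:` block, so the message "An increase of Windows Modify Registry behavior has been detected on $risk_object$" disappears from the detection entirely. If Correlation-type detections are not meant to carry `rba`, say so in the PR description; otherwise add the block with a risk object on `risk_object` so the message survives.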
@@ -1,16 +1,32 @@ name: Windows Modify Registry Suppress Win Defender Notif id: e3b42daf-fff4-429d-bec8-2a199468cea9 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the "Notification_Suppress" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools. +description: The following analytic detects modifications in the Windows registry + to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry + datamodel, specifically targeting changes to the "Notification_Suppress" registry + value. This activity is significant because adversaries, including those deploying + Azorult malware, use this technique to bypass Windows Defender and disable critical + notifications. If confirmed malicious, this behavior could allow attackers to evade + detection, maintain persistence, and execute further malicious activities without + alerting the user or security tools. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. 
+known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ 
@@ -20,42 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for suppresing windows fdefender notification settings was + modified to disabled on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult - CISA AA23-347A asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - 
risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml index 883688b690..c047de49e9 100644 --- a/detections/endpoint/windows_modify_registry_tamper_protection.yml +++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml 
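Review bot: the new `rba.message` in this hunk carries two typos that will surface verbatim in the risk notable: "suppresing windows fdefender notification settings was modified to disabled on $dest$". Suggest "the registry value for suppressing Windows Defender notifications was set to disabled on $dest$". Since this hunk is the one that moves the message out of `tags` and into `rba`, it is the right place to fix the wording rather than carrying the old typo forward.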
@@ -1,16 +1,33 @@ name: Windows Modify Registry Tamper Protection id: 12094335-88fc-4c3a-b55f-e62dd8c93c23 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic detects a suspicious modification to the Windows + Defender Tamper Protection registry setting. It leverages data from the Endpoint + datamodel, specifically targeting changes where the registry path is set to disable + Tamper Protection. This activity is significant because disabling Tamper Protection + can allow adversaries to make further undetected changes to Windows Defender settings, + potentially leading to reduced security on the system. If confirmed malicious, this + could enable attackers to evade detection, persist in the environment, and execute + further malicious activities without interference from Windows Defender. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows + Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
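Review bot: the reflowed `how_to_implement` still tells operators to populate the `Processes` node of the `Endpoint` datamodel, but the search in this same hunk reads exclusively from `datamodel=Endpoint.Registry` and groups by `Registry.*` fields. The sentence should reference the `Registry` node (as the suppress-notification detection earlier in this patch already does), otherwise someone following the instructions can have the wrong node populated and get no results.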
@@ -19,43 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification to tamper Windows Defender protection on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - RedLine Stealer asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 - confidence: 70 - impact: 70 - message: A registry modification to tamper Windows Defender protection on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - 
Registry.registry_value_data - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index 0f47593750..d5c5b2aa5e 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml 
@@ -8,18 +8,18 @@ data_source: - Sysmon EventID 14 type: Anomaly status: production -description: The following analytic detects a potential addition or modification of firewall rules, - signaling possible configuration changes or security policy adjustments. It tracks commands such as - netsh advfirewall firewall add rule and netsh advfirewall firewall set rule, which may indicate attempts - to alter network access controls. Monitoring these actions ensures the integrity of firewall settings and - helps prevent unauthorized network access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.action = modified - BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user Registry.action - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_to_add_or_modify_firewall_rule_filter`' +description: The following analytic detects a potential addition or modification of + firewall rules, signaling possible configuration changes or security policy adjustments. + It tracks commands such as netsh advfirewall firewall add rule and netsh advfirewall + firewall set rule, which may indicate attempts to alter network access controls. + Monitoring these actions ensures the integrity of firewall settings and helps prevent + unauthorized network access. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.action + = modified BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.dest Registry.user + Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_to_add_or_modify_firewall_rule_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official 
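Review bot: the reflowed description says the analytic "tracks commands such as netsh advfirewall firewall add rule and netsh advfirewall firewall set rule", but the search does not inspect any process command line; it watches registry writes under `SharedAccess\Parameters\FirewallPolicy\FirewallRules\*` with `Registry.action = modified`. Suggest rewording to say it detects the registry changes those commands (and equivalent API or PowerShell calls) produce, so an analyst does not expect a `process` field in the results.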
@@ -34,46 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: firewall deletion found in registry on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - ShrinkLocker - CISA AA24-241A asset_type: Endpoint - confidence: 50 - impact: 50 - message: firewall deletion found in registry in $dest$ mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - 
Registry.process_guid - - Registry.action - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml index 751e8632c2..9ba24b6408 100644 --- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml +++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml 
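Review bot: the `rba.message` introduced in this hunk, "firewall deletion found in registry on $dest$", does not match the detection, which is named "add or modify firewall rule" and filters on `Registry.action = modified`. The old `tags.message` had the same mismatch, but since the message is being moved it should be corrected to something like "firewall rule added or modified in registry on $dest$". Including `$registry_value_name$` would also make the notable actionable without a drilldown.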
@@ -1,16 +1,32 @@ name: Windows Modify Registry UpdateServiceUrlAlternate id: ca4e94fb-7969-4d63-8630-3625809a1f70 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic detects a suspicious modification to the Windows + Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate + setting. It leverages data from the Endpoint.Registry datamodel to identify changes + to this registry path. This activity is significant because adversaries, including + malware like RedLine Stealer, exploit this technique to bypass detection and deploy + additional payloads. If confirmed malicious, this modification could allow attackers + to redirect update services, potentially leading to the execution of malicious code, + further system compromise, and persistent evasion of security defenses. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: 
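Review bot: same issue as in the tamper protection file: `how_to_implement` refers to the `Processes` node, while the search reads only `datamodel=Endpoint.Registry`. Change "in the `Processes` node" to "in the `Registry` node" so the three Windows Update detections in this patch give consistent implementation guidance.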
@@ -19,41 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification in Windows auto update configuration on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - RedLine Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A registry modification in Windows auto update configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml index 1e02e0ac7f..c2e2bde913 100644 --- a/detections/endpoint/windows_modify_registry_usewuserver.yml +++ b/detections/endpoint/windows_modify_registry_usewuserver.yml 
@@ -1,50 +1,49 @@ name: Windows Modify Registry USeWuServer id: c427bafb-0b2c-4b18-ad85-c03c6fed9e75 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to "0x00000001." This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic detects a suspicious modification to the Windows + Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry + data model to identify changes where the registry value is set to "0x00000001." + This activity is significant because it is commonly used by adversaries, including + malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit + zero-day vulnerabilities. If confirmed malicious, this modification could allow + attackers to evade defenses, persist on the target host, and deploy additional malicious + payloads. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. 
references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: analytic_story: - RedLine Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: a registry modification in Windows auto update configuration in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml index e59c2ab54f..f7f623b1bc 100644 --- a/detections/endpoint/windows_modify_registry_utilize_progids.yml +++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml 
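Review bot: the `how_to_implement` text in this hunk again points at the `Processes` node even though the search is `datamodel=Endpoint.Registry` on `Registry.registry_path` and `Registry.registry_value_data`; it should say `Registry`. Separately, the description's claim that setting `UseWUServer` to 1 is used "to potentially exploit zero-day vulnerabilities" is not supported by the single Microsoft reference listed; pointing the client at a non-Microsoft WSUS server redirects update traffic, which is the behaviour worth stating plainly. Note that, as a `Hunting` detection, this file correctly has no `rba` block added.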
@@ -1,15 +1,30 @@ name: Windows Modify Registry Utilize ProgIDs id: 64fa82dd-fd11-472a-9e94-c221fffa591d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: Anomaly status: production -description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypass User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)" BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_utilize_progids_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +description: The following analytic detects modifications to the Windows Registry + specifically targeting Programmatic Identifier associations to bypass User Account + Control (UAC) Windows OS feature. 
ValleyRAT may create or alter registry entries + to targetted progIDs like `.pwn` files with malicious processes, allowing it to + execute harmful scripts or commands when these files are opened. By monitoring for + unusual changes in registry keys linked to ProgIDs, this detection enables security + analysts to identify potential threats like ValleyRAT execution attempts. Early + detection of these modifications helps mitigate unauthorized execution and prevents + further exploitation of the system. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)" BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_utilize_progids_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
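Review bot: the search in this hunk pipes through `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the `tstats` only computes `count`, so `firstTime` and `lastTime` never exist and the macros operate on empty fields. Either add `min(_time) as firstTime max(_time) as lastTime` to the `tstats` clause (as the other detections in this patch do) or drop the two `ctime` macro calls. Also "targetted progIDs" in the reflowed description should be "targeted ProgIDs".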
@@ -21,43 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A possible ValleyRAT Registry modification in [$dest$]. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - ValleyRAT asset_type: Endpoint - confidence: 70 - impact: 70 - message: A possible ValleyRAT Registry modification in [$dest$]. 
mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml index c7bca4ca0b..578bbc1b8d 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml 
@@ -1,15 +1,32 @@ name: Windows Modify Registry ValleyRAT C2 Config id: ac59298a-8d81-4c02-8c9b-ffdac993891f -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: TTP status: production -description: "The following analytic detects modifications to theregistry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware\u2019s ability to exfiltrate data or control infected systems." -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Console\\IpDateInfo" AND Registry.registry_value_data="Binary Data") OR (Registry.registry_path= "*\\Console\\SelfPath" AND Registry.registry_value_data="*.exe") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_c2_config_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. 
https://splunkbase.splunk.com/app/5709 +description: The following analytic detects modifications to theregistry related to + ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys + where ValleyRAT saves the IP address and port information of its command-and-control + (C2) server. This activity is a key indicator of ValleyRAT attempting to establish + persistent communication with its C2 infrastructure. By identifying these unauthorized + registry modifications, security analysts can quickly detect malicious configurations + and investigate the associated threats. Early detection of these changes helps prevent + further exploitation and limits the malware’s ability to exfiltrate data or control + infected systems. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\Console\\IpDateInfo" AND Registry.registry_value_data="Binary + Data") OR (Registry.registry_path= "*\\Console\\SelfPath" AND Registry.registry_value_data="*.exe") + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.registry_hive + Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_c2_config_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
@@ -20,43 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification related to ValleyRAT on [$dest$] + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - ValleyRAT asset_type: Endpoint - confidence: 100 - impact: 90 - message: A registry modification related to ValleyRAT on [$dest$] mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - 
Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml index aa14321c67..1f0d757c88 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml 
@@ -1,15 +1,30 @@ name: Windows Modify Registry ValleyRat PWN Reg Entry id: 6947c44e-be1f-4dd9-b198-bc42be5be196 -version: 4 -date: '2024-12-08' +version: 6 +date: '2024-12-16' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 type: TTP status: production -description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +description: The following analytic detects modifications to the Windows Registry + specifically targeting `.pwn` file associations related to the ValleyRAT malware. 
+ ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious + processes, allowing it to execute harmful scripts or commands when these files are + opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, + this detection enables security analysts to identify potential ValleyRAT infection + attempts. Early detection of these modifications helps mitigate unauthorized execution + and prevents further exploitation of the system. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data + = ".pwn") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
@@ -20,43 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A possible ValleyRAT Registry modification in [$dest$]. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - ValleyRAT asset_type: Endpoint - confidence: 100 - impact: 90 - message: A possible ValleyRAT Registry modification in [$dest$]. 
mitre_attack_id: - T1112 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml index 2777250234..7e1490ba4b 100644 --- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml +++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml 
@@ -1,15 +1,34 @@ name: Windows Modify Registry With MD5 Reg Key Name id: 4662c6b1-0754-455e-b9ff-3ee730af3ba8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, "\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,"^[0-9a-fA-F]{32}$"),"md5","nonmd5") | where validation_result = "md5" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name 
of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +description: The following analytic detects potentially malicious registry modifications + characterized by MD5-like registry key names. It leverages the Endpoint data model + to identify registry entries under the SOFTWARE path with 32-character hexadecimal + names, a technique often used by NjRAT malware for fileless storage of keylogs and + .DLL plugins. This activity is significant as it can indicate the presence of NjRAT + or similar malware, which can lead to unauthorized data access and persistent threats + within the environment. If confirmed malicious, attackers could maintain persistence + and exfiltrate sensitive information. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path + = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data" by Registry.dest + Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path + = split(registry_path, "\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) + | eval validation_result= if(match(registry_value_name,"^[0-9a-fA-F]{32}$"),"md5","nonmd5") + | where validation_result = "md5" AND dropped_reg_path_split_count <= 5 | table + dest user registry_path registry_value_name registry_value_data registry_key_name + reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the 
`Filesystem` node. known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat 
@@ -19,41 +38,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A md5 registry value name $registry_value_name$ is created on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - NjRAT asset_type: Endpoint - confidence: 60 - impact: 60 - message: A md5 registry value name $registry_value_name$ is created on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_reg_binary.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_reg_binary.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml index acc604be92..e3294e8379 100644 --- a/detections/endpoint/windows_modify_registry_wuserver.yml +++ b/detections/endpoint/windows_modify_registry_wuserver.yml 
@@ -1,50 +1,49 @@ name: Windows Modify Registry WuServer id: a02ad386-e26d-44ce-aa97-6a46cee31439 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 13 -description: The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may enable or disable this feature that may cause some false positive. +description: The following analytic detects suspicious modifications to the Windows + Update Server (WUServer) registry settings. 
It leverages data from the Endpoint.Registry + data model to identify changes in the registry path associated with Windows Update + configurations. This activity is significant because adversaries, including malware + like RedLine Stealer, exploit this technique to bypass detection and deploy additional + payloads. If confirmed malicious, this registry modification could allow attackers + to evade defenses, potentially leading to further system compromise and persistent + unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. 
references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: analytic_story: - RedLine Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A registry modification in Windows auto update configuration on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml index a98858f7b5..21b08b4834 100644 --- a/detections/endpoint/windows_modify_registry_wustatusserver.yml +++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml 
@@ -1,50 +1,49 @@ name: Windows Modify Registry wuStatusServer id: 073e69d0-68b2-4142-aa90-a7ee6f590676 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 13 -description: The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. 
+description: The following analytic identifies suspicious modifications to the Windows + Update configuration registry, specifically targeting the WUStatusServer key. It + leverages data from the Endpoint datamodel to detect changes in the registry path + associated with Windows Update settings. This activity is significant as it is commonly + used by adversaries, including malware like RedLine Stealer, to bypass detection + and deploy additional payloads. If confirmed malicious, this modification could + allow attackers to evade defenses, potentially leading to further system compromise + and persistent unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. 
references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: analytic_story: - RedLine Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: a registry modification in Windows auto update configuration in $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index 2fac0d45a1..706922d648 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml 
@@ -5,13 +5,20 @@ date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "ShowCompColor" and "ShowInfoTip" values under the "Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities. +description: The following analytic detects suspicious modifications to the Windows + registry keys related to file compression color and information tips. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + "ShowCompColor" and "ShowInfoTip" values under the "Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" + path. This activity is significant as it was observed in the Hermetic Wiper malware, + indicating potential malicious intent to alter file attributes and user interface + elements. If confirmed malicious, this could signify an attempt to manipulate file + visibility and deceive users, potentially aiding in further malicious activities. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" - AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY - Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" + AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`' 
@@ -28,9 +35,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Registry modification in "ShowCompColor" and "ShowInfoTips" on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Destruction 
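Review bot: the new `rba.message` reads `Registry modification in "ShowCompColor" and "ShowInfoTips" on $dest$`, but the search in the hunk above matches `Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")`, so the value name is `ShowInfoTip` (singular). The old `message:` carried the same typo; moving it into `rba` is the moment to correct it, and since `Registry.registry_value_name` and `Registry.registry_value_data` are both in the `BY` clause, interpolating `$registry_value_name$` and `$registry_value_data$` would tell the analyst which value changed and to what.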
@@ -38,33 +57,17 @@ tags: - Windows Registry Abuse - Hermetic Wiper asset_type: Endpoint - confidence: 50 - impact: 50 - message: Registry modification in "ShowCompColor" and "ShowInfoTips" on $dest$ mitre_attack_id: - T1112 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml index dbc20481fd..3ace7c862d 100644 --- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml +++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml @@ -1,7 +1,7 @@ name: Windows Modify System Firewall with Notable Process Path id: cd6d7410-9146-4471-a418-49edba6dadc4 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Will Metcalf, Splunk status: production type: TTP 
@@ -55,41 +55,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: firewall allowed program commandline $process$ of $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - NjRAT - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: firewall allowed program commandline $process$ of $process_name$ on $dest$ mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml index d105ab9d2b..5906eedfab 100644 --- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml +++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml 
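Review bot: `threat_objects: []` is inconsistent with the message, which interpolates `$process$` and `$process_name$`; the MOF hunk below lists `- field: process_name` / `type: process_name` under `threat_objects`, so do the same here (the removed `required_fields` entries `Processes.process_name` and `Processes.process` confirm both fields are produced by the search).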
@@ -1,7 +1,7 @@ name: Windows MOF Event Triggered Execution via WMI id: e59b5a73-32bf-4467-a585-452c36ae10c1 -version: '6' -date: '2024-11-28' +version: 8 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
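Review bot: `version` jumps from `'6'` to `8` here, while every other detection in this patch bumps by exactly one (`3` to `4`, `'4'` to `5`); confirm the skipped 7 is intentional rather than a typo, since the version number is what downstream consumers use to notice a changed detection.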
@@ -55,57 +55,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ loading a MOF file. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ loading a MOF file. mitre_attack_id: - T1546.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
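Review bot: the test entry loses `- update_timestamp: true` with no replacement, here and in the MSExchange and Mshta-in-registry hunks further down; if that key has been retired in the contentctl version this patch installs, say so in the commit message, otherwise (assuming it controls whether replayed attack_data events are re-timestamped to the replay time) the `tstats` search run over a bounded window during `contentctl test` may see no events and the true-positive test will silently stop exercising the detection.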
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml index 0aadd4c361..47eebe3109 100644 --- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml +++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml 
@@ -1,58 +1,68 @@ name: Windows MOVEit Transfer Writing ASPX id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: TTP data_source: - Sysmon EventID 11 -description: The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints 
into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. +description: The following analytic detects the creation of new ASPX files in the + MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on + process and filesystem activity to identify processes responsible for creating these + files. This activity is significant as it may indicate exploitation of a critical + zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious + ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive + data, including user credentials and file metadata, posing a severe risk to the + organization's security. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name + Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| + tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") + Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN + ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time + Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | + fields _time dest file_create_time file_name file_path process_name process_path + process] | dedup file_create_time | table dest file_create_time, file_name, file_path, + process_name | `windows_moveit_transfer_writing_aspx_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + 
on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` + node. +known_false_positives: The query is structured in a way that `action` (read, create) + is not defined. Review the results of this query, filter, and tune as necessary. + It may be necessary to generate this query specific to your endpoint product. references: - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft +rba: + message: The MOVEit application on $dest$ has written a new ASPX file to disk. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - MOVEit Transfer Critical Vulnerability asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 100 - message: The MOVEit application on $dest$ has written a new ASPX file to disk. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - Filesystem.file_path - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_hash - - Filesystem.user - - Filesystem.file_create_time - - Processes.process_id - - Processes.process_name - - Processes.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml index e57386c614..5e1bac285c 100644 --- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml +++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml 
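Review bot: the reflowed search still joins on a field that neither side produces: `join process_guid, _time [` follows `by _time span=1h Processes.process_id Processes.process_name Processes.dest`, and the subsearch ends with `fields _time dest file_create_time file_name file_path process_name process_path process` even though its own `by` clause only carries `Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path`. Since this version bump rewrites the `search:` line anyway, add `Processes.process_guid` and `Filesystem.process_guid` to the respective `by` clauses (or join on `dest, _time`) so the join has a key, and while there drop the duplicated reddit URL from `references` and fix "ingesting information on process that include" in `how_to_implement` to "ingesting process information that includes".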
@@ -1,18 +1,32 @@ name: Windows MSExchange Management Mailbox Cmdlet Usage id: 396de86f-25e7-4b0e-be09-a330be35249d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation. +description: The following analytic identifies suspicious Cmdlet usage in Exchange + Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. + It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell + and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized + access or manipulation of mailboxes and roles, which are critical for maintaining + email security. If confirmed malicious, attackers could export mailbox data, assign + new roles, or search mailboxes, leading to data breaches and privilege escalation. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`' -how_to_implement: The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype. -known_false_positives: False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed. +search: '`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", + "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") + | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`' +how_to_implement: The following analytic requires collecting the Exchange Management + logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. + We used multiline as the XML format of the logs will require props/transforms. Multiline + gives us everything we need in Message for now. Update the macro with your correct + sourcetype. +known_false_positives: False positives may be present when an Administrator utilizes + the cmdlets in the query. Filter or monitor as needed. 
references: - https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178 drilldown_searches: 
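Review bot: the reflowed `how_to_implement` carries the original grammar over ("via a input. An example inputs is here ..."); since the line is being rewritten for version 4, make it "via an input. An example inputs.conf is here ..." (assuming the gist is an inputs.conf stanza), and name the sourcetype the `msexchange_management` macro should be pointed at, since the test block below already pins `sourcetype: MSExchange:management`.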
@@ -21,40 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Cmdlets related to ProxyShell and ProxyNotShell have been identified on + $dest$. + risk_objects: + - field: dest + type: system + score: 32 + threat_objects: [] tags: analytic_story: - ProxyShell - BlackByte Ransomware - ProxyNotShell asset_type: Endpoint - confidence: 80 - impact: 40 - message: Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$. 
mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Message - - dest - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log source: WinEventLog:MSExchange Management sourcetype: MSExchange:management - update_timestamp: true diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml index c471b7bf66..33625d809f 100644 --- a/detections/endpoint/windows_mshta_execution_in_registry.yml +++ b/detections/endpoint/windows_mshta_execution_in_registry.yml 
@@ -1,15 +1,32 @@ name: Windows Mshta Execution In Registry id: e13ceade-b673-4d34-adc4-4d9c01729753 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing "mshta," "javascript," "vbscript," or "WScript.Shell." This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security. +description: The following analytic detects the execution of mshta.exe via registry + entries to run malicious scripts. It leverages registry activity logs to identify + entries containing "mshta," "javascript," "vbscript," or "WScript.Shell." This behavior + is significant as it indicates potential fileless malware, such as Kovter, which + uses encoded scripts in the registry to persist and execute without files. If confirmed + malicious, this activity could allow attackers to maintain persistence, execute + arbitrary code, and evade traditional file-based detection methods, posing a significant + threat to system integrity and security. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = "*mshta*" OR Registry.registry_value_data IN ("*javascript:*", "*vbscript:*","*WScript.Shell*") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data + = "*mshta*" OR Registry.registry_value_data IN ("*javascript:*", "*vbscript:*","*WScript.Shell*") + by Registry.registry_key_name Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data + used for this search is typically generated via logs that report reads and writes + to the registry. known_false_positives: unknown references: - https://redcanary.com/threat-detection-report/techniques/mshta/ 
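Review bot: `known_false_positives: unknown` is left untouched while the search matches any `Registry.registry_value_data` containing the substrings `*mshta*`, `*javascript:*`, `*vbscript:*` or `*WScript.Shell*`; these occur in legitimate registry data (for example the `htafile` shell open command handler and scripting file associations), so as the file is being revised for version 4 either document the expected benign hits and point to `windows_mshta_execution_in_registry_filter` for tuning, or constrain `Registry.registry_path` to the autostart locations the Kovter reference describes. Minor: `Registry.user| \`drop_dm_object_name(Registry)\`` is missing the space before the pipe.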
@@ -20,45 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry $registry_path$ contains mshta $registry_value_data$ on $dest$ + risk_objects: + - field: dest + type: system + score: 72 + - field: user + type: user + score: 72 + threat_objects: [] tags: analytic_story: - Suspicious Windows Registry Activities - Windows Persistence Techniques asset_type: Endpoint - confidence: 90 - impact: 80 - message: A registry $registry_path$ contains mshta $registry_value_data$ in $dest$ mitre_attack_id: - T1218.005 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - 
Registry.registry_path - - Registry.dest - - Registry.registry_value_data - - Registry.action - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml index e73e8b7050..29db36c412 100644 --- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml +++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml 
@@ -1,16 +1,44 @@ name: Windows MSHTA Writing to World Writable Path id: efbcf8ee-bc75-47f1-8985-a5c638c4faf0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 11 type: TTP status: production -description: The following analytic identifies instances of `mshta.exe` writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by `mshta.exe` to directories like `C:\Windows\Tasks` and `C:\Windows\Temp`. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information. -search: '`sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") | rename Computer as dest, User as user | stats count min(_time) as 
firstTime max(_time) as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`' -how_to_implement: The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed. -known_false_positives: False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives. +description: The following analytic identifies instances of `mshta.exe` writing files + to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file + write operations by `mshta.exe` to directories like `C:\Windows\Tasks` and `C:\Windows\Temp`. + This activity is significant as it often indicates an attempt to establish persistence + or execute malicious code, deviating from the utility's legitimate use. If confirmed + malicious, this behavior could lead to the execution of multi-stage payloads, potentially + resulting in full system compromise and unauthorized access to sensitive information. 
+search: '`sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", + "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", + "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", + "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", + "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", + "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", + "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp + and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", + "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp + and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") + | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) + as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`' +how_to_implement: The analytic is designed to be run against Sysmon event logs collected + from endpoints. The analytic requires the Sysmon event logs to be ingested into + Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the + TargetFilename is within world-writable directories such as `C:\Windows\Tasks`, + `C:\Windows\Temp`, and others. The detection is designed to catch the initial file + write operation by `mshta.exe` to these locations, which is indicative of an attempt + to establish persistence or execute malicious code. 
The analytic can be modified + to include additional world-writable directories as needed. +known_false_positives: False positives may occur if legitimate processes are writing + to world-writable directories. It is recommended to investigate the context of the + file write operation to determine if it is malicious or not. Modify the search to + include additional known good paths for `mshta.exe` to reduce false positives. references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader 
@@ -20,9 +48,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $Image$ writing to $TargetFilename$ was detected on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: Image + type: file_name tags: analytic_story: - APT29 Diplomatic Deceptions with WINELOADER 
@@ -32,35 +74,18 @@ tags: - Cozy Bear - Midnight Blizzard asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $Image$ writing to $TargetFilename$ was detected on $dest$. mitre_attack_id: - T1218.005 - observable: - - name: Image - type: File Name - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - dest - - user - - Image - - TargetFilename - risk_score: 64 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml index 68dc424b51..862e6c9f89 100644 --- a/detections/endpoint/windows_msiexec_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml 
@@ -1,18 +1,39 @@ name: Windows MSIExec DLLRegisterServer id: fdb59aef-d88f-4909-8369-ec2afbd2c398 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. +description: The following analytic detects the execution of msiexec.exe with the + /y switch parameter, which enables the loading of DLLRegisterServer. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + command-line arguments and parent-child process relationships. This activity is + significant because it can indicate an attempt to register malicious DLLs, potentially + leading to code execution or persistence on the system. If confirmed malicious, + this could allow an attacker to execute arbitrary code, escalate privileges, or + maintain persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*/y*", "*-y*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process + IN ("*/y*", "*-y*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This analytic will need to be tuned for your environment based + on legitimate usage of msiexec.exe. Filter as needed. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md 
@@ -22,58 +43,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to register a file. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file. 
mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml index be28661ec7..92c0e1c8b6 100644 --- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml +++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml @@ -1,7 +1,7 @@ name: Windows MsiExec HideWindow Rundll32 Execution id: 9683271d-92e4-43b5-a907-1983bfb9f7fd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of the msiexec.exe process with the /HideWindow and rundll32 command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because it is a known tactic used by malware like QakBot to mask malicious operations under legitimate system processes. If confirmed malicious, this behavior could allow an attacker to download additional payloads, execute malicious code, or establish communication with remote servers, thereby evading detection and maintaining persistence. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = "* /HideWindow *" Processes.process = "* rundll32*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Other possible 3rd party msi software installers use this technique as part of its installation process. +description: The following analytic detects the execution of the msiexec.exe process + with the /HideWindow and rundll32 command-line parameters. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process creation events + and command-line arguments. This activity is significant because it is a known tactic + used by malware like QakBot to mask malicious operations under legitimate system + processes. If confirmed malicious, this behavior could allow an attacker to download + additional payloads, execute malicious code, or establish communication with remote + servers, thereby evading detection and maintaining persistence. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + = msiexec.exe Processes.process = "* /HideWindow *" Processes.process = "* rundll32*" + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_msiexec_hidewindow_rundll32_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Other possible 3rd party msi software installers use this technique + as part of its installation process. references: - https://twitter.com/Max_Mal_/status/1736392741758611607 - https://twitter.com/1ZRR4H/status/1735944522075386332 
@@ -22,47 +44,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a msiexec parent process with /hidewindow rundll32 process commandline + on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 70 - impact: 70 - message: a msiexec parent process with /hidewindow rundll32 process commandline in $dest$ mitre_attack_id: - T1218.007 - T1218 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/hidewndw-rundll32.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/hidewndw-rundll32.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index f4f4d67833..ea822dfe4d 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml 
@@ -1,18 +1,38 @@ name: Windows MSIExec Remote Download id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. +description: The following analytic detects the use of msiexec.exe with an HTTP or + HTTPS URL in the command line, indicating a remote file download attempt. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution logs that include command-line details. This activity is significant as + it may indicate an attempt to download and execute potentially malicious software + from a remote server. If confirmed malicious, this could lead to unauthorized code + execution, system compromise, or further malware deployment within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*http://*", "*https://*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present, filter by destination or parent process as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process + IN ("*http://*", "*https://*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present, filter by destination or parent + process as needed. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md 
@@ -22,58 +42,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a remote file. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file. 
mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index b69051b076..a604c6a7d5 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml 
@@ -1,18 +1,41 @@ name: Windows MSIExec Spawn Discovery Command id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee -version: 5 -date: '2024-11-26' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. +description: The following analytic detects MSIExec spawning multiple discovery commands, + such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint + Detection and Response (EDR) agents, focusing on process creation events where MSIExec + is the parent process. This activity is significant because MSIExec typically does + not spawn child processes other than itself, making this behavior highly suspicious. + If confirmed malicious, an attacker could use these discovery commands to gather + system information, potentially leading to further exploitation or lateral movement + within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe + Processes.process_name IN ("powershell.exe", "pwsh.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_msiexec_spawn_discovery_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present with MSIExec spawning Cmd or + PowerShell. Filtering will be needed. In addition, add other known discovery processes + to enhance query. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md 
@@ -22,58 +45,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ running different discovery commands. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands. 
mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml index add53dac8a..c80059d8d6 100644 --- a/detections/endpoint/windows_msiexec_spawn_windbg.yml +++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml @@ -1,7 +1,7 @@ name: Windows MSIExec Spawn WinDBG id: 9a18f7c2-1fe3-47b8-9467-8b3976770a30 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
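Review bot: `update_timestamp: true` is removed from the True Positive Test in the second windows_msiexec_spawn_discovery_command hunk (the `tests:` block now ends at `sourcetype: XmlWinEventLog`), so the replayed `windows-sysmon.log` keeps its original timestamps; confirm that `contentctl test` still runs the search over a window that includes them, otherwise the test only passes by accident of the default time range. The `rba` block is consistent with what it replaces: `score: 35` on both `user` and `dest` equals the old `confidence: 50` times `impact: 70` divided by 100 and the old `risk_score: 35`, and the two `threat_objects` carry over the former `Attacker` observables. In the windows_msiexec_spawn_windbg header hunk, `version: '5'` becomes `version: 7` (skipping 6) with `date: '2024-12-10'`, while the sibling files in this patch bump by one or two and are dated `2024-11-13`; if two changes were squashed here, say so in the commit message, and confirm the quoted-string to bare-integer change matches the schema the other files use.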
@@ -50,55 +50,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - DarkGate Malware asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$. mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process_path - - Processes.parent_process - - Processes.process_name - - Processes.process_path - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
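Review bot: `score: 100` on both `user` and `dest` in the new `rba` block means a single msiexec.exe to WinDbg spawn raises maximum risk on two objects at once and will typically cross the default ES risk threshold on its own; that matches the old `confidence: 100` / `impact: 100`, but for a `type: TTP` detection attached to the `DarkGate Malware` story it is worth stating in the description why no tuning is expected (the file's `known_false_positives` is outside this hunk, so check it says the same). `atomic_guid: []` is kept as an empty list even though the test dataset lives under `attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log`; if that data came from an Atomic test, add its GUID here so contentctl can cross-reference it.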
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml index ab68d72960..697c254586 100644 --- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml 
@@ -1,18 +1,39 @@ name: Windows MSIExec Unregister DLLRegisterServer id: a27db3c5-1a9a-46df-a577-765d3f1a3c24 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment. +description: The following analytic detects the use of msiexec.exe with the /z switch + parameter, which is used to unload DLLRegisterServer. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs, including command-line arguments. This activity is significant because unloading + DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially + disrupting legitimate services or hiding malicious activity. If confirmed malicious, + this could allow an attacker to disable security controls, evade detection, or disrupt + system functionality, leading to further compromise of the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*/z*", "*-z*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process + IN ("*/z*", "*-z*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This analytic will need to be tuned for your environment based + on legitimate usage of msiexec.exe. Filter as needed. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md 
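Review bot: the `Processes.process IN ("*/z*", "*-z*")` filter carried into the reflowed `search:` is far broader than the `/z` switch it targets: `*-z*` matches any command line containing `-z` anywhere (a package path such as `C:\temp\setup-z1.msi`), and `*/z*` matches any `/i https://host/z...` URL, which is where most of the "tune for legitimate usage" false positives will come from; anchoring the switch with a leading space, e.g. `IN ("* /z*", "* -z*")`, cuts that without missing real unregister calls, since the switch is always a separate argument. The description's wording "the /z switch parameter, which is used to unload DLLRegisterServer" is also inaccurate: per Microsoft's msiexec documentation `/z` calls `DllUnregisterServer` on the module passed on the command line (`/y` is the `DllRegisterServer` counterpart); the file's `rba` message, "attempting to unregister a file", already says it correctly.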
@@ -22,58 +43,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to unregister a file. + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint - confidence: 50 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file. 
mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml index f181dec4bf..382204bb18 100644 --- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml +++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml 
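Review bot: the `rba` `message` in the windows_msiexec_unregister_dllregisterserver hunk above, "An instance of $parent_process_name$ spawning $process_name$ was identified ... attempting to unregister a file", describes a parent/child spawn, but this search matches on msiexec.exe's own command line (`` `process_msiexec` Processes.process IN ("*/z*", "*-z*") ``), so `$process_name$` is always msiexec.exe and the parent is incidental; reword it around the command line, e.g. "$process_name$ executed with the /z unregister switch ($process$) on $dest$ by user $user$", and include `process` in the message since it is already in the `by` clause. The numbers are consistent (`score: 35` equals `confidence: 50` times `impact: 70` divided by 100), and the same `update_timestamp: true` removal in the test applies here, so the replayed `windows-sysmon.log` must fall inside the test search window.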
@@ -1,16 +1,30 @@ name: Windows Multi hop Proxy TOR Website Query id: 4c2d198b-da58-48d7-ba27-9368732d0054 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies DNS queries to known TOR proxy websites, such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected. +description: The following analytic identifies DNS queries to known TOR proxy websites, + such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode + 22 to detect these queries by monitoring DNS query events from endpoints. This activity + is significant because adversaries often use TOR proxies to disguise the source + of their malicious traffic, making it harder to trace their actions. If confirmed + malicious, this behavior could indicate an attempt to obfuscate network traffic, + potentially allowing attackers to exfiltrate data or communicate with command and + control servers undetected. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: third party application may use this proxies if allowed in production environment. Filter is needed. +search: '`sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com") + | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName + QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and sysmon eventcode = 22 dns query events from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: third party application may use this proxies if allowed in + production environment. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: 
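Review bot: `QueryName IN ("*.torproject.org", "www.theonionrouter.com")` in the reflowed `search:` misses the apex names: `*.torproject.org` only matches subdomains, so a lookup of `torproject.org` itself is not caught, and only the `www` host of theonionrouter.com is listed; use `IN ("torproject.org", "*.torproject.org", "theonionrouter.com", "*.theonionrouter.com")`. Two smaller points in the same hunk: `known_false_positives` should read "Third-party applications may use these proxies if allowed in the production environment. A filter is needed.", and the description's "known TOR proxy websites" is loose, since torproject.org is the Tor Project's own site and download location rather than a proxy, which matters for how an analyst reads the alert (fetching the Tor Browser versus routing traffic through a relay).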
@@ -19,41 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $Image$ is having a dns query in a tor domain $QueryName$ in + $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - AgentTesla asset_type: Endpoint - confidence: 50 - impact: 50 - message: a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$ mitre_attack_id: - T1071.003 - T1071 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - QueryName - - QueryStatus - - ProcessId - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml index 966dcf2443..509ea8e8c0 100644 --- a/detections/endpoint/windows_multiple_account_passwords_changed.yml +++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml 
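Review bot: `threat_objects: []` in the windows_multi_hop_proxy_tor_website_query `rba` block discards the two fields the `message` already interpolates, `$Image$` and `$QueryName$`; the search groups `by Image QueryName QueryStatus ProcessId Computer`, so both are available per result, and the queried domain in particular is the pivot an analyst wants on the risk event, so add them as `field:`/`type:` threat objects (with whatever domain and process types the contentctl schema accepts) instead of leaving the list empty. `score: 25` on `dest` matches the old `confidence: 50` times `impact: 50` divided by 100.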
@@ -1,16 +1,30 @@ name: Windows Multiple Account Passwords Changed id: faefb681-14be-4f0d-9cac-0bc0160c7280 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4724 type: TTP status: production -description: The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services. -search: '`wineventlog_security` EventCode=4724 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. +description: The following analytic detects instances where more than five unique + Windows account passwords are changed within a 10-minute interval. It leverages + Event Code 4724 from the Windows Security Event Log, using the wineventlog_security + dataset to monitor and count distinct TargetUserName values. 
This behavior is significant + as rapid password changes across multiple accounts are unusual and may indicate + unauthorized access or internal compromise. If confirmed malicious, this activity + could lead to widespread account compromise, unauthorized access to sensitive information, + and potential disruption of services. +search: '`wineventlog_security` EventCode=4724 status=success | bucket span=10m _time + | stats count dc(user) as unique_users values(user) as user by EventCode signature + _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users + > 5 | `windows_multiple_account_passwords_changed_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events with the Windows TA. The Advanced Security Audit policy + setting `Audit User Account Management` within `Account Management` needs to be + enabled. +known_false_positives: Service accounts may be responsible for the creation, deletion + or modification of accounts for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: 
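Review bot: the description in this hunk says the analytic counts "distinct TargetUserName values", but the search counts `dc(user) as unique_users`, and the old `required_fields` that listed both `TargetUserName` and `user` is removed in the next hunk, so either state that `user` is the Windows TA's normalized alias for TargetUserName or count the raw field; as written a reader comparing the two will think they disagree. More substantively, `stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5` applies the threshold per 10-minute bucket and per `Logon_ID`, so an actor who changes passwords from several logon sessions, or spreads six changes across a bucket boundary, stays under it; if that is accepted, say so in `known_false_positives`, otherwise drop `Logon_ID` from the `by` clause (the risk object is `src_user`, which does not need it). The same pipeline is reused verbatim for 4726 and 4725 in the windows_multiple_accounts_deleted and windows_multiple_accounts_disabled hunks below, so whichever way this is resolved should be applied to all three.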
@@ -19,44 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $src_user$ changed the passwords of multiple accounts in a short period + of time. + risk_objects: + - field: src_user + type: user + score: 24 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Endpoint - confidence: 60 - impact: 40 - message: User $src_user$ changed the passwords of multiple accounts in a short period of time. 
mitre_attack_id: - T1098 - T1078 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - success - - TargetUserName - - SubjectUserName - - src_user - - SubjectDomainName - - TargetDomainName - - Logon_ID - - user - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml index 128a70caac..255acdfca6 100644 --- a/detections/endpoint/windows_multiple_accounts_deleted.yml +++ b/detections/endpoint/windows_multiple_accounts_deleted.yml 
@@ -1,16 +1,29 @@ name: Windows Multiple Accounts Deleted id: 49c0d4d6-c55d-4d3a-b3d5-7709fafed70d -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4726 type: TTP status: production -description: The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations. -search: '`wineventlog_security` EventCode=4726 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. +description: The following analytic detects the deletion of more than five unique + Windows accounts within a 10-minute period, using Event Code 4726 from the Windows + Security Event Log. It leverages the `wineventlog_security` dataset, segmenting + data into 10-minute intervals to identify suspicious account deletions. This activity + is significant as it may indicate an attacker attempting to erase traces of their + actions. 
If confirmed malicious, this could lead to unauthorized access removal, + hindering incident response and forensic investigations. +search: '`wineventlog_security` EventCode=4726 status=success | bucket span=10m _time + | stats count dc(user) as unique_users values(user) as user by EventCode signature + _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users + > 5 | `windows_multiple_accounts_deleted_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events with the Windows TA. The Advanced Security Audit policy + setting `Audit User Account Management` within `Account Management` needs to be + enabled. +known_false_positives: Service accounts may be responsible for the creation, deletion + or modification of accounts for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: 
@@ -19,44 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $src_user$ deleted multiple accounts in a short period of time. + risk_objects: + - field: src_user + type: user + score: 18 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Endpoint - confidence: 60 - impact: 30 - message: User $src_user$ deleted multiple accounts in a short period of time. 
mitre_attack_id: - T1098 - T1078 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - success - - TargetUserName - - SubjectUserName - - src_user - - SubjectDomainName - - TargetDomainName - - Logon_ID - - user - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml index 33a0ecb658..5976653e84 100644 --- a/detections/endpoint/windows_multiple_accounts_disabled.yml +++ b/detections/endpoint/windows_multiple_accounts_disabled.yml 
@@ -1,16 +1,30 @@ name: Windows Multiple Accounts Disabled id: 5d93894e-befa-4429-abde-7fc541020b7b -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4725 type: TTP status: production -description: The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations. -search: '`wineventlog_security` EventCode=4725 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. +description: The following analytic identifies instances where more than five unique + Windows accounts are disabled within a 10-minute window, as indicated by Event Code + 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, + grouping data into 10-minute segments and tracking the count and distinct count + of TargetUserName. 
This behavior is significant as it may indicate internal policy + breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, + this activity could lead to widespread account lockouts, hindering user access and + potentially disrupting business operations. +search: '`wineventlog_security` EventCode=4725 status=success | bucket span=10m _time + | stats count dc(user) as unique_users values(user) as user by EventCode signature + _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users + > 5 | `windows_multiple_accounts_disabled_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events with the Windows TA. The Advanced Security Audit policy + setting `Audit User Account Management` within `Account Management` needs to be + enabled. +known_false_positives: Service accounts may be responsible for the creation, deletion + or modification of accounts for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: 
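Review bot: in windows_multiple_accounts_disabled.yml the description and the search disagree on the field being counted. The description says the analytic is "tracking the count and distinct count of TargetUserName", but the search computes `dc(user) as unique_users values(user) as user`; either change the description to say `user` or make the SPL use `TargetUserName` so the two match. The known_false_positives text ("creation, deletion or modification of accounts") also reads as if copied from the deleted/created siblings; for a 4725 analytic it should mention accounts being disabled, for example by offboarding or lifecycle-management service accounts.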
@@ -19,44 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $src_user$ disabled multiple accounts in a short period of time. + risk_objects: + - field: src_user + type: user + score: 18 + threat_objects: [] tags: analytic_story: - Azure Active Directory Persistence asset_type: Endpoint - confidence: 60 - impact: 30 - message: User $src_user$ disabled multiple accounts in a short period of time. 
mitre_attack_id: - T1098 - T1078 - observable: - - name: src_user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - success - - TargetUserName - - SubjectUserName - - src_user - - SubjectDomainName - - TargetDomainName - - Logon_ID - - user - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml index b8a3fb4f82..730fe3867d 100644 --- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml +++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml 
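Review bot: in windows_multiple_accounts_disabled.yml the only `analytic_story` is "Azure Active Directory Persistence", yet the data_source is on-prem "Windows Event Log Security 4725" and security_domain is endpoint; consider adding or substituting an on-prem Active Directory story so the detection is discoverable where it applies. The new `rba.score: 18` does match the removed `confidence: 60` × `impact: 30` / 100, so the risk weighting is preserved.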
@@ -1,12 +1,27 @@ +name: Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos +id: 98f22d82-9d62-11eb-9fcf-acde48001122 +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk +type: TTP +status: production data_source: - Windows Event Log Security 4768 -date: '2024-09-30' -description: The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -id: 98f22d82-9d62-11eb-9fcf-acde48001122 -known_false_positives: A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. -name: Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos +description: The following analytic detects a single source endpoint failing to authenticate + with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. + It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating + revoked credentials. 
This activity is significant as it may indicate a Password + Spraying attack targeting disabled accounts, a tactic used by adversaries to gain + initial access or elevate privileges. If confirmed malicious, this could lead to + unauthorized access or privilege escalation within the Active Directory environment, + posing a severe security risk. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple disabled domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, multi-user systems missconfigured + systems. references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: 
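Review bot: in windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml the description equates `Status=0x12` with disabled accounts, but KDC_ERR_CLIENT_REVOKED (0x12) is also returned for expired, locked-out and outside-logon-hours accounts; the description and the known_false_positives should say so, because a lockout storm or an expiry batch will trigger this just as readily as disabled users. Two wording fixes while the block is being reflowed: "multi-user systems missconfigured systems" is missing "and" and should read "misconfigured", and the "Wth" in the name is a typo (note the filter macro `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter` carries the same spelling, so renaming would have to be done in both places and in the test data references).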
@@ -15,49 +30,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`' -status: production +search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket + span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`' +rba: + message: Potential Kerberos based password spraying attack from $IpAddress$ + risk_objects: + - field: user + type: 
user + score: 49 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Password Spraying - Active Directory Kerberos Attacks - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential Kerberos based password spraying attack from $IpAddress$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: IpAddress - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 4 diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml index 5d5d46e86e..7696c03e9d 100644 --- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml 
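Review bot: in windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml the new `threat_objects` entry types `IpAddress` as `ip_address`, but the 4768 `IpAddress` field is normally written in IPv4-mapped IPv6 form (`::ffff:10.1.2.3`) and can carry `::1` for local attempts; unless the macro or a props transform strips the `::ffff:` prefix, the threat object will not match asset lookups or other ip_address threat objects. Either normalise it in the SPL (for example `rex field=IpAddress "::ffff:(?<IpAddress>.*)"`) or document the expected format in how_to_implement.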
@@ -1,12 +1,27 @@ +name: Windows Multiple Invalid Users Fail To Authenticate Using Kerberos +id: 001266a6-9d5b-11eb-829b-acde48001122 +date: '2024-11-13' +version: 5 +type: TTP +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2024-09-30' -description: The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -id: 001266a6-9d5b-11eb-829b-acde48001122 -known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. -name: Windows Multiple Invalid Users Fail To Authenticate Using Kerberos +description: The following analytic identifies a source endpoint failing to authenticate + with 30 unique invalid domain users using the Kerberos protocol. This detection + leverages EventCode 4768, specifically looking for failure code 0x6, indicating + the user is not found in the Kerberos database. 
This activity is significant as + it may indicate a Password Spraying attack, where an adversary attempts to gain + initial access or elevate privileges. If confirmed malicious, this could lead to + unauthorized access or privilege escalation within the Active Directory environment, + posing a significant security risk. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple invalid domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, multi-user systems and missconfigured + systems. references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: 
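Review bot: in windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml "missconfigured" should be "misconfigured" in known_false_positives. Minor style point: this file puts `date` before `version` while the sibling Kerberos file puts `version` before `date`; since the hunk is already reordering the top-level keys, keep the same order across the set.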
@@ -15,49 +30,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`' -status: production +search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket + span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`' +rba: + message: Potential Kerberos based password spraying attack from $IpAddress$ + risk_objects: + - field: user + type: 
user + score: 49 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Password Spraying - Active Directory Kerberos Attacks - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential Kerberos based password spraying attack from $IpAddress$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: IpAddress - type: Endpoint - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 4 diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml index b953071f12..c8db8b309f 100644 --- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml 
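Review bot: in windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml the new `risk_objects` entry scores `user`, but for `Status=0x6` (KDC_ERR_C_PRINCIPAL_UNKNOWN) those usernames by definition do not exist in the directory, so the 30+ names in `values(TargetUserName) as user` will create risk events against identities that can never be resolved or investigated. The NTLM sibling scores the source system instead; consider making `IpAddress` the risk object here (and keeping it as the threat object) so the risk accrues to the spraying host.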
@@ -1,12 +1,28 @@ +name: Windows Multiple Invalid Users Failed To Authenticate Using NTLM +id: 57ad5a64-9df7-11eb-a290-acde48001122 +type: TTP +version: 6 author: Mauricio Velazco, Splunk +status: production data_source: - Windows Event Log Security 4776 -date: '2024-09-30' -description: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -id: 57ad5a64-9df7-11eb-a290-acde48001122 -known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -name: Windows Multiple Invalid Users Failed To Authenticate Using NTLM +date: '2024-11-13' +description: The following analytic detects a single source endpoint failing to authenticate + with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 + from Domain Controller logs, focusing on error code 0xC0000064, which indicates + non-existent usernames. 
This behavior is significant as it may indicate a Password + Spraying attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access, privilege + escalation, and potential compromise of sensitive information within the Active + Directory environment. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events. The Advanced Security Audit policy setting `Audit Credential + Validation' within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple invalid domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. + If this detection triggers on a host other than a Domain Controller, the behavior + could represent a password spraying attack against the host's local accounts. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation 
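Review bot: in windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml the how_to_implement text has mismatched quoting, `Audit Credential Validation'`, which was carried over from the old line and should be `` `Audit Credential Validation` `` to match the other audit-policy references in this set. "missconfigured" should be "misconfigured" here as well.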
@@ -17,44 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Workstation$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`' -status: production +search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 + | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`' +rba: + message: Potential NTLM based password spraying attack from 
$Workstation$ + risk_objects: + - field: Workstation + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential NTLM based password spraying attack from $Workstation$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: Workstation - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetUserName - - Workstation - - Status - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 5 diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index bd3b2b6dab..cda160cc85 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml 
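Review bot: in windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml the new `risk_objects` entry types `Workstation` as `system`, but in 4776 the Source Workstation value is supplied by the NTLM client in its AUTHENTICATE message and is frequently empty or an arbitrary string; the search already groups `by _time, Workstation`, so an empty value collapses every anonymous source into one bucket and the RBA message "from $Workstation$" will name a blank host. Consider filtering `Workstation!=""` (or falling back to the DC `dest`) before assigning risk, and mention in known_false_positives that the field is client-controlled.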
@@ -1,16 +1,36 @@ name: Windows Multiple NTLM Null Domain Authentications id: c187ce2c-c88e-4cec-8a1c-607ca0dedd78 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device +description: The following analytic detects when a device is the target of numerous + NTLM authentications using a null domain. This activity generally results when an + attacker attempts to brute force, password spray, or otherwise authenticate to a + domain joined Windows device from a non-domain device. This activity may also generate + a large number of EventID 4776 events in tandem, however these events will not indicate + the attacker or target device data_source: - NTLM Operational 8004,8005,8006 -search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL | eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications``` | `windows_multiple_ntlm_null_domain_authentications_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count dc(eval(upper(src))) as src_count by dest | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) 
| where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. +search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL + | eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading + \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM + alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy + for certain applications``` | `windows_multiple_ntlm_null_domain_authentications_filter` + | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) + as unique_count dc(eval(upper(src))) as src_count by dest | eventstats avg(unique_count) + as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) + ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, + 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be + imported from the environment Domain Controllers. This requires configuration of + specific auditing settings, see Microsoft references for further guidance. This + analytic is specific to EventID 8004~8006. +known_false_positives: Applications that deal with non-domain joined authentications. 
+ Recommend adjusting the upperBound_unique eval for tailoring the correlation to + your environment, running with a 24hr search window will smooth out some statistical + noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 
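Review bot: in windows_multiple_ntlm_null_domain_authentications.yml the threshold `upperBound_unique=(1+unique_avg+unique_std*3)` is computed by `eventstats` over the `dest` values present in the search window, so when only one destination has null-domain NTLM traffic in the window the average equals its own count and `stdev` is 0, which makes `unique_count > upperBound_unique` false and the detection can never fire against a single target; this is worth stating in how_to_implement alongside the existing 24-hour window advice. Also "requires that NTLM Operational logs to be imported" should read "requires NTLM Operational logs to be imported".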
@@ -23,39 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The device [$dest$] was the target of $count$ NTLM authentications from + $src_count$ sources using $unique_count$ unique user accounts. + risk_objects: + - field: dest + type: system + score: 75 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Endpoint - confidence: 100 - impact: 75 - message: The device [$dest$] was the target of $count$ NTLM authentications from $src_count$ sources using $unique_count$ unique user accounts. 
mitre_attack_id: - T1110 - T1110.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - DomainName - - Security - - WorkstationName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml index 536dd96b2e..c57c7baf7e 100644 --- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml 
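Review bot: in windows_multiple_ntlm_null_domain_authentications.yml the removed `risk_score: 50` disagreed with the removed `confidence: 100` × `impact: 75`, and the new `rba.score: 75` follows the formula; that raises the risk contribution of every notable from this search by half, so the version bump should say so explicitly (or keep 50 if the lower weighting was intentional), since this is the only file in the set where the migration changes the effective score.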
@@ -1,12 +1,29 @@ +name: Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials +id: e61918fa-9ca4-11eb-836c-acde48001122 +type: TTP +version: 6 +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4648 -date: '2024-09-30' -description: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -id: e61918fa-9ca4-11eb-836c-acde48001122 -known_false_positives: A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. -name: Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials +date: '2024-11-13' +description: The following analytic identifies a source user failing to authenticate + with 30 unique users using explicit credentials on a host. 
It leverages Windows + Event 4648, which is generated when a process attempts an account logon by explicitly + specifying account credentials. This detection is significant as it may indicate + a Password Spraying attack, where an adversary attempts to gain initial access or + elevate privileges within an Active Directory environment. If confirmed malicious, + this activity could lead to unauthorized access, privilege escalation, and potential + compromise of sensitive information. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A source user failing attempting to authenticate multiple users + on a host is not a common behavior for regular systems. Some applications, however, + may exhibit this behavior in which case sets of users hosts can be added to an allow + list. Possible false positive scenarios include systems where several users connect + to like Mail servers, identity providers, remote desktop services, Citrix, etc. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648 
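Review bot: the reflowed known_false_positives block in this hunk carries the original grammar errors through unchanged ("A source user failing attempting to authenticate multiple users", "sets of users hosts can be added", "systems where several users connect to like Mail servers"); since the hunk already bumps version to 6 and refreshes date to 2024-11-13, fix the wording in the same pass, for example "A source user failing to authenticate as multiple users on a host is not common behavior for regular systems" and "Possible false positive scenarios include systems that many users connect to, such as mail servers, identity providers, remote desktop services and Citrix." The same sentence in the description ("failing to authenticate with 30 unique users") should also be checked against the search in the next hunk, which has no failure condition.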
@@ -17,45 +34,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`' -status: production +search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ + | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) + as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > + 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`' +rba: + message: Potential 
password spraying attack from $Computer$ + risk_objects: + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Insider Threat - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential password spraying attack from $Computer$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: Computer - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Target_User_Name - - Caller_User_Name - - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 5 diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml index 885809dda5..4791ed5824 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml 
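Review bot: the search `EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$` has no success or failure condition, so it counts every explicit-credential logon attempt regardless of outcome, yet the name and risk message still say "Fail To Authenticate"; the hunk's own description states that 4648 is "generated when a process attempts an account logon", so either document that the count is of attempts or rename the analytic. Separately, `Caller_User_Name` is a `by` key in the stats but the new rba block ships `threat_objects: []`; consider `- field: Caller_User_Name` with `type: user` so the spraying account is attached to the risk event the way the Kerberos hunk attaches IpAddress.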
@@ -1,12 +1,27 @@ +name: Windows Multiple Users Failed To Authenticate From Host Using NTLM +id: 7ed272a4-9c77-11eb-af22-acde48001122 author: Mauricio Velazco, Splunk +type: TTP +status: production +version: 6 data_source: - Windows Event Log Security 4776 -date: '2024-09-30' -description: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -id: 7ed272a4-9c77-11eb-af22-acde48001122 -known_false_positives: A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -name: Windows Multiple Users Failed To Authenticate From Host Using NTLM +date: '2024-11-13' +description: The following analytic identifies a single source endpoint failing to + authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode + 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates + a bad password. 
This behavior is significant as it may indicate a Password Spraying + attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access to sensitive + information or further compromise of the Active Directory environment. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events. The Advanced Security Audit policy setting `Audit Credential + Validation` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid domain users + is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. + If this detection triggers on a host other than a Domain Controller, the behavior + could represent a password spraying attack against the host's local accounts. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation 
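Review bot: "missconfigured" in known_false_positives survives the reflow; change it to "misconfigured" while the block is being rewritten. Also, this file orders the header as `name, id, author, type, status, version` while the explicit-credentials hunk uses `name, id, type, version, status, author`; pick one key order for the five detections touched in this patch.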
@@ -17,44 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Workstation$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`' -status: production +search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A + | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`' +rba: + message: Potential NTLM based password spraying attack from 
$Workstation$ + risk_objects: + - field: Workstation + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential NTLM based password spraying attack from $Workstation$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: Workstation - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - Workstation - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 5 diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml index 8f3dd04b5f..b4e4eb9ae2 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml 
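Review bot: `Workstation` is both the only `by` key and the sole rba risk object, but in 4776 that field is the source workstation name reported by the client and it is frequently empty; events with a blank Workstation would all pool into one 5-minute bucket and produce a risk event with an empty system name. Add `Workstation!=""` next to the existing `TargetUserName!=*$` filter, or at least call the case out in known_false_positives. As with the other system-object detections in this patch, `threat_objects: []` leaves nothing identifying the source on the risk event.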
@@ -1,12 +1,26 @@ +name: Windows Multiple Users Failed To Authenticate From Process +id: 9015385a-9c84-11eb-bef2-acde48001122 +type: TTP +version: 6 +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2024-09-30' -description: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk. -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -id: 9015385a-9c84-11eb-bef2-acde48001122 -known_false_positives: A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -name: Windows Multiple Users Failed To Authenticate From Process +date: '2024-11-13' +description: The following analytic detects a source process failing to authenticate + with 30 unique users, indicating a potential Password Spraying attack. It leverages + Windows Event 4625 with Logon Type 2, collected from domain controllers, member + servers, and workstations. This activity is significant as it may represent an adversary + attempting to gain initial access or elevate privileges within an Active Directory + environment. 
If confirmed malicious, this could lead to unauthorized access, privilege + escalation, or further compromise of the network, posing a severe security risk. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers aas well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A process failing to authenticate with multiple users is not + a common behavior for legitimate user sessions. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 
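Review bot: two typos are carried through the reflow of how_to_implement and known_false_positives, "aas well as" and "missconfigured"; fix them to "as well as" and "misconfigured" in this hunk rather than leaving them for another version bump.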
@@ -18,47 +32,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`' -status: production +search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket + span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer + as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`' +rba: + 
message: Potential password spraying attack from $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Insider Threat - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential password spraying attack from $dest$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: dest - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - ProcessName - - SubjectUserName - - TargetUserName - - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 5 diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml index fddcd0c112..15df1ec8be 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml 
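Review bot: the stats splits by `ProcessName` and `SubjectUserName`, which identify the spraying process and account, but the rba block only carries `dest` as a risk object and sets `threat_objects: []`, so that context is lost on the risk event; add threat objects for `SubjectUserName` (type user) and `ProcessName` (type process_name, if the schema lists it) and include them in the message, e.g. "Potential password spraying attack on $dest$ by $SubjectUserName$ via $ProcessName$".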
@@ -1,12 +1,27 @@ +name: Windows Multiple Users Failed To Authenticate Using Kerberos +id: 3a91a212-98a9-11eb-b86a-acde48001122 +type: TTP +version: 5 +date: '2024-11-13' +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4771 -date: '2024-09-30' -description: The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -id: 3a91a212-98a9-11eb-b86a-acde48001122 -known_false_positives: A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. -name: Windows Multiple Users Failed To Authenticate Using Kerberos +description: The following analytic identifies a single source endpoint failing to + authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode + 4771 with Status 0x18, indicating wrong password attempts, and aggregates these + events over a 5-minute window. 
This behavior is significant as it may indicate a + Password Spraying attack, where an adversary attempts to gain initial access or + elevate privileges in an Active Directory environment. If confirmed malicious, this + activity could lead to unauthorized access, privilege escalation, and potential + compromise of sensitive information. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid domain users + is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, missconfigured systems and + multi-user systems like Citrix farms. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11) 
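Review bot: "missconfigured" in known_false_positives should be "misconfigured". The header here also places `date` between `version` and `status`, unlike the other four detections in this patch where `date` follows `data_source`; keep the ordering consistent across the set.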
@@ -17,49 +32,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`' -status: production +search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | + bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`' +rba: + message: Potential Kerberos based password spraying attack from $IpAddress$ + risk_objects: + - field: user + type: user + 
score: 49 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Password Spraying - Active Directory Kerberos Attacks - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential Kerberos based password spraying attack from $IpAddress$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: IpAddress - role: - - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 4 diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml index 6de41fcf83..3c72e172b9 100644 --- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml +++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml 
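Review bot: the rba risk object `user` is the multivalue field produced by `values(TargetUserName) as user`, which holds every sprayed account (more than 30 per result by construction of the `where unique_accounts > 30` clause), so each match will emit 30+ risk events of score 49 against individual user accounts, while the other four spraying detections in this patch assign a single risk event to a system. If that fan-out is intended, say so in the description; if one risk event per spray is wanted, the `by` key `IpAddress` (already a threat object here) is the natural single entity.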
@@ -1,12 +1,28 @@ +name: Windows Multiple Users Remotely Failed To Authenticate From Host +id: 80f9d53e-9ca1-11eb-b0d6-acde48001122 author: Mauricio Velazco, Splunk +type: TTP +status: production +version: 6 +date: '2024-11-13' data_source: - Windows Event Log Security 4625 -date: '2024-09-30' -description: The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting. -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -id: 80f9d53e-9ca1-11eb-b0d6-acde48001122 -known_false_positives: A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. -name: Windows Multiple Users Remotely Failed To Authenticate From Host +description: The following analytic identifies a source host failing to authenticate + against a remote host with 30 unique users. It leverages Windows Event 4625 with + Logon Type 3, indicating remote authentication attempts. 
This behavior is significant + as it may indicate a Password Spraying attack, where an adversary attempts to gain + initial access or elevate privileges in an Active Directory environment. If confirmed + malicious, this activity could lead to unauthorized access, privilege escalation, + and potential compromise of sensitive information. This detection is crucial for + real-time security monitoring and threat hunting. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as as well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A host failing to authenticate with multiple valid users against + a remote host is not a common behavior for legitimate systems. Possible false positive + scenarios include but are not limited to vulnerability scanners, remote administration + tools, missconfigyred systems, etc. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 
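Review bot: the reflow preserves "as as well as" in how_to_implement and "missconfigyred" in known_false_positives; correct them to "as well as" and "misconfigured" in this hunk.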
@@ -18,45 +34,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`' -status: production +search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket + span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where + unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`' +rba: + message: Potential password 
spraying attack on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential password spraying attack on $dest$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: dest - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - TargetUserName - - Computer - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: TTP -version: 5 diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/windows_network_connection_discovery_via_net.yml similarity index 53% rename from detections/endpoint/network_connection_discovery_with_net.yml rename to detections/endpoint/windows_network_connection_discovery_via_net.yml index f708fb4466..e746c54512 100644 --- a/detections/endpoint/network_connection_discovery_with_net.yml +++ b/detections/endpoint/windows_network_connection_discovery_via_net.yml 
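Review bot: `IpAddress` is a `by` key and is the actual source of the spray (the hunk's own filter is `IpAddress!="-"`), but the rba block sets `threat_objects: []` and the message names only `$dest$`; add `- field: IpAddress` with `type: ip_address`, as the Kerberos hunk does, and extend the message to "Potential password spraying attack on $dest$ from $IpAddress$". Minor: `rename Computer as dest| where` is valid SPL but is the only pipe in these searches without a surrounding space.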
@@ -1,16 +1,16 @@ -name: Network Connection Discovery With Net -id: 640337e5-6e41-4b7f-af06-9d9eab5e1e2d -version: 4 -date: '2024-11-26' +name: Windows Network Connection Discovery Via Net +id: 86a5b949-679b-4197-8d4c-9c180a818c45 +version: 1 +date: '2025-01-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement. +description: The following analytic identifies the execution of `net.exe` with command-line arguments used to list or display information about computer connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")) AND (Processes.process=*use) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_connection_discovery_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. 
references: @@ -22,33 +22,12 @@ tags: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 50 - impact: 30 - message: Network Connection discovery on $dest$ by $user$ mitre_attack_id: - T1049 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml similarity index 58% rename from detections/endpoint/windows_network_share_interaction_with_net.yml rename to detections/endpoint/windows_network_share_interaction_via_net.yml index e526666d9d..b6fcefc3dc 100644 --- a/detections/endpoint/windows_network_share_interaction_with_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml 
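Review bot: the new search term `Processes.process=*use` drops the trailing wildcard that the old `*use*` had, so it now matches only command lines that end in `use` (the bare listing form); anything after the verb, a trailing space, or a closing quote no longer matches. If that narrowing is deliberate (the sibling `windows_network_share_interaction_via_net` hunk uses `"*use *"`, which covers the argument form, so the two would be complementary), say so in `description`/`known_false_positives`; otherwise restore `*use*`. The rename also assigns a fresh `id` (`86a5b949-...`) and resets `version` to 1, retiring `640337e5-...`; make sure the old id is recorded in the deprecation list so existing correlation searches and saved content referencing it do not disappear silently.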
@@ -1,16 +1,18 @@ -name: Windows Network Share Interaction With Net -id: 4dc3951f-b3f8-4f46-b412-76a483f72277 -version: 3 -date: '2024-11-26' +name: Windows Network Share Interaction Via Net +id: e51fbdb0-0be0-474f-92ea-d289f71a695e +version: 1 +date: '2025-01-20' author: Dean Luxton status: production -type: TTP +type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE `process_net` BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | regex process="net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_with_net_filter`' +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +description: The following analytic identifies network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. 
By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")) AND Processes.process IN ("*use *", "*view*") BY Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_via_net_filter`' how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common Information Model (CIM) to normalize the field names capture the data within the datamodel schema. -known_false_positives: Unknown +known_false_positives: Administrators or power users may use this command. Additional filters needs to be applied. references: - https://attack.mitre.org/techniques/T1135/ drilldown_searches: 
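Review bot: the replacement filter `Processes.process IN ("*use *", "*view*")` loses the `share` verb that the removed regex `net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s` matched, so `net share` enumeration, which the description ("list and interact with network shares") and the T1135 reference clearly intend to cover, no longer triggers; add `"*share*"` (or the tighter `"* share*"`) to the IN list. `"*view*"` is also broader than the old anchored `net ... view`, matching any command line containing "view" anywhere; `"* view*"` would keep the verb boundary. Two wording nits in the `+` lines: `known_false_positives` should read "Additional filters need to be applied", and the `how_to_implement` context line is missing an "and" in "normalize the field names and capture the data".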
@@ -22,6 +24,17 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ leveraged net.exe on $dest$ to interact with network shares, + executed by parent process $parent_process$ + risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: [] tags: analytic_story: - Active Directory Discovery @@ -30,34 +43,13 @@ tags: asset_type: Endpoint atomic_guid: - ab39a04f-0c93-4540-9ff2-83f862c385ae - confidence: 100 - impact: 20 - message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ mitre_attack_id: - T1135 - T1039 - required_fields: - - Processes.process_name - - Processes.user - - Processes.dest - - Processes.process_exec - - Processes.parent_process_exec - - Processes.process - - Processes.parent_process - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml index 2b3f2f7255..bfeca92a28 100644 --- a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml 
+++ b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml 
@@ -1,16 +1,37 @@ name: Windows New Custom Security Descriptor Set On EventLog Channel id: c0e5dd5a-2117-41d5-a04c-82a762a86a38 -version: 1 -date: '2024-12-06' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs. +description: The following analytic detects suspicious modifications to the EventLog + security descriptor registry value for defense evasion. It leverages data from the + Endpoint.Registry data model, focusing on changes to the "CustomSD" value within + the + "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD" + path. This activity is significant as changes to the access permissions of the event + log could blind security products and help attackers evade defenses. If confirmed + malicious, this could allow attackers to block users and security products from + viewing, ingesting and interacting event logs. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 -known_false_positives: None identified, setting up the "CustomSD" value is considered a legacy option and shouldn't be a common activity. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" + AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data + Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name + Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where + isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. If you are using Sysmon, you must have at least version 2.0 of + the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: None identified, setting up the "CustomSD" value is considered + a legacy option and shouldn't be a common activity. references: - https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy - https://attack.mitre.org/techniques/T1562/002/ 
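Review bot: the reflowed `description` still gives the registry path as `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD`, which drops the per-channel key (for example `...\Eventlog\Security\CustomSD`) that the search's wildcard `Registry.registry_path="*\\Services\\Eventlog\\*"` is there to match; since every description line is touched anyway, fix the path now and change "interacting event logs" to "interacting with event logs". Adding `Registry.registry_path` to the `BY` clause is the right move, as the `rba.message` in the next hunk interpolates `$registry_path$`; without it that field would be empty in the risk event.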
@@ -20,45 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ in $dest$ + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - LockBit Ransomware - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 80 - impact: 80 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - 
Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/windows_new_default_file_association_value_set.yml similarity index 59% rename from detections/endpoint/change_default_file_association.yml rename to detections/endpoint/windows_new_default_file_association_value_set.yml index 950da24500..ad44980ccf 100644 --- a/detections/endpoint/change_default_file_association.yml +++ b/detections/endpoint/windows_new_default_file_association_value_set.yml 
@@ -1,16 +1,16 @@ -name: Change Default File Association -id: 462d17d8-1f71-11ec-ad07-acde48001122 -version: 3 -date: '2024-09-30' +name: Windows New Default File Association Value Set +id: 7d1f031f-f1c9-43be-8b0b-c4e3e8a8928a +version: 1 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment. +type: Hunting +description: The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under "HKCR\\*\\shell\\open\\command\\*". This activity can be significant because, attackers might alter the default file associations in order to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_new_default_file_association_value_set_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -known_false_positives: unknown +known_false_positives: Windows and third party software will create and modify these file associations during installation or upgrades. Additional filters needs to be applied to tune environment specific false positives. references: - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features drilldown_searches: 
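Review bot: the new name and description say "default file association value", but the search still constrains only `Registry.registry_path` (`*\\shell\\open\\command\\*` under `HKCR`/`HKEY_CLASSES_ROOT`) and not `Registry.registry_value_name`, so any value written under those keys matches, not just the default one; either add a value-name constraint (Sysmon reports the default value as `(Default)`) or reword the name/description to "value set under shell\open\command". Wording nits in the `+` lines: drop the stray comma in "can be significant because, attackers might", and `known_false_positives` should read "Additional filters need to be applied".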
@@ -31,33 +31,13 @@ tags: - Windows Persistence Techniques - Data Destruction asset_type: Endpoint - confidence: 100 - impact: 80 - message: Registry path $registry_path$ was modified, added, or deleted in $dest$. mitre_attack_id: - T1546.001 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml index 0ca516e5f4..df82e6aa8b 100644 --- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml +++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml 
@@ -1,18 +1,40 @@ name: Windows New Deny Permission Set On Service SD Via Sc.EXE id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33 -version: 1 -date: '2024-12-05' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. +description: The following analytic detects changes in a service security descriptor + where a new deny ace has been added. It leverages data from Endpoint Detection and + Response (EDR) agents, specifically searching for any process execution involving + the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated + deny ace. If confirmed malicious, this could allow an attacker to escalate their + privileges, blind defenses and more. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" Processes.process="*(D;*" Processes.process IN ("*;IU*", "*;S-1-5-4*", "*;SU*", "*;S-1-5-6*", "*;BA*", "*;S-1-5-32-544*", "*;SY*", "*;S-1-5-18*", "*;WD*", "*;S-1-1-0*", "*;AU*", "*;S-1-5-11*", "*;LS*", "*;S-1-5-19*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_deny_permission_set_on_service_sd_via_sc_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: None identified. Attempts to add deny aces to services, especially security-related services should be immediately investigated. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset + *" Processes.process="*(D;*" Processes.process IN ("*;IU*", "*;S-1-5-4*", "*;SU*", + "*;S-1-5-6*", "*;BA*", "*;S-1-5-32-544*", "*;SY*", "*;S-1-5-18*", "*;WD*", "*;S-1-1-0*", + "*;AU*", "*;S-1-5-11*", "*;LS*", "*;S-1-5-19*") by Processes.dest Processes.user + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_deny_permission_set_on_service_sd_via_sc_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process name, and process original file name. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: None identified. Attempts to add deny aces to services, especially + security-related services should be immediately investigated. references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf 
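Review bot: the reflow splits the quoted SPL literal `"*sdset *"` across two lines (`Processes.process="*sdset` / `*"`). Inside a YAML single-quoted scalar the line break folds to a single space, so the literal survives today, but a break inside a quoted search term is fragile and easy to corrupt on the next automated reflow; keep string literals and the IN (...) list on one line even if it exceeds the wrap width. Minor: "deny ace" should be capitalised as "deny ACE" throughout the description and `known_false_positives`.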
@@ -23,53 +45,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1564 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml index 5d5e6a454a..30f031abec 100644 --- a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml +++ b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml 
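Review bot: the `rba.message` carried over from the removed `message` field says the process "was identified attempting to disable security services", but the search fires on a deny ACE being set on any service's security descriptor (the description says "targeting any service"), so the message overstates what was observed; suggest "set a deny ACE on a service security descriptor via sc.exe sdset on endpoint $dest$ by user $user$". The `threat_objects` entry on `process_name` and the 30/30 scores on `user`/`dest` match the removed `observable` and `risk_score: 30`, so that part is consistent.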
@@ -1,16 +1,37 @@ name: Windows New EventLog ChannelAccess Registry Value Set id: 16eb11bc-ef42-42e8-9d0c-d21e0fa15725 -version: 1 -date: '2024-12-06' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs. +description: The following analytic detects suspicious modifications to the EventLog + security descriptor registry value for defense evasion. It leverages data from the + Endpoint.Registry data model, focusing on changes to the "CustomSD" value within + the + "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD" + path. This activity is significant as changes to the access permissions of the event + log could blind security products and help attackers evade defenses. If confirmed + malicious, this could allow attackers to block users and security products from + viewing, ingesting and interacting event logs. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 -known_false_positives: False positives may be triggered from newly installed event providers or windows updates, new "ChannelAccess" values must be investigated. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", + "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess + BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid + Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name Registry.registry_path + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records registry activity from your hosts to populate the endpoint data model + in the registry node. This is typically populated via endpoint detection-and-response + product, such as Carbon Black or endpoint data sources, such as Sysmon. The data + used for this search is typically generated via logs that report reads and writes + to the registry. If you are using Sysmon, you must have at least version 2.0 of + the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: False positives may be triggered from newly installed event + providers or windows updates, new "ChannelAccess" values must be investigated. references: - https://web.archive.org/web/20220710181255/https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness - https://attack.mitre.org/techniques/T1562/002/ 
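Review bot: the reflowed description in this hunk still talks about the "CustomSD" value and the `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD` path, while the analytic name, the `Registry.registry_value_name=ChannelAccess` predicate and the `WINEVT\Channels` / `EventLog` paths in the search all target ChannelAccess; the text looks carried over from the CustomSD analytic and should describe the ChannelAccess value and the paths the search actually matches. Two smaller points on the same lines: the two patterns in the `IN (...)` list escape backslashes differently (`"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*"` versus `"*\Microsoft\Windows\EventLog\*"`) and should be made consistent, and "viewing, ingesting and interacting event logs" is missing "with". The `Registry.registry_path` added to the BY clause is what makes the `$registry_path$` token in the new risk message resolvable, so the version bump is warranted.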
@@ -20,45 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: modified/added/deleted registry entry $registry_path$ in $dest$ + risk_objects: + - field: dest + type: system + score: 30 + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - LockBit Ransomware - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 50 - impact: 60 - message: modified/added/deleted registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - 
Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml index 113a1c4a35..ac2d4ce5ad 100644 --- a/detections/endpoint/windows_new_inprocserver32_added.yml +++ b/detections/endpoint/windows_new_inprocserver32_added.yml 
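Review bot: `threat_objects: []` in the new `rba` block leaves this analytic with no threat object even though the search already groups by `Registry.process_guid` and `Registry.registry_value_data`; consider whether one of those should be surfaced so the risk event carries the writing process or the new security descriptor, if the schema offers a matching type. The numbers check out: 30 per risk object equals the removed `confidence: 50` × `impact: 60` / 100 = `risk_score: 30`, and both `$registry_path$` and `$dest$` in the message are produced by the search's BY clause.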
@@ -1,51 +1,49 @@ name: Windows New InProcServer32 Added id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 13 type: Hunting status: production -description: The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results. +description: The following analytic detects the addition of new InProcServer32 registry + keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel + to identify changes in registry paths associated with InProcServer32. 
This activity + is significant because malware often uses this mechanism to achieve persistence + or execute malicious code by registering a new InProcServer32 key pointing to a + harmful DLL. If confirmed malicious, this could allow an attacker to persist in + the environment or execute arbitrary code, posing a significant threat to system + integrity and security. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid + Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: False positives are expected. Filtering will be needed to properly + reduce legitimate applications from the results. references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ tags: analytic_story: - Outlook RCE CVE-2024-21378 asset_type: Endpoint - confidence: 20 - impact: 10 - message: A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ . 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_value_data - - Registry.dest - - Registry.process_guid - - Registry.user - risk_score: 2 security_domain: endpoint cve: - CVE-2024-21378 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml index 4b03015de1..73f25dd448 100644 --- a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml +++ b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml 
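Review bot: the InProcServer32 search still calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` although its `tstats` only computes `count` and never defines `firstTime` or `lastTime`, so both macros run on absent fields; add `min(_time) as firstTime max(_time) as lastTime` to the `tstats` aggregation (as the other analytics in this patch do) or drop the two macros. This is pre-existing, but the reflow and the bump to `version: 5` are the right moment to fix it. Minor: the pipe before `security_content_ctime(firstTime)` has no space after it, unlike the rest of the search.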
@@ -1,18 +1,38 @@ name: Windows New Service Security Descriptor Set Via Sc.EXE id: cde00c31-042a-4307-bf70-25e471da56e9 -version: 1 -date: '2024-12-05' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. +description: The following analytic detects changes in a service security descriptor + where a new deny ace has been added. It leverages data from Endpoint Detection and + Response (EDR) agents, specifically searching for any process execution involving + the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated + deny ace. If confirmed malicious, this could allow an attacker to escalate their + privileges, blind defenses and more. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_service_security_descriptor_set_via_sc_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset + *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_new_service_security_descriptor_set_via_sc_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process name, and process original file name. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: None identified. Attempts to disable security-related services + should be identified and understood. references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf 
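Review bot: the description says the analytic looks for `sc.exe sdset` invocations that add a deny ACE, but the search only matches `Processes.process="*sdset *"`, so every `sc sdset` call is flagged regardless of whether the new SDDL contains a deny ACE; either narrow the predicate (for example by also requiring a `(D;` ACE string in the command line) or reword the description and revisit `known_false_positives: None identified`, since legitimate administrative use of `sdset` will match as written. Separately, the reflow splits the quoted literal across lines (`Processes.process="*sdset` / `*"`); YAML single-quoted folding turns that newline into one space so the value is unchanged, but keeping a quoted SPL literal on one line is safer against future edits.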
@@ -23,53 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 60 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1564 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml index 0457c425a3..aae826157a 100644 --- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml 
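Review bot: the `rba.message` carried over from the old `tags.message` says the process was "attempting to disable security services on endpoint $dest$", which does not describe what this analytic detects (a service security descriptor set via `sc.exe sdset`, as the name and description state); reword it around the SDDL change so the risk event is not misleading to the analyst who triages it. The rest of the block is consistent: 36 equals the removed `confidence: 60` × `impact: 60` / 100 = `risk_score: 36`, and `$parent_process_name$`, `$process_name$`, `$dest$` and `$user$` are all in the search's BY clause.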
@@ -1,18 +1,39 @@ name: Windows Ngrok Reverse Proxy Usage id: e2549f2c-0aef-408a-b0c1-e0f270623436 -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the execution of ngrok.exe on a Windows operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly used by adversaries to bypass network defenses and establish reverse proxies. If confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, or facilitate further attacks by tunneling traffic through the compromised system. +description: The following analytic detects the execution of ngrok.exe on a Windows + operating system. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line arguments. This activity is significant + because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly + used by adversaries to bypass network defenses and establish reverse proxies. If + confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, + or facilitate further attacks by tunneling traffic through the compromised system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe + Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", + "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_ngrok_reverse_proxy_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present based on organizations that + allow the use of Ngrok. Filter or monitor as needed. references: - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf drilldown_searches: 
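Review bot: the ngrok `Processes.process IN (...)` list contains `"*http*"` twice (`"*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*"`); drop the duplicate while the search is being reflowed. The header also jumps from `version: 5` to `version: 7`: if 6 was never published, bump to 6, and if it was, the intermediate change should appear in the history. Minor: `how_to_implement` asks for the process GUID, but the search does not group by `Processes.process_guid`.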
@@ -21,61 +42,48 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ + on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 50 + - field: dest + type: system + score: 50 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Reverse Network Proxy - CISA AA22-320A - CISA AA24-241A asset_type: Endpoint - confidence: 100 - impact: 50 - message: A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1572 - T1090 - T1102 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml index d792dbaad2..4a5461615e 100644 --- a/detections/endpoint/windows_nirsoft_advancedrun.yml +++ b/detections/endpoint/windows_nirsoft_advancedrun.yml 
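Review bot: this hunk removes `update_timestamp: true` from the ngrok test while none of the other tests in the patch carry it; confirm the replayed dataset still falls inside the test's search window without timestamp rewriting, otherwise the True Positive Test returns nothing. The new `rba` block is consistent with what it replaces: 50 per risk object equals the removed `confidence: 100` × `impact: 50` / 100 = `risk_score: 50`, and both threat objects are fields the search groups by.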
@@ -1,18 +1,40 @@ name: Windows NirSoft AdvancedRun id: bb4f3090-7ae4-11ec-897f-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of AdvancedRun.exe, a tool with capabilities similar to remote administration programs like PsExec. It identifies the process by its name or original file name and flags common command-line arguments. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. Monitoring this activity is crucial as AdvancedRun can be used for remote code execution and configuration-based automation. If malicious, this could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment. +description: The following analytic detects the execution of AdvancedRun.exe, a tool + with capabilities similar to remote administration programs like PsExec. It identifies + the process by its name or original file name and flags common command-line arguments. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and command-line telemetry. Monitoring this activity is crucial + as AdvancedRun can be used for remote code execution and configuration-based automation. + If malicious, this could allow attackers to execute arbitrary commands, escalate + privileges, or maintain persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN ("*EXEFilename*","*/cfg*","*RunAs*", "*WindowState*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe + OR Processes.original_file_name=advancedrun.exe) Processes.process IN ("*EXEFilename*","*/cfg*","*RunAs*", + "*WindowState*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.original_file_name Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited as it is specific to AdvancedRun. + Filter as needed based on legitimate usage. references: - http://www.nirsoft.net/utils/advanced_run.html - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ 
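Review bot: `version` jumps from 4 to 6 in this hunk with `date` moving from 2024-09-30 to 2024-11-13; as with the ngrok analytic in this patch, confirm that a version 5 exists or bump to 5 instead. Style: on the reflowed search line `security_content_ctime(firstTime)` is followed by `|` with no space before the pipe, whereas the other analytics in this patch write ` | `.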
@@ -22,9 +44,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ + on $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 60 + - field: dest + type: system + score: 60 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Ransomware 
@@ -32,50 +74,17 @@ tags: - Data Destruction - WhisperGate asset_type: Endpoint - confidence: 100 - impact: 60 - message: An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1588.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml index 128e7e6716..feb2c85d6f 100644 --- a/detections/endpoint/windows_nirsoft_utilities.yml +++ b/detections/endpoint/windows_nirsoft_utilities.yml 
@@ -1,18 +1,38 @@ name: Windows NirSoft Utilities id: 5b2f4596-7d4c-11ec-88a7-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise. +description: The following analytic identifies the execution of commonly used NirSoft + utilities on Windows systems. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution details such as process name, parent + process, and command-line arguments. This activity is significant for a SOC because + NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes + like credential theft or system reconnaissance. If confirmed malicious, this activity + could lead to unauthorized access, data exfiltration, or further system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present. Filtering may be required before setting to alert. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.original_file_name Processes.process_path + Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` + | `windows_nirsoft_utilities_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present. Filtering may be required before + setting to alert. references: - https://www.cisa.gov/uscert/ncas/alerts/TA18-201A - http://www.nirsoft.net/ 
@@ -22,50 +42,17 @@ tags: - Data Destruction - WhisperGate asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage. mitre_attack_id: - T1588.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml index aecbd10aeb..4924b4b79e 100644 --- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml +++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml 
@@ -1,15 +1,31 @@ name: Windows Njrat Fileless Storage via Registry id: a5fffbbd-271f-4980-94ed-4fbf17f0af1c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\[kl]" OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +description: The following analytic detects suspicious registry modifications indicative + of NjRat's fileless storage technique. 
It leverages the Endpoint.Registry data model + to identify specific registry paths and values commonly used by NjRat for keylogging + and executing DLL plugins. This activity is significant as it helps evade traditional + file-based detection systems, making it crucial for SOC analysts to monitor. If + confirmed malicious, this behavior could allow attackers to persist on the host, + execute arbitrary code, and capture sensitive keystrokes, leading to potential data + breaches and further system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\[kl]" + OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") by Registry.dest + Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name + Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat 
@@ -19,42 +35,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a suspicious registry entry related to NjRAT keylloging registry on $dest$ + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - NjRAT asset_type: Endpoint - confidence: 100 - impact: 100 - message: a suspicious registry entry related to NjRAT keylloging registry in $dest$ mitre_attack_id: - T1027.011 - T1027 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_registry.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_registry.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index ad7883697f..df8ce72c4c 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml 
@@ -1,15 +1,28 @@ name: Windows Non Discord App Access Discord LevelDB id: 1166360c-d495-45ac-87a6-8948aac1fa07 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-22' author: Teoderick Contreras, Splunk data_source: - Windows Event Log Security 4663 type: Anomaly status: production -description: The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users. -search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\discord\\Local Storage\\leveldb*") AND process_name != *\\discord.exe AND NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." +description: The following analytic detects non-Discord applications accessing the + Discord LevelDB database. It leverages Windows Security Event logs, specifically + event code 4663, to identify file access attempts to the LevelDB directory by processes + other than Discord. 
This activity is significant as it may indicate attempts to + steal Discord credentials or access sensitive user data. If confirmed malicious, + this could lead to unauthorized access to user profiles, messages, and other critical + information, potentially compromising the security and privacy of the affected users. +search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\discord\\Local + Storage\\leveldb*") AND process_name != *\\discord.exe AND NOT (process_path IN + ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name + object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger 
@@ -19,42 +32,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-discord process $process_name$ accessing discord "leveldb" file on + $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Snake Keylogger - PXA Stealer asset_type: Endpoint - confidence: 30 - impact: 30 - message: A non-discord process $process_name$ accessing discord "leveldb" file on $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test 
attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index 12977953b1..0a6c933bc2 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml 
@@ -1,16 +1,31 @@ name: Windows Non-System Account Targeting Lsass id: b1ce9a72-73cf-11ec-981b-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats. +description: The following analytic identifies non-SYSTEM accounts requesting access + to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access + attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM + users. This activity is significant as it may indicate credential dumping attempts + or unauthorized access to sensitive credentials. If confirmed malicious, an attacker + could potentially extract credentials from memory, leading to privilege escalation + or lateral movement within the network. Immediate investigation is required to determine + the legitimacy of the access request and to mitigate any potential threats. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -known_false_positives: False positives will occur based on legitimate application requests, filter based on source image as needed. +search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") + | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, + parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, + TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `windows_non_system_account_targeting_lsass_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. +known_false_positives: False positives will occur based on legitimate application + requests, filter based on source image as needed. references: - https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump 
@@ -23,51 +38,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process, $parent_process_path$, has loaded $TargetImage$ that are typically + related to credential dumping on $dest$. Review for further details. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_path + type: process tags: analytic_story: - CISA AA23-347A - Credential Dumping asset_type: Endpoint - confidence: 80 - impact: 80 - message: A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details. 
mitre_attack_id: - T1003.001 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_path - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - TargetImage - - GrantedAccess - - SourceImage - - SourceProcessId - - SourceUser - - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml new file mode 100644 index 0000000000..63b11d9fe4 --- /dev/null +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml 
@@ -0,0 +1,56 @@ +name: Windows Obfuscated Files or Information via RAR SFX +id: 4ab6862b-ce88-4223-96c0-f6da2cffb898 +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon Event ID 11 +type: Anomaly +status: production +description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery. +search: '`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*") + | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer + | rename Computer as dest + | rename TargetFilename as file_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_obfuscated_files_or_information_via_rar_sfx_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where rar sfx executable may be used. +known_false_positives: It can detect a third part utility software tool compiled to rar sfx. 
+references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A process commandline- [$Image$] that drops [$file_name$] on [$dest$]. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: file_name + type: file_name +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1027.013 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml index 93ac6480dc..74f8eee1e3 100644 --- a/detections/endpoint/windows_odbcconf_hunting.yml +++ b/detections/endpoint/windows_odbcconf_hunting.yml 
@@ -1,18 +1,38 @@ name: Windows Odbcconf Hunting id: 0562ad4b-fdaa-4882-b12f-7b8e0034cd72 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment. +description: The following analytic identifies the execution of Odbcconf.exe within + the environment. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events where the process name is Odbcconf.exe. This + activity is significant because Odbcconf.exe can be used by attackers to execute + arbitrary commands or load malicious DLLs, potentially leading to code execution + or persistence. If confirmed malicious, this behavior could allow an attacker to + maintain access to the system, execute further malicious activities, or escalate + privileges, posing a significant threat to the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present as this is meant to assist with filtering and tuning. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present as this is meant to assist + with filtering and tuning. references: - https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html - https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw 
@@ -20,51 +40,17 @@ tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 20 - impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls. mitre_attack_id: - T1218.008 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 6 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml index 96b9cdee1b..f7a52f0e6a 100644 --- a/detections/endpoint/windows_odbcconf_load_dll.yml +++ b/detections/endpoint/windows_odbcconf_load_dll.yml 
@@ -1,18 +1,39 @@ name: Windows Odbcconf Load DLL id: 141e7fca-a9f0-40fd-a539-9aac8be41f1b -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of odbcconf.exe with the regsvr action to load a DLL. This is identified by monitoring command-line arguments in process creation logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to execute arbitrary code via DLL loading, a common technique used in various attack vectors. If confirmed malicious, this could allow an attacker to execute code with the privileges of the odbcconf.exe process, potentially leading to system compromise or further lateral movement. +description: The following analytic detects the execution of odbcconf.exe with the + regsvr action to load a DLL. This is identified by monitoring command-line arguments + in process creation logs from Endpoint Detection and Response (EDR) agents. This + activity is significant as it may indicate an attempt to execute arbitrary code + via DLL loading, a common technique used in various attack vectors. If confirmed + malicious, this could allow an attacker to execute code with the privileges of the + odbcconf.exe process, potentially leading to system compromise or further lateral + movement. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN ("*/a *", "*-a*") Processes.process="*regsvr*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe + Processes.process IN ("*/a *", "*-a*") Processes.process="*regsvr*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering may need to occur + based on legitimate application usage. Filter as needed. references: - https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html - https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw 
@@ -22,58 +43,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to circumvent controls. + risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls. 
mitre_attack_id: - T1218.008 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml index 632d2600f5..7d234fd114 100644 --- a/detections/endpoint/windows_odbcconf_load_response_file.yml +++ b/detections/endpoint/windows_odbcconf_load_response_file.yml 
@@ -1,18 +1,39 @@ name: Windows Odbcconf Load Response File id: 1acafff9-1347-4b40-abae-f35aa4ba85c1 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of odbcconf.exe with a response file, which may contain commands to load a DLL (REGSVR) or other instructions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially leading to unauthorized actions. If confirmed malicious, this could allow an attacker to gain code execution, escalate privileges, or establish persistence within the environment. +description: The following analytic detects the execution of odbcconf.exe with a response + file, which may contain commands to load a DLL (REGSVR) or other instructions. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. This activity is significant as it + may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially + leading to unauthorized actions. If confirmed malicious, this could allow an attacker + to gain code execution, escalate privileges, or establish persistence within the + environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN ("*-f *","*/f *") Processes.process="*.rsp*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe + Processes.process IN ("*-f *","*/f *") Processes.process="*.rsp*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering may need to occur + based on legitimate application usage. Filter as needed. references: - https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html - https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw 
@@ -22,58 +43,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to circumvent controls. + risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 70 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls. 
mitre_attack_id: - T1218.008 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml new file mode 100644 index 0000000000..52313880e5 --- /dev/null +++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml 
@@ -0,0 +1,69 @@ +name: Windows Office Product Dropped Cab or Inf File +id: dbdd251e-dd45-4ec9-a555-f5e151391746 +version: 1 +date: '2025-01-20' +author: Michael Haag, Splunk +status: production +type: TTP +description: The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data. +data_source: +- Sysmon EventID 1 AND Sysmon EventID 11 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_office_products` by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.cab", "*.inf") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `windows_office_product_dropped_cab_or_inf_file_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that 
include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. +known_false_positives: The query is structured in a way that `action` (read, create) + is not defined. Review the results of this query, filter, and tune as necessary. + It may be necessary to generate this query specific to your endpoint product. +references: +- https://twitter.com/vxunderground/status/1436326057179860992?s=20 +- https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/ +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 +- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on $dest$ writing an inf or + cab file to this. This is not typical of $process_name$. 
+ risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Spearphishing Attachments + - Microsoft MSHTML Remote Code Execution CVE-2021-40444 + - Compromised Windows Host + asset_type: Endpoint + cve: + - CVE-2021-40444 + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml new file mode 100644 index 0000000000..bf3090d832 --- /dev/null +++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml 
@@ -0,0 +1,64 @@ +name: Windows Office Product Dropped Uncommon File +id: 7ac0fced-9eae-4381-a748-90dcd1aa9393 +version: 1 +date: '2025-01-20' +author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github +status: production +type: Anomaly +description: The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as ".exe", ".dll", or ".ps1". This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment. +data_source: +- Sysmon EventID 1 AND Sysmon EventID 11 +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_office_products` by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.dll", "*.exe", "*.js", "*.pif", "*.ps1", "*.scr", "*.vbe", "*.vbs") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `windows_office_product_dropped_uncommon_file_filter`' +how_to_implement: To successfully implement this search, you need to be 
ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +known_false_positives: office macro for automation may do this behavior +references: +- https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation +- https://attack.mitre.org/groups/G0046/ +- https://www.joesandbox.com/analysis/702680/0/html +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: process $process_name$ drops a file $file_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - CVE-2023-21716 Word RTF Heap Corruption + - Warzone RAT + - FIN7 + - Compromised Windows Host + - AgentTesla + - PlugX + asset_type: Endpoint + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk 
Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml similarity index 72% rename from detections/endpoint/mshtml_module_load_in_office_product.yml rename to detections/endpoint/windows_office_product_loaded_mshtml_module.yml index adaaba6fd6..2d546a5b2b 100644 --- a/detections/endpoint/mshtml_module_load_in_office_product.yml +++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml 
@@ -1,14 +1,14 @@ -name: MSHTML Module Load in Office Product -id: 5f1c168e-118b-11ec-84ff-acde48001122 -version: 5 -date: '2024-09-30' +name: Windows Office Product Loaded MSHTML Module +id: 4cc015c9-687c-40d2-adcc-46350f66e10c +version: 1 +date: '2025-01-20' author: Michael Haag, Mauricio Velazco, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration. data_source: - Sysmon EventID 7 -search: '`sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`' +search: '`sysmon` EventID=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe") loaded_file_path IN ("*\\mshtml.dll", 
"*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_loaded_mshtml_module_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll. references: 
@@ -25,41 +25,31 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ loading + mshtml.dll. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - CVE-2023-36884 Office and Windows HTML RCE Vulnerability asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ImageLoaded - - process_name - - OriginalFileName - - process_id - - dest - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml similarity index 76% rename from detections/endpoint/office_document_creating_schedule_task.yml rename to detections/endpoint/windows_office_product_loading_taskschd_dll.yml index 9c3c447078..b16c25faa3 100644 
--- a/detections/endpoint/office_document_creating_schedule_task.yml +++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml 
@@ -1,14 +1,14 @@ -name: Office Document Creating Schedule Task -id: cc8b7b74-9d0f-11eb-8342-acde48001122 -version: 8 -date: '2024-09-30' +name: Windows Office Product Loading Taskschd DLL +id: d7297cfa-1f04-4714-bfbe-3679e0666959 +version: 1 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`' +search: '`sysmon` EventCode=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`windows_office_product_loading_taskschd_dll_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. known_false_positives: False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll. references: 
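Review bot: the taskschd rename hunk changes `type: TTP` to `type: Anomaly` and the name to `Windows Office Product Loading Taskschd DLL`, but the unchanged `description` still claims the analytic "detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`", and `known_false_positives` tells the analyst to "add the task name to the exclusion list". The search only sees a Sysmon EventCode 7 image load of `taskschd.dll`; no task name or command appears in its `stats ... by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid` output, so reword both to say the DLL load is the signal and that the task itself must be located with a follow-up search. One more point in the same hunk: `onenoteviewer.exe` was in the old `process_name IN (...)` list and is absent from the new one; drop it deliberately or add it back.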
@@ -24,36 +24,25 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An Office document was identified creating a scheduled task on $dest$. + Investigate further. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments asset_type: Endpoint - confidence: 70 - impact: 70 - message: An Office document was identified creating a scheduled task on $dest$. Investigate further. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - ImageLoaded - - AllImageLoaded - - dest - - EventCode - - Image - - process_name - - ProcessId - - ProcessGuid - - _time - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml similarity index 78% rename from detections/endpoint/office_document_executing_macro_code.yml rename to detections/endpoint/windows_office_product_loading_vbe7_dll.yml index 7cbe39d7e0..d4aa93a79a 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml 
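Review bot: the new `rba` block for the taskschd detection emits `threat_objects: []` although the search groups by `process_name`, `loaded_file_path` and `process_guid`; add at least `- field: process_name` / `type: process_name` so the risk event carries an indicator to pivot on. The same empty `threat_objects: []` appears in the vbe7 and download `rba` blocks later in this change, where `process_name` is likewise available in the `by` clause. The message `An Office document was identified creating a scheduled task on $dest$.` also overstates what a `taskschd.dll` image load proves; `$process_name$ loaded taskschd.dll on $dest$` would match the renamed analytic. `score: 49` matches the removed confidence 70 × impact 70.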
@@ -1,14 +1,14 @@ -name: Office Document Executing Macro Code -id: b12c89bc-9d06-11eb-a592-acde48001122 -version: 7 -date: '2024-09-30' +name: Windows Office Product Loading VBE7 DLL +id: 7cfec906-2697-43f7-898b-83634a051d9a +version: 1 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`' +search: '`sysmon` EventCode=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") loaded_file_path IN ("*\\VBE7INTL.DLL", "*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`windows_office_product_loading_vbe7_dll_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. known_false_positives: False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL. references: @@ -27,6 +27,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office document executing a macro on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments 
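Review bot: the vbe7 rename hunk drops `onenoteviewer.exe` from the `process_name IN (...)` list the previous version matched, and flips `type: TTP` to `type: Anomaly` without touching the `description`, which still reads "processes like WINWORD.EXE or EXCEL.EXE" and presents macro execution as the detected event. Only the `VBE7INTL.DLL`/`VBE7.DLL`/`VBEUI.DLL` image load is observed, so say so in the description, and fix `known_false_positives`: "add the document name to the exclusion list" is not actionable because no document name appears in the `stats ... by dest EventCode process_name process_guid` output; the exclusion would have to key on `process_guid` or on the loading process.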
@@ -40,32 +47,13 @@ tags: - PlugX - NjRAT asset_type: Endpoint - confidence: 50 - impact: 70 - message: Office document executing a macro on $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - ImageLoaded - - AllImageLoaded - - dest - - EventCode - - Image - - process_name - - ProcessId - - ProcessGuid - - _time - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml similarity index 72% rename from detections/endpoint/office_document_spawned_child_process_to_download.yml rename to detections/endpoint/windows_office_product_spawned_child_process_for_download.yml index 1eef641d0b..0b215898be 100644 --- a/detections/endpoint/office_document_spawned_child_process_to_download.yml +++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml @@ -1,7 +1,7 @@ -name: Office Document Spawned Child Process To Download -id: 6fed27d2-9ec7-11eb-8fe4-aa665a019aa3 -version: 8 -date: '2024-09-30' +name: Windows Office Product Spawned Child Process For Download +id: f02b64b8-cbea-4f75-bf77-7a05111566b1 +version: 1 +date: '2025-01-14' author: Teoderick Contreras, Splunk status: production type: TTP 
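Review bot: `id`, `version` and the filter macro change in all three renames (`office_document_creating_schedule_task` to `windows_office_product_loading_taskschd_dll`, `office_document_executing_macro_code` to `windows_office_product_loading_vbe7_dll`, and here `office_document_spawned_child_process_to_download` to `windows_office_product_spawned_child_process_for_download`), which makes Enterprise Security treat each one as a brand-new correlation search: the old `office_document_spawned_child_process_to_download_filter` macro and any per-site tuning, suppressions and notable history keyed on `6fed27d2-9ec7-11eb-8fe4-aa665a019aa3` are left behind. Either keep the original `id` (git already recognises these as renames at 72-78% similarity) or add a deprecated stub for each old id so the migration is explicit; if the id is retained, `version` should continue from 8 rather than restart at 1.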
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN ("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Default browser not in the filter list. references: @@ -25,6 +25,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office document spawning suspicious child process on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments 
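Review bot: `process_office_products_parent` replaces an explicit twelve-name parent list in the download search; confirm the macro includes every name that was there, notably `onenoteviewer.exe`, which the sibling image-load searches in this change also dropped. The browser exclusion `NOT (Processes.original_file_name IN ("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe"))` only works for sources that populate `original_file_name` (Sysmon, CrowdStrike); Windows Security 4688, listed under `data_source`, does not carry OriginalFileName, so on that source a browser launched from an Office hyperlink is not excluded and fires as a false positive. Either state that in `known_false_positives` or extend the exclusion to `Processes.process_name` as well.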
@@ -32,35 +39,13 @@ tags: - PlugX - NjRAT asset_type: Endpoint - confidence: 50 - impact: 70 - message: Office document spawning suspicious child process on $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml new file mode 100644 index 0000000000..314783f994 --- /dev/null +++ b/detections/endpoint/windows_office_product_spawned_control.yml 
@@ -0,0 +1,86 @@ +name: Windows Office Product Spawned Control +id: 081c485d-ac8d-4bee-ad4c-525772fead4d +version: 2 +date: '2025-01-14' +author: Michael Haag, Splunk +status: production +type: TTP +description: The following analytic identifies instances where `control.exe` is spawned + by a Microsoft Office product. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process and parent process relationships. This activity + is significant because it can indicate exploitation attempts related to CVE-2021-40444, + where `control.exe` is used to execute malicious .cpl or .inf files. If confirmed + malicious, this behavior could allow an attacker to execute arbitrary code, potentially + leading to system compromise, data exfiltration, or further lateral movement within + the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_office_product_spawned_control_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Limited false positives should be present. +references: +- https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html +- https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/ +- https://attack.mitre.org/techniques/T1218/011/ +- https://www.echotrail.io/insights/search/control.exe/ +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ clicking a suspicious attachment. 
+ risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - Spearphishing Attachments + - Microsoft MSHTML Remote Code Execution CVE-2021-40444 + - Compromised Windows Host + asset_type: Endpoint + cve: + - CVE-2021-40444 + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml new file mode 100644 index 0000000000..446f762e55 --- /dev/null +++ b/detections/endpoint/windows_office_product_spawned_msdt.yml 
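Review bot: the rba message in the new control.yml, `An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.`, asserts a user action the process telemetry cannot show; drop "clicking a suspicious attachment" and, since the description is about `.cpl`/`.inf` execution, include `$process$` so the analyst sees the argument passed to `control.exe`. `mitre_attack_id` lists only `T1566` and `T1566.001` although the references cite `attack.mitre.org/techniques/T1218/011` and the `T1218.002` atomic and the behaviour described is `control.exe` running attacker-supplied Control Panel items; `T1218.002` belongs in the mapping. Finally, a file added as `new file mode 100644` starting at `version: 2` (msdt.yml does the same) while rundll32 and uncommon-process start at `version: 1` suggests these replaced earlier detections without git detecting the rename; if so, carry the old ids over or deprecate them, otherwise start at 1.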
@@ -0,0 +1,89 @@ +name: Windows Office Product Spawned MSDT +id: a3148fad-3734-4b7f-9a71-62f08d39fab1 +version: 2 +date: '2025-01-14' +author: Michael Haag, Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects a Microsoft Office product spawning the + Windows msdt.exe process. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where Office applications + are the parent process. This activity is significant as it may indicate an attempt + to exploit protocol handlers to bypass security controls, even if macros are disabled. + If confirmed malicious, this behavior could allow an attacker to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_msdt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited, however filter as needed. +references: +- https://isc.sans.edu/diary/rss/28694 +- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e +- https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A +- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ +- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection +- https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ has 
spawned a child process $process_name$ + on host $dest$. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - Spearphishing Attachments + - Compromised Windows Host + - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 + asset_type: Endpoint + cve: + - CVE-2022-30190 + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml new file mode 100644 index 0000000000..21813278bb --- /dev/null +++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml 
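Review bot: the msdt search filters on a bare `Processes.process_name=msdt.exe` whereas the rundll32 and uncommon-process searches in this change go through `process_*` macros; a renamed copy of msdt.exe slips past this match even though `Processes.original_file_name` is already in the `by` clause, so match `(Processes.process_name=msdt.exe OR Processes.original_file_name=msdt.exe)` or introduce a matching macro. Both risk objects are scored 100 while `known_false_positives` concedes filtering may be needed; consider whether a single Office-to-msdt launch should fully max out the `user` score as well as the `dest` score. `version: 2` on a `new file mode 100644` file should be `1` unless this inherits an earlier detection's id.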
@@ -0,0 +1,83 @@ +name: Windows Office Product Spawned Rundll32 With No DLL +id: f28e787e-69ca-480e-9f98-ab970e6d4bcc +version: 1 +date: '2025-01-14' +author: Michael Haag, Splunk +status: production +type: TTP +description: The following analytic detects any Windows Office Product spawning `rundll32.exe` + without a `.dll` file extension. This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on process and parent process relationships. + This activity is significant as it is a known tactic of the IcedID malware family, + which can lead to unauthorized code execution. If confirmed malicious, this could + allow attackers to execute arbitrary code, potentially leading to data exfiltration, + system compromise, or further malware deployment. Immediate investigation and containment + are recommended. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_rundll32_with_no_dll_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives should be limited, but if any are present, + filter as needed. +references: +- https://www.joesandbox.com/analysis/395471/0/html +- https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/ +- https://any.run/malware-trends/icedid +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ and no dll commandline $process$ + on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Spearphishing Attachments + - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + - Compromised Windows Host + - Prestige Ransomware + - Graceful Wipe Out Attack + - Crypto Stealer + asset_type: Endpoint 
+ mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml new file mode 100644 index 0000000000..5dc516ea3d --- /dev/null +++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml 
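Review bot: the rundll32 search overlaps the uncommon-process search in this change, whose `process_rundll32` term also matches every Office-spawned rundll32; an IcedID-style launch with no `.dll` in the command line therefore raises two TTP risk events on `dest` (63 here plus 70 there). If that stacking is intended, say so in the description; otherwise remove `process_rundll32` from the uncommon-process list. Also, `Processes.process!=*.dll*` requires a populated `process` field and excludes any command line containing `.dll` anywhere, including inside a directory name; the first is already the stated requirement in `how_to_implement`, but the second is worth a sentence in `known_false_positives` since it is a gap an attacker can choose to sit in.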
@@ -0,0 +1,109 @@ +name: Windows Office Product Spawned Uncommon Process +id: 55d8741c-fa32-4692-8109-410304961eb8 +version: 1 +date: '2025-01-13' +author: Michael Haag, Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects a Microsoft Office product spawning uncommon processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt of a malicious macro execution or exploitation of an unknown vulnerability in an office product, in order to bypass security controls. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` AND (`process_bitsadmin` OR `process_certutil` OR `process_cmd` OR `process_cscript` OR `process_mshta` OR `process_powershell` OR `process_regsvr32` OR `process_rundll32` OR `process_wmic` OR `process_wscript`) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_uncommon_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives should be limited, however filter as needed. +references: +- https://any.run/malware-trends/trickbot +- https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe +- https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/ +- https://attack.mitre.org/techniques/T1047/ +- https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/ +- https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md +- https://redcanary.com/threat-detection-report/threats/TA551/ +- https://twitter.com/cyb3rops/status/1416050325870587910?s=21 +- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing +- https://www.joesandbox.com/analysis/380662/0/html +- https://www.joesandbox.com/analysis/702680/0/html +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ 
+- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - AgentTesla + - Azorult + - Compromised Windows Host + - CVE-2023-21716 Word RTF Heap Corruption + - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + - DarkCrystal RAT + - FIN7 + - IcedID + - NjRAT + - PlugX + - Qakbot + - Remcos + - Spearphishing Attachments + - Trickbot + - Warzone RAT + asset_type: Endpoint + mitre_attack_id: + - T1566 + - T1566.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test - Macro + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog +- name: True 
Positive Test - IcedId + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog +- name: True Positive Test - TrickBot + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml index f399ceb9f6..5a60c562ed 100644 --- a/detections/endpoint/windows_outlook_webview_registry_modification.yml +++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml 
@@ -1,16 +1,40 @@ name: Windows Outlook WebView Registry Modification id: 6e1ad5d4-d9af-496a-96ec-f31c11cd09f2 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 13 type: Anomaly status: production -description: The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the "URL" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information. -search: '| tstats `security_content_summariesonly` count values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_data) as registry_value_data min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*" OR Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\Today") AND Registry.registry_value_name="URL" by Registry.dest, Registry.user, Registry.registry_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_outlook_webview_registry_modification_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may occur if legitimate Outlook processes are modified. +description: The following analytic identifies modifications to specific Outlook registry + values related to WebView and Today features. It detects when a URL is set in these + registry locations, which could indicate attempts to manipulate Outlook's web-based + components. The analytic focuses on changes to the "URL" value within Outlook's + WebView and Today registry paths. This activity is significant as it may represent + an attacker's effort to redirect Outlook's web content or inject malicious URLs. + If successful, this technique could lead to phishing attempts, data theft, or serve + as a stepping stone for further compromise of the user's email client and potentially + sensitive information. 
+search: '| tstats `security_content_summariesonly` count values(Registry.registry_value_name) + as registry_value_name values(Registry.registry_value_data) as registry_value_data + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry + where (Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*" + OR Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\Today") AND + Registry.registry_value_name="URL" by Registry.dest, Registry.user, Registry.registry_path + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `windows_outlook_webview_registry_modification_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may occur if legitimate Outlook processes are + modified. references: - https://gist.github.com/MHaggis/c6318acde2e2f691b550e3a491f49ff1 - https://github.com/trustedsec/specula/wiki 
@@ -20,39 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modification of Outlook WebView registry values on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Suspicious Windows Registry Activities asset_type: Endpoint - confidence: 100 - impact: 100 - message: Modification of Outlook WebView registry values on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_value_name - - Registry.registry_value_data - risk_score: 100 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml index 2f38d43132..d647e50311 100644 --- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml +++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml @@ -1,7 +1,7 @@ name: Windows PaperCut NG Spawn Shell id: a602d9a2-aaea-45f8-bf0f-d851168d61ca -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -51,55 +51,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The PaperCut NG application has spawned a shell $process_name$ on endpoint + $dest$ by $user$. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - PaperCut MF NG Vulnerability - Compromised Windows Host asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 100 - message: The PaperCut NG application has spawned a shell $process_name$ on endpoint - $dest$ by $user$. mitre_attack_id: - T1059 - T1190 - T1133 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml index 6338c69f03..11cc9f084e 100644 --- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml +++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml @@ -1,7 +1,7 @@ name: Windows Parent PID Spoofing with Explorer id: 17f8f69c-5d00-4c88-9c6f-493bbdef20a1 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -48,44 +48,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An explorer.exe process with process commandline $process$ on dest $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 80 - impact: 80 - message: An explorer.exe process with process commandline $process$ on dest $dest$ mitre_attack_id: - T1134.004 - T1134 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml index 03a3889740..61c3e4af03 100644 --- a/detections/endpoint/windows_password_managers_discovery.yml +++ b/detections/endpoint/windows_password_managers_discovery.yml 
@@ -1,17 +1,40 @@ name: Windows Password Managers Discovery id: a3b3bc96-1c4f-4eba-8218-027cac739a48 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies command-line activity that searches for files related to password manager software, such as "*.kdbx*" and "*credential*". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often target password manager databases to extract stored credentials, which can be used for further exploitation. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, enabling attackers to escalate privileges, move laterally, or exfiltrate critical data. +description: The following analytic identifies command-line activity that searches + for files related to password manager software, such as "*.kdbx*" and "*credential*". + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs. This activity is significant because attackers often target + password manager databases to extract stored credentials, which can be used for + further exploitation. If confirmed malicious, this behavior could lead to unauthorized + access to sensitive information, enabling attackers to escalate privileges, move + laterally, or exfiltrate critical data. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *" OR Processes.process = "*findstr*" AND Processes.process IN ( "*.kdbx*", "*credential*", "*key3.db*","*pass*", "*cred*", "*key4.db*", "*accessTokens*", "*access_tokens*", "*.htpasswd*", "*Ntds.dit*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *" + OR Processes.process = "*findstr*" AND Processes.process IN ( "*.kdbx*", "*credential*", + "*key3.db*","*pass*", "*cred*", "*key4.db*", "*accessTokens*", "*access_tokens*", + "*.htpasswd*", "*Ntds.dit*") by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_password_managers_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1555/005/ 
@@ -23,49 +46,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process with commandline $process$ that can retrieve information related + to password manager databases on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: a process with commandline $process$ that can retrieve information related to password manager databases in $dest$ mitre_attack_id: - T1555.005 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - 
Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/windows_password_policy_discovery_with_net.yml similarity index 52% rename from detections/endpoint/local_account_discovery_with_net.yml rename to detections/endpoint/windows_password_policy_discovery_with_net.yml index c9a24daa9a..42bbaeb646 100644 --- a/detections/endpoint/local_account_discovery_with_net.yml +++ b/detections/endpoint/windows_password_policy_discovery_with_net.yml 
@@ -1,47 +1,34 @@ -name: Local Account Discovery with Net -id: 5d0d4830-0133-11ec-bae3-acde48001122 -version: 4 -date: '2024-10-17' -author: Mauricio Velazco, Splunk +name: Windows Password Policy Discovery with Net +id: e52f7865-be78-46bf-b7ed-150fbe447613 +version: 1 +date: '2025-01-13' +author: Teoderick Contreras, Mauricio Velazco, Nasreddine Bencherchali, Splunk status: production type: Hunting -description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network. +description: The following analytic identifies the execution of `net.exe` with command line arguments aimed at obtaining the computer or domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts*" AND NOT Processes.process IN ("*/FORCELOGOFF*", "*/MINPWLEN*", "*/MAXPWAGE*", "*/MINPWAGE*", "*/UNIQUEPW*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_policy_discovery_with_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
known_false_positives: Administrators or power users may use this command for troubleshooting. references: -- https://attack.mitre.org/techniques/T1087/001/ +- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet tags: analytic_story: - Active Directory Discovery - - Sandworm Tools asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local user discovery enumeration on $dest$ by $user$ mitre_attack_id: - - T1087 - - T1087.001 - observable: - - name: dest - type: Endpoint - role: - - Victim + - T1201 product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml index 460b042cd3..432163293e 100644 --- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml +++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml 
@@ -1,15 +1,33 @@ name: Windows Phishing Outlook Drop Dll In FORM Dir id: fca01769-5163-4b3a-ae44-de874adfc9bc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 type: TTP status: production -description: The following analytic detects the creation of a DLL file by an outlook.exe process in the AppData\Local\Microsoft\FORMS directory. This detection leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on process and file creation events. This activity is significant as it may indicate an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary code, leading to further system compromise or data exfiltration. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name ="*.dll" Filesystem.file_path = "*\\AppData\\Local\\Microsoft\\FORMS\\IPM*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +description: The following analytic detects the creation of a DLL file by an outlook.exe + process in the AppData\Local\Microsoft\FORMS directory. This detection leverages + data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on + process and file creation events. This activity is significant as it may indicate + an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially + malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary + code, leading to further system compromise or data exfiltration. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name + Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) + as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name + ="*.dll" Filesystem.file_path = "*\\AppData\\Local\\Microsoft\\FORMS\\IPM*" by _time + span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path + Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path + process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. 
known_false_positives: unknown references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ 
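Review bot: the reflowed `how_to_implement` still names only the `Filesystem` node of the `Endpoint` data model, but the search also reads `datamodel=Endpoint.Processes` and joins the two on `process_guid`, so both nodes (with `process_guid` populated on each) are prerequisites and should be listed. While this block is being rewritten, the grammar of "ingesting information on process that include the name of the process responsible for the changes" should be fixed too (for example "ingesting process and file events that include the name of the process responsible for the change"). Separately, the inner `fields` list carries `process_path`, which is not in the Processes `by` clause, so that column will always be empty in the results.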
@@ -19,43 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: an outlook process dropped dll file into $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Outlook RCE CVE-2024-21378 asset_type: Endpoint - confidence: 70 - impact: 70 - message: an outlook process dropped dll file into $file_path$ on $dest$ mitre_attack_id: - T1566 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - file_create_time - - file_name - - file_path - - process_name - - process_path - - process - risk_score: 49 security_domain: endpoint cve: - CVE-2024-21378 tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_phishing_form_dll.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_phishing_form_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml index f72c1f3832..18c5531a67 100644 --- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml +++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml 
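Review bot: `threat_objects: []` leaves the dropped DLL out of the risk event even though the search returns `file_name` and `file_path` and the `rba.message` already interpolates `$file_path$`; the credential-dumping change in this same PR records `SourceImage` as a threat object, so consider recording `file_name` here the same way if contentctl's threat object types allow it. The `score: 49` matches the removed `confidence: 70` / `impact: 70` pair, so the numeric part of the migration looks right.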
@@ -1,18 +1,38 @@ name: Windows Phishing PDF File Executes URL Link id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious PDF viewer processes spawning browser application child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it may indicate a PDF spear-phishing attempt where a malicious URL link is executed, leading to potential payload download. If confirmed malicious, this could allow attackers to execute code, escalate privileges, or persist in the environment by exploiting the user's browser to connect to a malicious site. +description: The following analytic detects suspicious PDF viewer processes spawning + browser application child processes. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process and parent process names. This activity + is significant as it may indicate a PDF spear-phishing attempt where a malicious + URL link is executed, leading to potential payload download. If confirmed malicious, + this could allow attackers to execute code, escalate privileges, or persist in the + environment by exploiting the user's browser to connect to a malicious site. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("AcroRd32.exe", "FoxitPDFReader.exe") Processes.process_name IN ("firefox.exe", "chrome.exe", "iexplore.exe") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN + ("AcroRd32.exe", "FoxitPDFReader.exe") Processes.process_name IN ("firefox.exe", + "chrome.exe", "iexplore.exe") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process + Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives in PDF file opened PDF Viewer having legitimate + URL link, however filter as needed. references: - https://twitter.com/pr0xylife/status/1615382907446767616?s=20 drilldown_searches: 
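Review bot: `known_false_positives` is being re-wrapped but is still not a sentence ("False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed."); suggest "False positives will occur when a PDF opened in a PDF viewer contains a legitimate URL link; filter as needed." Also, `how_to_implement` says the logs must contain the process GUID, yet the search never references `process_guid`; what it actually needs are the fields in its `by` clause (`user`, `parent_process_name`, `process_name`, `parent_process`, `process`, `process_id`, `dest`). Finally, the `process_name` list covers firefox.exe, chrome.exe and iexplore.exe only; if Edge is meant to be in scope it is missing.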
@@ -21,48 +41,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a pdf file opened in pdf viewer process $parent_process_name$ has a child + process of a browser $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments - Snake Keylogger asset_type: Endpoint - confidence: 80 - impact: 80 - message: a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - 
Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml index a7941c799f..0dace855c1 100644 --- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml 
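Review bot: `- update_timestamp: true` is dropped from the test's `attack_data` entry with no mention in the hunk; that flag controls whether the replayed dataset's timestamps are rewritten to the current time, so confirm the True Positive Test still fires when `sysmon.log` is replayed with its original timestamps (the same removal appears in the ISO registry hunk). The `rba.message` also changes "in $dest$" to "on $dest$", which is fine, but it is a wording change hidden inside the field migration and worth calling out in the PR description.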
@@ -1,16 +1,34 @@ name: Windows Phishing Recent ISO Exec Registry id: cb38ee66-8ae5-47de-bd66-231c7bbc0b2c -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment. +description: The following analytic detects the creation of registry artifacts when + an ISO container is opened, clicked, or mounted on a Windows operating system. It + leverages data from the Endpoint.Registry data model, specifically monitoring registry + keys related to recent ISO or IMG file executions. This activity is significant + as adversaries increasingly use container-based phishing campaigns to bypass macro-based + document execution controls. If confirmed malicious, this behavior could indicate + an initial access attempt, potentially leading to further exploitation, persistence, + or data exfiltration within the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso" OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso" + OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be high depending on the environment and + consistent use of ISOs. Restrict to servers, or filter out based on commonly used + ISO names. Filter as needed. references: - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ 
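Review bot: same `how_to_implement` problem as the Outlook detection: "ingesting information on process that include the name of the process responsible for the changes" is ungrammatical and, for a `Registry` node search, the relevant requirement is registry events carrying `registry_key_name`, `registry_path`, `registry_value_data`, `action`, `user` and `dest` (the search's `by` clause), not process information; suggest rewriting it while the block is being reflowed rather than only re-wrapping it.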
@@ -27,35 +45,18 @@ tags: - Warzone RAT - Gozi Malware asset_type: Endpoint - confidence: 80 - impact: 50 - message: An ISO file was mounted on $dest$ and should be reviewed and filtered as needed. mitre_attack_id: - T1566.001 - T1566 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.user - - Registry.registry_path - - Registry.registry_value_data - - Registry.action - - Registry.dest - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index f2b7d275dd..470fcafb77 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml 
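Review bot: this `Hunting` detection loses `confidence`, `impact`, `message` and `risk_score` with no `rba` block added, which is consistent with Hunting searches not producing risk, but the removed `message` ("An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.") was the only human-readable summary of a hit; if contentctl still surfaces a message for Hunting content it should be preserved somewhere. As in the PDF hunk, `update_timestamp: true` is silently dropped from the test entry.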
@@ -1,16 +1,34 @@ name: Windows Possible Credential Dumping id: e4723b92-7266-11ec-af45-acde48001122 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk. +description: The following analytic detects potential credential dumping by identifying + specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS + process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe + and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, + and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized + access to sensitive credentials. If confirmed malicious, attackers could gain elevated + privileges and persist within the environment, posing a severe security risk. 
data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe granted_access IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -known_false_positives: False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught. 
+search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe granted_access IN ("0x01000", + "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", + "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", + "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK + SERVICE") | stats count min(_time) as firstTime max(_time) as lastTime by dest, + SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser + | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_possible_credential_dumping_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. +known_false_positives: False positives will occur based on GrantedAccess 0x1010 and + 0x1400, filter based on source image as needed or remove them. Concern is Cobalt + Strike usage of Mimikatz will generate 0x1010 initially, but later be caught. references: - https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump 
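Review bot: the search filters on `granted_access IN (...)` but groups by `GrantedAccess`; if `granted_access` is a field alias on the Sysmon sourcetype this works, otherwise the filter silently matches nothing, so confirm which it is and use one spelling throughout. The list also contains both "0x01000" and "0x1000"; unless the TA normalises the value with a leading zero, the first looks like a typo of the second rather than a distinct access mask. Also check whether "*kernel32.dll*" and "*kernelbase.dll*" in the `CallTrace` list are intentional, since the description only names dbgcore.dll, dbghelp.dll and ntdll.dll and those two appear in most call traces.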
@@ -24,9 +42,27 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process, $SourceImage$, has loaded $TargetImage$ that are typically related + to credential dumping on $dest$. Review for further details. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: SourceImage + type: process tags: analytic_story: - Detect Zerologon Attack 
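Review bot: the `rba.message` reads "$SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping", but Sysmon EventCode 10 is a process-access event (the description itself says "access requests to lsass.exe"), so "loaded" is misleading and "that are" does not agree with a single image; suggest "A process, $SourceImage$, accessed $TargetImage$ with access rights typically associated with credential dumping on $dest$. Review for further details." Mapping `SourceImage` to a `process` threat object and both `user` and `dest` to risk objects at 64 (80 × 80 / 100) matches the removed observables and risk score.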
@@ -36,43 +72,18 @@ tags: - DarkSide Ransomware - CISA AA22-257A asset_type: Endpoint - confidence: 80 - impact: 80 - message: A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details. mitre_attack_id: - T1003.001 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - TargetImage - - GrantedAccess - - SourceImage - - SourceProcessId - - SourceUser - - TargetUser - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml index 98594f11a3..bd8d271f6e 100644 --- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml +++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml 
@@ -1,15 +1,38 @@ name: Windows Post Exploitation Risk Behavior id: edb930df-64c2-4bb7-9b5c-889ed53fb973 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] -description: The following analytic identifies four or more distinct post-exploitation behaviors on a Windows system. It leverages data from the Risk data model in Splunk Enterprise Security, focusing on multiple risk events and their associated MITRE ATT&CK tactics and techniques. This activity is significant as it indicates potential malicious actions following an initial compromise, such as persistence, privilege escalation, or data exfiltration. If confirmed malicious, this behavior could allow attackers to maintain control, escalate privileges, and further exploit the compromised environment, leading to significant security breaches and data loss. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("*Windows Post-Exploitation*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`' -how_to_implement: Splunk 
Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. +description: The following analytic identifies four or more distinct post-exploitation + behaviors on a Windows system. It leverages data from the Risk data model in Splunk + Enterprise Security, focusing on multiple risk events and their associated MITRE + ATT&CK tactics and techniques. This activity is significant as it indicates potential + malicious actions following an initial compromise, such as persistence, privilege + escalation, or data exfiltration. If confirmed malicious, this behavior could allow + attackers to maintain control, escalate privileges, and further exploit the compromised + environment, leading to significant security breaches and data loss. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories + IN ("*Windows Post-Exploitation*") by All_Risk.risk_object All_Risk.risk_object_type + All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased base + on internal testing. In addition, based on false positives, modify any analytics + to be anomaly and lower or increase risk based on organization importance. +known_false_positives: False positives will be present based on many factors. Tune + the correlation as needed to reduce too many triggers. references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat drilldown_searches: 
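Review bot: `how_to_implement` has "increased base on internal testing" (should be "based on"), and "modify the source_count value to your environment" should point at where that value lives, which is the `where source_count >= 4` clause at the end of the search. Note also that `source_count` is `dc(source)`, the number of distinct contributing detections, so the description's "four or more distinct post-exploitation behaviors" holds only insofar as each source corresponds to a distinct behaviour.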
@@ -18,16 +41,18 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Windows Post-Exploitation asset_type: Endpoint - confidence: 70 - impact: 70 - message: An increase of Windows Post Exploitation behavior has been detected on $risk_object$ mitre_attack_id: - T1012 - T1049 
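Review bot: this `Correlation` hunk removes `confidence`, `impact` and `message` but, unlike the TTP and Anomaly hunks in this PR, adds no `rba` block, so the text "An increase of Windows Post Exploitation behavior has been detected on $risk_object$" disappears entirely; confirm that correlation searches are meant to carry no `rba` in the new schema and that the notable still gets a message from elsewhere, otherwise add the block with `risk_object` as its risk object.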
@@ -37,27 +62,15 @@ tags: - T1082 - T1115 - T1552 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_risk.log source: wpe sourcetype: stash diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml index e2535fc9c6..be0d947169 100644 --- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml +++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml 
@@ -1,16 +1,29 @@ name: Windows PowerShell Add Module to Global Assembly Cache id: 3fc16961-97e5-4a5b-a079-e4ab0d9763eb -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing "system.enterpriseservices.internal.publish". This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk. +description: The following analytic detects the addition of a DLL to the Windows Global + Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging + to identify commands containing "system.enterpriseservices.internal.publish". This + activity is significant because adding a DLL to the GAC allows it to be shared across + multiple applications, potentially enabling an adversary to execute malicious code + system-wide. If confirmed malicious, this could lead to widespread code execution, + privilege escalation, and persistent access across the operating system, posing + a severe security risk. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may be present based on developers or third party utilities adding items to the GAC. +search: '`powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_powershell_add_module_to_global_assembly_cache_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: False positives may be present based on developers or third + party utilities adding items to the GAC. references: - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ 
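Review bot: the `how_to_implement` text kept in this hunk links to the UBA page anchor `#Configure_module_logging_for_PowerShell`, but the `search` keys on EventCode 4104, which is Script Block Logging rather than module logging; stating the 4104 requirement explicitly, or linking the script block logging section, would avoid deployments that enable the wrong log source. The description and search reflows only break long plain and single-quoted scalars across lines, which YAML folds back into single spaces, so content is unchanged.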
@@ -20,39 +33,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell was used to install a module to the Global Assembly Cache on + $Computer$. + risk_objects: + - field: Computer + type: system + score: 64 + threat_objects: [] tags: analytic_story: - IIS Components asset_type: Endpoint - confidence: 80 - impact: 80 - message: PowerShell was used to install a module to the Global Assembly Cache on $Computer$. 
mitre_attack_id: - T1505 - T1505.004 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml index 1948eb03b1..bf088f301f 100644 --- a/detections/endpoint/windows_powershell_cryptography_namespace.yml +++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml 
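Review bot: the new `rba` block attributes risk only to `Computer`, while the search already groups by `user_id`; the cryptography detection in this same PR adds a `user` risk object alongside the host, so consider a second entry `- field: user_id` / `type: user` here (after a `rename user_id as user` for naming consistency). Score 64 matches the removed confidence 80 x impact 80 / 100, and the removed `required_fields` and `observable` blocks are fully superseded. `- update_timestamp: true` is also dropped from the test; confirm that is intended for every detection in this PR rather than only this one.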
@@ -1,15 +1,29 @@ name: Windows Powershell Cryptography Namespace id: f8b482f4-6d62-49fa-a905-dfa15698317b -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script. +description: The following analytic detects suspicious PowerShell script execution + involving the cryptography namespace via EventCode 4104. It leverages PowerShell + Script Block Logging to identify scripts using cryptographic functions, excluding + common hashes like SHA and MD5. This activity is significant as it is often associated + with malware that decrypts or decodes additional malicious payloads. If confirmed + malicious, this could allow an attacker to execute further code, escalate privileges, + or establish persistence within the environment. Analysts should investigate the + parent process, decrypted data, network connections, and the user executing the + script. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" + AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*")) | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat 
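Review bot: the description says the search excludes "common hashes like SHA and MD5", but the search also excludes `*DeriveBytes*` (the Rfc2898DeriveBytes / PasswordDeriveBytes key-derivation classes); document that third exclusion, since it drops key-derivation scripts a reader of the description would expect to be caught. Separately, `*SHA*` as a field wildcard is broad: Splunk field-value matching is case-insensitive, so any script block that merely contains that substring (for example `shadow`) is excluded even when it also uses `System.Security.Cryptography.Aes`; narrowing to the actual class names (`*SHA256*`, `*SHA1*`, `*HashAlgorithm*`) would tighten the exclusion.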
@@ -19,45 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains cryptography command detected on + host $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - AsyncRAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: A suspicious powershell script contains cryptography command detected on host $dest$ mitre_attack_id: - T1059.001 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCodes - 
risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powershell_disable_http_logging.yml b/detections/endpoint/windows_powershell_disable_http_logging.yml index 6fd500380d..4c3060bb6a 100644 --- a/detections/endpoint/windows_powershell_disable_http_logging.yml +++ b/detections/endpoint/windows_powershell_disable_http_logging.yml 
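Review bot: the `rba.message` text is ungrammatical ("A suspicious powershell script contains cryptography command detected on host $dest$"); suggest "A suspicious PowerShell script containing a cryptography command was detected on host $dest$". The two risk objects map correctly onto the `dest` and `user` fields the search renames to, and 25 matches the removed confidence 50 x impact 50 / 100. The removed `required_fields` listed `Opcode` and `EventCodes` (sic), neither of which the search uses, so nothing is lost there.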
@@ -1,16 +1,30 @@ name: Windows PowerShell Disable HTTP Logging id: 27958de0-2857-43ca-9d4c-b255cf59dcab -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to "false" or "dontLog". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected. +description: The following analytic detects the use of `get-WebConfigurationProperty` + and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows + systems. This detection leverages PowerShell Script Block Logging, specifically + looking for script blocks that reference HTTP logging properties and attempt to + set them to "false" or "dontLog". Disabling HTTP logging is significant as it can + be used by adversaries to cover their tracks and delete logs, hindering forensic + investigations. If confirmed malicious, this activity could allow attackers to evade + detection and persist in the environment undetected. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN("*get-WebConfigurationProperty*","*Set-ItemProperty*") AND ScriptBlockText IN ("*httpLogging*","*Logfile.enabled*") AND ScriptBlockText IN ("*dontLog*", "*false*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: It is possible administrators or scripts may run these commands, filtering may be required. +search: '`powershell` EventCode=4104 ScriptBlockText IN("*get-WebConfigurationProperty*","*Set-ItemProperty*") + AND ScriptBlockText IN ("*httpLogging*","*Logfile.enabled*") AND ScriptBlockText + IN ("*dontLog*", "*false*") | stats count min(_time) as firstTime max(_time) as + lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: It is possible administrators or scripts may run these commands, + filtering may be required. 
references: - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ - https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf 
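Review bot: the first IN clause of the search matches `*get-WebConfigurationProperty*` and `*Set-ItemProperty*`, but `Get-WebConfigurationProperty` only reads IIS configuration; the cmdlet that actually changes `httpLogging`/`dontLog` is `Set-WebConfigurationProperty`, which the `*get-...*` wildcard does not match. Consider adding `*Set-WebConfigurationProperty*` (or using `*WebConfigurationProperty*`) so the search covers the write path the description is about, and verify against the test dataset in the next hunk that the true-positive log still fires.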
@@ -22,42 +36,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging + has occurred on $Computer$. + risk_objects: + - field: Computer + type: system + score: 64 + threat_objects: [] tags: analytic_story: - IIS Components - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 80 - impact: 80 - message: A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$. 
mitre_attack_id: - T1562 - T1562.002 - T1505 - T1505.004 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml index cd7f13b1fb..bbe40a4adc 100644 --- a/detections/endpoint/windows_powershell_export_certificate.yml +++ b/detections/endpoint/windows_powershell_export_certificate.yml 
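Review bot: the `rba.message` reads "related to disable or modifying a IIS HTTP logging"; suggest "A PowerShell Cmdlet related to disabling or modifying IIS HTTP logging has occurred on $Computer$." Score 64 is consistent with the removed confidence/impact of 80/80, and `Computer` is the field the search groups by. As in the other hunks, `- update_timestamp: true` is dropped from the test without explanation.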
@@ -1,16 +1,29 @@ name: Windows PowerShell Export Certificate id: 5e38ded4-c964-41f4-8cb6-4a1a53c6929f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk. +description: The following analytic detects the use of the PowerShell Cmdlet `export-certificate` + by leveraging Script Block Logging. This activity is significant as it may indicate + an adversary attempting to exfiltrate certificates from the local Certificate Store + on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates + can be used to impersonate users, decrypt sensitive data, or facilitate further + attacks. If confirmed malicious, this activity could lead to unauthorized access + to encrypted communications and sensitive information, posing a severe security + risk. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*export-certificate*") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: It is possible administrators or scripts may run these commands, filtering may be required. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*export-certificate*") | + rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: It is possible administrators or scripts may run these commands, + filtering may be required. references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps 
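Review bot: the reflowed search renames `Computer` to `dest` before `stats`, which is what the `rba` block in the next hunk needs, but leaves `user_id` unnormalized while the cryptography detection in this PR renames its user field to `user`; a `rename user_id as user` here would keep field naming consistent across the PR and make a user risk object straightforward to add later. The description and `how_to_implement` reflows are content-neutral.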
@@ -20,39 +33,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, + attempting to export a certificate. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 60 - impact: 60 - message: A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate. 
mitre_attack_id: - T1552.004 - T1552 - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_certificate.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_certificate.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml index 097812a84d..7f493a22c9 100644 --- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml +++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml 
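Review bot: "was ran on $dest$" in `rba.message` should be "was run on $dest$"; the message also repeats itself ("related to exporting a Certificate ... attempting to export a certificate"), so "A PowerShell Cmdlet related to exporting a certificate was run on $dest$." would do. Score 36 matches the removed confidence 60 x impact 60 / 100, and the `dest` field exists because the search renames it.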
@@ -1,16 +1,28 @@ name: Windows PowerShell Export PfxCertificate id: ed06725f-6da6-439f-9dcc-ab30e891297c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network. +description: The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` + by leveraging Script Block Logging. This activity is significant as it may indicate + an adversary attempting to exfiltrate certificates from the Windows Certificate + Store. Monitoring this behavior is crucial for identifying potential certificate + theft, which can lead to unauthorized access and impersonation attacks. If confirmed + malicious, this activity could allow attackers to compromise secure communications, + authenticate as legitimate users, and escalate their privileges within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: It is possible administrators or scripts may run these commands, filtering may be required. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*") + | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: It is possible administrators or scripts may run these commands, + filtering may be required. references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps 
@@ -20,40 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, + attempting to export a certificate. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 60 - impact: 60 - message: A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate. 
mitre_attack_id: - T1552.004 - T1552 - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml index 49eeaf50d6..733a9addf8 100644 --- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml +++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml 
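Review bot: the same grammar issue ("was ran on") appears in this `rba.message`; suggest "was run on". Also, the score of 36 is copied from the export_certificate detection, but `Export-PfxCertificate` writes the private key along with the certificate, whereas `Export-Certificate` exports only the public certificate; since both sit under the same `Windows Certificate Services` story, consider whether the PFX variant deserves a higher impact score than the public-cert export.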
@@ -1,16 +1,29 @@ name: Windows PowerShell Get CIMInstance Remote Computer id: d8c972eb-ed84-431a-8869-ca4bd83257d1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network. -search: '`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index. +description: The following analytic detects the use of the Get-CimInstance cmdlet + with the -ComputerName parameter, indicating an attempt to retrieve information + from a remote computer. It leverages PowerShell Script Block Logging to identify + this specific command execution. 
This activity is significant as it may indicate + unauthorized remote access or information gathering by an attacker. If confirmed + malicious, this could allow the attacker to collect sensitive data from remote systems, + potentially leading to further exploitation or lateral movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*" | + stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_powershell_get_ciminstance_remote_computer_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: This is meant to be a low risk RBA anomaly analytic or to be + used for hunting. Enable this with a low risk score and let it generate risk in + the risk index. references: - https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3 drilldown_searches: 
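Review bot: the `*computername*` term in the search also matches `-ComputerName localhost`, `-ComputerName .` and references to `$env:COMPUTERNAME`, none of which is the remote access the description names; the `known_false_positives` text kept in this hunk only says this is a low-risk anomaly, so either list those local-target cases there or exclude them in the search. The description reflow is otherwise content-neutral.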
@@ -19,37 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to + connect to a remote host. + risk_objects: + - field: Computer + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 30 - message: A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host. 
mitre_attack_id: - T1059.001 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml index b920d8e261..ae73b3a6e6 100644 --- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml +++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml 
@@ -1,16 +1,29 @@ name: Windows PowerShell IIS Components WebGlobalModule Usage id: 33fc9f6f-0ce7-4696-924e-a69ec61a3d57 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges. +description: The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, + Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, + or modify IIS Modules. This detection leverages PowerShell Script Block Logging, + specifically monitoring EventCode 4104 for these cmdlets. This activity is significant + as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, + similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed + malicious, this could allow attackers to persist in the environment, manipulate + web server behavior, or escalate privileges. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: It is possible administrators or scripts may run these commands, filtering may be required. +search: '`powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + `windows_powershell_iis_components_webglobalmodule_usage_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: It is possible administrators or scripts may run these commands, + filtering may be required. references: - https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ 
@@ -24,39 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell Cmdlet related to enabling, creating or modifying a IIS module + has occurred on $Computer$. + risk_objects: + - field: Computer + type: system + score: 64 + threat_objects: [] tags: analytic_story: - IIS Components asset_type: Endpoint - confidence: 80 - impact: 80 - message: A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$. 
mitre_attack_id: - T1505 - T1505.004 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml index 46eb025676..a2cfb60449 100644 --- a/detections/endpoint/windows_powershell_import_applocker_policy.yml +++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml 
@@ -1,16 +1,30 @@ name: Windows Powershell Import Applocker Policy id: 102af98d-0ca3-4aa4-98d6-7ab2b98b955a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of "Import-Module Applocker" and "Set-AppLockerPolicy" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence. +description: The following analytic detects the import of Windows PowerShell Applocker + cmdlets, specifically identifying the use of "Import-Module Applocker" and "Set-AppLockerPolicy" + with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) + to capture and analyze script block text. This activity is significant as it may + indicate an attempt to enforce restrictive Applocker policies, potentially used + by malware like Azorult to disable antivirus products. If confirmed malicious, this + could allow an attacker to bypass security controls, leading to further system compromise + and persistence. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: administrators may execute this command that may cause some false positive. +search: '`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy + *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_powershell_import_applocker_policy_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: administrators may execute this command that may cause some + false positive. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: 
@@ -19,45 +33,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ + with EventCode $EventCode$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 70 - impact: 70 - message: A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$ mitre_attack_id: - T1059.001 - T1059 - T1562.001 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - 
required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml new file mode 100644 index 0000000000..c22dd241a4 --- /dev/null +++ b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml 
@@ -0,0 +1,55 @@ +name: Windows Powershell Logoff User via Quser +id: 6d70780d-4cfe-4820-bafd-1b43941986b5 +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_source: +- Powershell Script Block Logging 4104 +type: Anomaly +status: production +description: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation. +search: '`powershell` EventCode=4104 ScriptBlockText = "*quser*logoff*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText UserID Computer + | rename Computer as dest, UserID as user + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_powershell_logoff_user_via_quser_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may use this command. 
+references: +- https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Powershell process having commandline [$ScriptBlockText$] used to logoff user on [$dest$]. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1531 + - T1059.001 + - T1059 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/log_off_user/pwh_quser_logoff.log + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml index d774044048..64bd011024 100644 --- a/detections/endpoint/windows_powershell_remotesigned_file.yml +++ b/detections/endpoint/windows_powershell_remotesigned_file.yml 
@@ -1,7 +1,7 @@ name: Windows Powershell RemoteSigned File id: f7f7456b-470d-4a95-9703-698250645ff4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,10 +9,30 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the use of the "remotesigned" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing "remotesigned" and "-File". This activity is significant because the "remotesigned" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: It is possible administrators or scripts may run these commands, filtering may be required. +description: The following analytic identifies the use of the "remotesigned" execution + policy for PowerShell scripts. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions containing "remotesigned" and + "-File". This activity is significant because the "remotesigned" policy allows locally + created scripts to run without restrictions, posing a potential security risk. If + confirmed malicious, an attacker could execute unauthorized scripts, leading to + code execution, privilege escalation, or persistence within the environment. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* + remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible administrators or scripts may run these commands, + filtering may be required. references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 drilldown_searches: 
@@ -21,47 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell commandline with remotesigned policy executed on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Amadey asset_type: Endpoint - confidence: 50 - impact: 50 - message: A PowerShell commandline with remotesigned policy executed on $dest$ mitre_attack_id: - T1059.001 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name 
- - Processes.original_file_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml index 7df83b4de9..2cb840930a 100644 --- a/detections/endpoint/windows_powershell_scheduletask.yml +++ b/detections/endpoint/windows_powershell_scheduletask.yml 
@@ -1,64 +1,80 @@ name: Windows PowerShell ScheduleTask id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. 
+description: The following analytic detects potential malicious activities involving + PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging + (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' + and 'Set-ScheduledTask'. This activity is significant as attackers often use these + cmdlets for persistence and remote execution of malicious code. If confirmed malicious, + this could allow attackers to maintain access, deliver additional payloads, or execute + ransomware, leading to data theft or other severe impacts. Immediate investigation + and mitigation are crucial to prevent further compromise. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", + "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", + "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", + "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Benign administrative tasks can also trigger alerts, necessitating + a firm understanding of the typical system behavior and precise tuning of the analytic + to reduce false positives. 
references: - https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ drilldown_searches: - name: View the detection results for - "$Computer$" and "$user_id$" - search: '%original_detection_search% | search Computer = "$Computer$" user_id = "$user_id$"' + search: '%original_detection_search% | search Computer = "$Computer$" user_id = + "$user_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" and "$user_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", + "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The PowerShell cmdlets related to task creation, modification and start + occurred on $Computer$ by $user_id$. 
+ risk_objects: + - field: Computer + type: system + score: 25 + - field: user_id + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Scheduled Tasks asset_type: Endpoint atomic_guid: - af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd - confidence: 50 - impact: 50 - message: The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$. mitre_attack_id: - T1053.005 - T1059.001 - T1059 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: user_id - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - EventCode security_domain: endpoint - risk_score: 25 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml index ea844f9a4b..358d2f9f2c 100644 --- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml +++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml 
@@ -1,16 +1,32 @@ name: Windows PowerShell WMI Win32 ScheduledJob id: 47c69803-2c09-408b-b40a-063c064cbb16 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks. -search: '`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place. 
+description: The following analytic detects the use of the Win32_ScheduledJob WMI + class via PowerShell script block logging. This class, which manages scheduled tasks, + is disabled by default due to security concerns and must be explicitly enabled through + registry modifications. The detection leverages PowerShell event code 4104 and script + block text analysis. Monitoring this activity is crucial as it may indicate malicious + intent, especially if the class was enabled by an attacker. If confirmed malicious, + this could allow attackers to persist in the environment by creating scheduled tasks. +search: '`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: False positives may be present based on legacy applications + or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to + create scheduled tasks on remote computers. It uses the DCOM (Distributed Component + Object Model) infrastructure to establish a connection with the remote computer + and invoke the necessary methods. The RPC service needs to be running on both the + local and remote computers for the communication to take place. references: - https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob 
@@ -20,39 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was + ran on $dest$. + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 80 - message: PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$. 
mitre_attack_id: - T1059.001 - T1059 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - dest - - EventCode - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml index f1383fa21d..ab9be17dd3 100644 --- a/detections/endpoint/windows_powersploit_gpp_discovery.yml +++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml 
@@ -1,15 +1,27 @@ name: Windows PowerSploit GPP Discovery id: 0130a0df-83a1-4647-9011-841e950ff302 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials. -search: '`powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: The following analytic detects the execution of the Get-GPPPassword PowerShell + cmdlet, which is used to search for unsecured credentials in Group Policy Preferences + (GPP). This detection leverages PowerShell Script Block Logging to identify specific + script block text associated with this cmdlet. 
Monitoring this activity is crucial + as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, + potentially leading to unauthorized access. If confirmed malicious, this activity + could allow an attacker to escalate privileges or move laterally within the network + by exploiting exposed credentials. +search: '`powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1552/006/ 
@@ -19,49 +31,45 @@ references: - https://adsecurity.org/?p=2288 - https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 drilldown_searches: -- name: View the detection results for - "$Computer$" and "$UserID$" - search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' +- name: View the detection results for - "$Computer$" and "$user$" + search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Commandlets leveraged to discover GPP credentials were executed on 
$Computer$ + risk_objects: + - field: Computer + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 80 - impact: 70 - message: Commandlets leveraged to discover GPP credentials were executed on $Computer$ mitre_attack_id: - T1552 - T1552.006 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Opcode - - Computer - - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml index ba23c518aa..8c07de753d 100644 --- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml +++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml 
@@ -1,16 +1,29 @@ name: Windows PowerView AD Access Control List Enumeration id: 39405650-c364-4e1e-a740-32a63ef042a6 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network. -search: '`powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +description: The following analytic detects the execution of PowerView PowerShell + cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access + Control List (ACL) permissions for Active Directory objects. It leverages Event + ID 4104 from PowerShell Script Block Logging to identify this activity. 
This behavior + is significant as it may indicate an attempt to discover weak permissions in Active + Directory, potentially leading to privilege escalation. If confirmed malicious, + attackers could exploit these permissions to gain unauthorized access or escalate + their privileges within the network. +search: '`powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* + ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_powerview_ad_access_control_list_enumeration_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://attack.mitre.org/techniques/T1078/002/ - https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 
@@ -22,41 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerView AD acccess control list enumeration detected on $Computer$ + risk_objects: + - field: Computer + type: system + score: 20 + threat_objects: [] tags: analytic_story: - Active Directory Discovery - Active Directory Privilege Escalation - Rhysida Ransomware asset_type: Endpoint - confidence: 50 - impact: 40 - message: PowerView AD acccess control list enumeration detected on $Computer$ mitre_attack_id: - T1078.002 - T1069 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Opcode - - UserID - risk_score: 20 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml index 5550a9d3c3..00983570e7 100644 --- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml +++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml 
@@ -1,16 +1,30 @@ name: Windows PowerView Constrained Delegation Discovery id: 86dc8176-6e6c-42d6-9684-5444c6557ab3 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network. +description: The following analytic detects the use of PowerView commandlets to discover + Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` + or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant + as it indicates potential reconnaissance efforts by adversaries or Red Teams to + map out privileged delegation settings in Active Directory. If confirmed malicious, + this could allow attackers to identify high-value targets for further exploitation, + potentially leading to privilege escalation or lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators or power users may leverage PowerView for system management or troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR + ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to + be imported. Modify the powershell macro as needed to match the sourcetype or add + index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may leverage PowerView for system + management or troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://adsecurity.org/?p=1667 
@@ -24,44 +38,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Rhysida Ransomware - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 70 - impact: 50 - message: Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - 
Computer - - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml index b3dbd885fc..77bff74777 100644 --- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml +++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml 
@@ -1,16 +1,29 @@ name: Windows PowerView Kerberos Service Ticket Request id: 970455a1-4ac2-47e1-a9a5-9e75443ddcb9 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainSPNTicket` commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging (EventCode=4104). This commandlet requests Kerberos service tickets for specified service principal names (SPNs). Monitoring this activity is crucial as it can indicate attempts to perform Kerberoasting, a technique used to extract SPN account passwords via cracking tools like hashcat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive accounts, potentially leading to privilege escalation and further network compromise. +description: The following analytic detects the execution of the `Get-DomainSPNTicket` + commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging + (EventCode=4104). This commandlet requests Kerberos service tickets for specified + service principal names (SPNs). Monitoring this activity is crucial as it can indicate + attempts to perform Kerberoasting, a technique used to extract SPN account passwords + via cracking tools like hashcat. If confirmed malicious, this activity could allow + attackers to gain unauthorized access to sensitive accounts, potentially leading + to privilege escalation and further network compromise. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: False positive may include Administrators using PowerView for troubleshooting and management. +search: '`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: False positive may include Administrators using PowerView for + troubleshooting and management. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/ - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast 
@@ -23,39 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerView commandlets used for requesting SPN service ticket executed on + $dest$ + risk_objects: + - field: dest + type: system + score: 27 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks - Rhysida Ransomware asset_type: Endpoint - confidence: 90 - impact: 30 - message: PowerView commandlets used for requesting SPN service ticket executed on $dest$ mitre_attack_id: - T1558 - T1558.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Computer - - ScriptBlockText - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml index 043ec0299b..a3184c2941 100644 --- a/detections/endpoint/windows_powerview_spn_discovery.yml +++ b/detections/endpoint/windows_powerview_spn_discovery.yml 
@@ -1,16 +1,30 @@ name: Windows PowerView SPN Discovery id: a7093c28-796c-4ebb-9997-e2c18b870837 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network. +description: The following analytic detects the execution of the `Get-DomainUser` + or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use + of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) + to identify these specific commands. This activity is significant as it suggests + an attempt to enumerate domain accounts associated with Service Principal Names + (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this + could allow an attacker to identify and target accounts for credential theft, potentially + leading to unauthorized access and privilege escalation within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: False positive may include Administrators using PowerView for troubleshooting and management. +search: '`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) + ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename + UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_powerview_spn_discovery_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: False positive may include Administrators using PowerView for + troubleshooting and management. references: - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 
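Review bot: the reflowed `search` in this hunk keeps unquoted, inconsistently spaced wildcard comparisons (`ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*` and `ScriptBlockText= *-SPN*`) while the sibling unconstrained-delegation search in this same patch quotes its wildcards (`ScriptBlockText = "*Get-DomainComputer*"`). Since the line is being rewritten anyway, normalize to the `ScriptBlockText="*Get-NetUser*"` form so both PowerView detections read the same and the bare `*-SPN*` token is not mistaken for a flag by the next person editing it.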
@@ -22,40 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerView commandlets used for SPN discovery executed on $dest$ + risk_objects: + - field: dest + type: system + score: 27 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Rhysida Ransomware - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 90 - impact: 30 - message: PowerView commandlets used for SPN discovery executed on $dest$ mitre_attack_id: - T1558 - T1558.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Computer - - ScriptBlockText - risk_score: 27 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml index cc900f2545..6074178077 100644 --- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml 
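Review bot: `rba.risk_objects` registers only `dest`, but the search already emits a `user` field (`rename UserID as user`) and the Windows PowerView Unconstrained Delegation Discovery hunk further down this patch registers both `dest` and `user`. Add `- field: user`, `type: user`, `score: 27` here (and `"$user$"` to the risk drilldown's `IN (...)`) so the account that ran the SPN enumeration accrues risk and not only the host. The score of 27 does match the removed `confidence: 90` x `impact: 30`.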
@@ -1,16 +1,30 @@ name: Windows PowerView Unconstrained Delegation Discovery id: fbf9e47f-e531-4fea-942d-5c95af7ed4d6 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network. +description: The following analytic detects the use of PowerView commandlets to discover + Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` + or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant + as it indicates potential reconnaissance efforts by adversaries or Red Teams to + map out privileged delegation settings in Active Directory. If confirmed malicious, + this could allow attackers to identify high-value targets for further exploitation, + potentially leading to privilege escalation or lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`' -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators or power users may leverage PowerView for system management or troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR + ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to + be imported. Modify the powershell macro as needed to match the sourcetype or add + index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may leverage PowerView for system + management or troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://adsecurity.org/?p=1667 
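Review bot: the reflowed description says "PowerView commandlets"; the SPN discovery detection in this patch already says "cmdlets", which is also Microsoft's term, so use "cmdlets" here for consistency. While on this hunk, the search uses an explicit `AND (ScriptBlockText = "*-Unconstrained*")` where the SPN search relies on the implicit AND; either style is fine, but the two PowerView searches should pick one.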
@@ -23,44 +37,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 35 + - field: user + type: user + score: 35 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Rhysida Ransomware - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 70 - impact: 50 - message: Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ mitre_attack_id: - T1018 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - 
Computer - - UserID - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml index 063d0148ce..27fffec337 100644 --- a/detections/endpoint/windows_private_keys_discovery.yml +++ b/detections/endpoint/windows_private_keys_discovery.yml 
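Review bot: the reflowed test `data` URL points at `.../T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log` for a detection named Windows PowerView Unconstrained Delegation Discovery that matches on `-Unconstrained`; confirm the dataset directory is just misnamed, otherwise the True Positive Test is validating against constrained-delegation telemetry. Separately, `rba.message` names only `Get-DomainComputer` although the search also fires on `Get-NetComputer`, and it omits the `user` that is now registered as a risk object; a message along the lines of `PowerView Get-DomainComputer/Get-NetComputer -Unconstrained executed by $user$ on $dest$` would carry both fields the search already produces.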
@@ -1,17 +1,41 @@ name: Windows Private Keys Discovery id: 5c1c2877-06c0-40ee-a1a2-db71f1372b5b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies processes that retrieve information related to private key files, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that search for private key certificates. This activity is significant as it indicates potential attempts to locate insecurely stored credentials, which adversaries can exploit for privilege escalation, persistence, or remote service authentication. If confirmed malicious, this behavior could allow attackers to access sensitive information, escalate privileges, or maintain persistence within the compromised environment. +description: The following analytic identifies processes that retrieve information + related to private key files, often used by post-exploitation tools like winpeas. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions that search for private key certificates. This + activity is significant as it indicates potential attempts to locate insecurely + stored credentials, which adversaries can exploit for privilege escalation, persistence, + or remote service authentication. If confirmed malicious, this behavior could allow + attackers to access sensitive information, escalate privileges, or maintain persistence + within the compromised environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *" OR Processes.process = "*findstr*" AND Processes.process IN ( "*.rdg*", "*.gpg*", "*.pgp*", "*.p12*", "*.der*", "*.csr*", "*.cer*", "*.ovpn*", "*.key*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.p7b*", "*.asc*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *" + OR Processes.process = "*findstr*" AND Processes.process IN ( "*.rdg*", "*.gpg*", + "*.pgp*", "*.p12*", "*.der*", "*.csr*", "*.cer*", "*.ovpn*", "*.key*", "*.ppk*", + "*.p12*", "*.pem*", "*.pfx*", "*.p7b*", "*.asc*") by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_private_keys_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1552/004/ 
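Review bot: the `where` clause `Processes.process = "*dir *" OR Processes.process = "*findstr*" AND Processes.process IN (...)` relies on Splunk's documented Boolean precedence (parentheses, then NOT, then OR, then AND, the reverse of SQL) to mean `(dir OR findstr) AND extension`; anyone reading it with conventional precedence will conclude that every command line containing `dir ` matches regardless of extension. Add explicit parentheses around the `dir`/`findstr` alternatives while the line is being reflowed so the intent is unambiguous. Also `"*.p12*"` appears twice in the `IN` list; drop the duplicate.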
@@ -23,50 +47,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process with commandline $process$ that can retrieve information related + to private keys on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: a process with commandline $process$ that can retrieve information related to private keys in $dest$ mitre_attack_id: - T1552.004 - T1552 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - 
Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml index 5fe5d28c60..c94417e9e5 100644 --- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml +++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml 
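Review bot: `rba.message` starts lowercase and has no main verb (`a process with commandline $process$ that can retrieve information related to private keys on $dest$`); since this string becomes the `risk_message` shown in Enterprise Security, make it a sentence, e.g. `Process with command line $process$ that can enumerate private key files was executed on $dest$`. The search also yields `user` (`Processes.user` is in the `by` clause), so consider registering it as a second risk object as the elevation hunks in this patch do.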
@@ -1,18 +1,51 @@ name: Windows Privilege Escalation Suspicious Process Elevation id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon EventID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access. +description: The following analytic detects when a process running with low or medium + integrity from a user account spawns an elevated process with high or system integrity + in suspicious locations. This behavior is identified using process execution data + from Windows process monitoring or Sysmon EventID 1. This activity is significant + as it may indicate a threat actor successfully elevating privileges, which is a + common tactic in advanced attacks. If confirmed malicious, this could allow the + attacker to execute code with higher privileges, potentially leading to full system + compromise and persistent access. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename 
parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`' -how_to_implement: Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. -known_false_positives: False positives may be generated by administrators installing benign applications using run-as/elevation. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime from + datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") + NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") + by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, + Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, + Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory + | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level + = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) + | rename user as src_user, parent_process* as orig_parent_process*, process* as + parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` + count max(_time) as lastTime from datamodel=Endpoint.Processes where 
(Processes.process_integrity_level + IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) + OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path + IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path + IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, + Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, + Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory + | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) + | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level + OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, + parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, + process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, + orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, + lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_privilege_escalation_suspicious_process_elevation_filter`' +how_to_implement: Target environment must ingest process execution data sources such + as Windows process monitoring and/or Sysmon EID 1. +known_false_positives: False positives may be generated by administrators installing + benign applications using run-as/elevation. references: - https://attack.mitre.org/techniques/T1068/ - https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor 
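Review bot: the final `where elevated_integrity_level > integrity_level OR user != elevated_user` references `elevated_user`, but nothing in the subsearch defines it: the subsearch groups by `Processes.user` and its only rename is `parent_process_guid as join_guid`, so after the `join` the elevated side's account arrives as `user` and `elevated_user` is never populated. A comparison against a missing field is not true in `where`, so the second disjunct never contributes and the "same integrity level but different account" case the outer `rename user as src_user` was set up for is silently dropped. Either add `user as elevated_user` to the subsearch's `rename` and compare `src_user != elevated_user`, or remove the dead clause. Also, `version` jumps from 3 to 5 in this hunk while every other file in the patch increments by one; confirm that is intentional.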
@@ -20,65 +53,53 @@ references: - https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$" src_user = "$src_user$"' + search: '%original_detection_search% | search dest = "$dest$" user = "$user$" src_user + = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime + max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $src_user$ launched a process [$parent_process_name$] which spawned + a suspicious elevated integrity process [$process_name$]. 
+ risk_objects: + - field: dest + type: system + score: 40 + - field: user + type: user + score: 40 + - field: src_user + type: user + score: 40 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Privilege Escalation - BlackSuit Ransomware asset_type: Endpoint - confidence: 40 - impact: 100 - message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. mitre_attack_id: - T1068 - T1548 - T1134 - observable: - - name: dest - role: - - Victim - type: Hostname - - name: user - role: - - Victim - type: User - - name: src_user - role: - - Victim - type: User - - name: process_name - role: - - Attacker - type: Other product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_guid - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.process_guid - - Processes.process_integrity_level - - Processes.process_current_directory - risk_score: 40 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml index 4b1f065ec3..aa2a71407c 100644 
--- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml +++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml 
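Review bot: `- update_timestamp: true` is dropped from the test block in this hunk (and in the private-keys and system-process hunks) without a replacement; if the targeted contentctl version no longer accepts the key that is fine, but if it still does, the replayed `windows_escalation_behavior_sysmon.log` events keep their original timestamps and the test's search window must cover them. A sentence in the PR description would settle it. Also the risk drilldown is titled for `"$dest$" and "$user$"` but searches `"$dest$", "$user$", "$src_user$"`; include `$src_user$` in the name now that it is a risk object as well.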
@@ -1,17 +1,30 @@ name: Windows Privilege Escalation System Process Without System Parent id: 5a5351cd-ba7e-499e-ad82-2ce160ffa637 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment. +description: The following analytic detects any system integrity level process spawned + by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity + and parent user data. This behavior is significant as it often indicates successful + privilege escalation to SYSTEM from a user-controlled process or service. If confirmed + malicious, this activity could allow an attacker to gain full control over the system, + execute arbitrary code, and potentially compromise the entire environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`' -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data. +search: '`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser + IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user + = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) + as lastTime values(process_name) as process_name values(process) as process, values(process_path) + as process_path, values(process_current_directory) as process_current_directory + values(parent_process) as parent_process by dest, user, src_user, parent_process_name, + parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_privilege_escalation_system_process_without_system_parent_filter`' +how_to_implement: Target environment must ingest sysmon data, specifically Event ID + 1 with process integrity and parent user data. known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1068/ 
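Review bot: `data_source` still lists `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2`, but the search is hard-wired to Sysmon raw fields (`` `sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* ``) and `how_to_implement` says Sysmon Event ID 1 with process integrity and parent user data; unlike the sibling elevation detection this one does not go through `Endpoint.Processes`, so those two sources cannot feed it. Trim `data_source` to `Sysmon EventID 1`, or rewrite the search over the data model if 4688 and ProcessRollup2 coverage is actually wanted.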
@@ -24,52 +37,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$src_user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process [$process_name$] on $dest$ was launched with system level integrity + by $src_user$. + risk_objects: + - field: dest + type: system + score: 80 + - field: src_user + type: user + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Privilege Escalation - BlackSuit Ransomware asset_type: Endpoint - confidence: 80 - impact: 100 - message: The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$. 
mitre_attack_id: - T1068 - T1548 - T1134 - observable: - - name: dest - role: - - Victim - type: Hostname - - name: src_user - role: - - Victim - type: User - - name: process_name - role: - - Attacker - type: Other product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - user - - ParentUser - - parent_process_name - - parent_process_guid - - IntegrityLevel - risk_score: 80 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml index 53d6f73625..8fc375b1ca 100644 --- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml +++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml @@ -1,7 +1,7 @@ name: Windows Privilege Escalation User Process Spawn System Process id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Steven Dick status: production type: TTP 
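Review bot: in the second hunk of windows_privilege_escalation_system_process_without_system_parent.yml the test loses `update_timestamp: true` with no replacement, and the same removal repeats in every test block of this PR. If the harness no longer rewrites event timestamps on replay, the unit test depends on the search window covering the dataset's original times; please state in the PR description which contentctl schema version makes the `observable`/`required_fields`/`risk_score` to `rba` migration and the `update_timestamp` removal mandatory, so reviewers can check the rest of the files against the same rule. The score mapping itself is consistent (`confidence: 80`, `impact: 100` and `risk_score: 80` become `score: 80` on both risk objects).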
@@ -59,51 +59,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ launched the process $process_name$ which spawned a system + level integrity process $system_process$ . + risk_objects: + - field: dest + type: system + score: 80 + - field: user + type: user + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Privilege Escalation - Compromised Windows Host - BlackSuit Ransomware asset_type: Endpoint - confidence: 80 - impact: 100 - message: The user $user$ launched a process [$process_name$] which spawned a system - level integrity process [$system_process$]. mitre_attack_id: - T1068 - T1548 - T1134 - observable: - - name: dest - role: - - Victim - type: Hostname - - name: user - role: - - Victim - type: User - - name: process_name - role: - - Attacker - type: Other product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - user - - ParentUser - - parent_process_name - - parent_process_guid - - IntegrityLevel - risk_score: 80 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true name: True Positive Test diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml index 481dc3abb7..ce9f44c5be 100644 
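Review bot: the new `rba.message` in windows_privilege_escalation_user_process_spawn_system_process.yml has a stray space before the period and drops the brackets the old message used. The hunk reads `level integrity process $system_process$ .` while the removed line had `level integrity process [$system_process$].`, and the sibling detection in this same PR keeps `[$process_name$]`. Suggest `level integrity process [$system_process$].` so the two messages stay consistent and the punctuation is right.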
--- a/detections/endpoint/windows_privileged_group_modification.yml +++ b/detections/endpoint/windows_privileged_group_modification.yml @@ -1,7 +1,7 @@ name: Windows Privileged Group Modification id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Brandon Sternfield, Optiv + ClearShark data_source: - Windows Event Log Security 4727 
@@ -14,10 +14,36 @@ data_source: - Windows Event Log Security 4790 type: TTP status: production -description: This analytic detects modifications to privileged groups in Active Directory, including creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups. It specifically monitors for changes to high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", and "ESX Admins", among others. This detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems. -search: '`wineventlog_security` EventCode IN (4727,4731,4744,4749,4754,4759,4783,4790) TargetUserName IN ("Account Operators", "Administrators", "Admins DNS", "Backup Operators", "DnsAdmins", "Domain Admins", "Enterprise Admins", "Enterprise Key Admins", "ESX Admins", "ESXi Admins", "Group Policy Creator Owners", "Hyper-V Administrators", "Key Admins", "Print Operators", "Remote Desktop Users", "Remote Management Users", "Replicators", "Schema Admins", "Server Operators") | eval object_category=case( EventCode="4731", "Local Group (Security)", EventCode="4744", "Local Group (Distribution)", EventCode="4727", "Global Group (Security)", EventCode="4749", "Global Group (Distribution)", EventCode="4754", "Universal Group (Security)", EventCode="4759", "Universal Group (Distribution)", EventCode="4783", "Basic Application Group", EventCode="4790", "LDAP Query Group") | rename Computer as dest, result AS change_type, TargetUserName AS object, TargetSid AS object_path | stats count min(_time) as firstTime max(_time) as lastTime by EventCode src_user object_category object object_path dest change_type status | `windows_privileged_group_modification_filter`' -how_to_implement: To successfully implement this search, ensure that 
Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events. -known_false_positives: Legitimate administrators might create, delete, or modify an a privileged group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities. +description: This analytic detects modifications to privileged groups in Active Directory, + including creation, deletion, and changes to various types of groups such as local, + global, universal, and LDAP query groups. It specifically monitors for changes to + high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", + and "ESX Admins", among others. This detection is particularly relevant in the context + of potential exploitation of vulnerabilities like the VMware ESXi Active Directory + Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt + to manipulate privileged groups to gain unauthorized access to systems. 
+search: '`wineventlog_security` EventCode IN (4727,4731,4744,4749,4754,4759,4783,4790) + TargetUserName IN ("Account Operators", "Administrators", "Admins DNS", "Backup + Operators", "DnsAdmins", "Domain Admins", "Enterprise Admins", "Enterprise Key Admins", + "ESX Admins", "ESXi Admins", "Group Policy Creator Owners", "Hyper-V Administrators", + "Key Admins", "Print Operators", "Remote Desktop Users", "Remote Management Users", + "Replicators", "Schema Admins", "Server Operators") | eval object_category=case( + EventCode="4731", "Local Group (Security)", EventCode="4744", "Local Group (Distribution)", + EventCode="4727", "Global Group (Security)", EventCode="4749", "Global Group (Distribution)", + EventCode="4754", "Universal Group (Security)", EventCode="4759", "Universal Group + (Distribution)", EventCode="4783", "Basic Application Group", EventCode="4790", + "LDAP Query Group") | rename Computer as dest, result AS change_type, TargetUserName + AS object, TargetSid AS object_path | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode src_user object_category object object_path dest change_type + status | `windows_privileged_group_modification_filter`' +how_to_implement: To successfully implement this search, ensure that Windows Security + Event logging is enabled and being ingested into Splunk, particularly for event + codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific + events. +known_false_positives: Legitimate administrators might create, delete, or modify an + a privileged group for valid reasons. Verify that the group changes are authorized + and part of normal administrative tasks. Consider the context of the action, such + as the user performing it and any related activities. references: - https://nvd.nist.gov/vuln/detail/CVE-2024-37085 - https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/%5C 
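Review bot: three text problems survive the reflow in this hunk of windows_privileged_group_modification.yml. First, `known_false_positives` still says `modify an` / `a privileged group` ("an a"); make it "modify a privileged group". Second, `how_to_implement` tells operators to audit "event codes 4727, 4730, and 4737", but the search matches `EventCode IN (4727,4731,4744,4749,4754,4759,4783,4790)`; 4730 and 4737 are never searched, and the seven other codes are not mentioned, so the implementation guidance should list the codes the search actually needs. Third, the Rapid7 reference URL ends in `%5C` (an encoded backslash), which looks like a copy error rather than part of the link.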
@@ -28,49 +54,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A privileged group modification was detected. Group "$object$" ($object_category$) + was $change_type$ on $dest$ by user $src_user$. + risk_objects: + - field: src_user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 asset_type: Endpoint - confidence: 80 - impact: 100 - message: A privileged group modification was detected. Group "$object$" ($object_category$) was $change_type$ on $dest$ by user $src_user$. 
mitre_attack_id: - T1136.001 - T1136.002 - observable: - - name: src_user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - src_user - - object_category - - TargetUserName - - TargetSid - - dest - - result - - status - - _time - risk_score: 80 security_domain: endpoint cve: - CVE-2024-37085 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml index 83bdadb474..0d1f5ce24d 100644 --- a/detections/endpoint/windows_process_commandline_discovery.yml +++ b/detections/endpoint/windows_process_commandline_discovery.yml @@ -1,7 +1,7 @@ name: Windows Process Commandline Discovery id: 67d2a52e-a7e2-4a5d-ae44-a21212048bc2 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting 
@@ -9,48 +9,49 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. Filter as needed. +description: The following analytic detects the use of Windows Management Instrumentation + Command-line (WMIC) to retrieve information about running processes, specifically + targeting the command lines used to launch those processes. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on logs containing + process details and command-line executions. This activity is significant as it + may indicate suspicious behavior, such as a user or process gathering detailed process + information, which is uncommon for non-technical users. If confirmed malicious, + this could allow an attacker to gain insights into running processes, aiding in + further exploitation or lateral movement. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= + "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. + Filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: Activity related to process commandline discovery detected on $dest$ using wmic.exe. mitre_attack_id: - T1057 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml index 7187177154..6f38c5850b 100644 
--- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml +++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml @@ -1,7 +1,7 @@ name: Windows Process Injection In Non-Service SearchIndexer id: d131673f-ede1-47f2-93a1-0108d3e7fafd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,9 +9,29 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies instances of the searchindexer.exe process that are not spawned by services.exe, indicating potential process injection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes. This activity is significant because QakBot malware often uses a fake searchindexer.exe to evade detection and perform malicious actions such as data exfiltration and keystroke logging. If confirmed malicious, this activity could allow attackers to maintain persistence, steal sensitive information, and communicate with command and control servers. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +description: The following analytic identifies instances of the searchindexer.exe + process that are not spawned by services.exe, indicating potential process injection. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and parent processes. This activity is significant because + QakBot malware often uses a fake searchindexer.exe to evade detection and perform + malicious actions such as data exfiltration and keystroke logging. If confirmed + malicious, this activity could allow attackers to maintain persistence, steal sensitive + information, and communicate with command and control servers. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://twitter.com/Max_Mal_/status/1736392741758611607 
@@ -22,46 +42,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An uncommon non-service searchindexer.exe process on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 70 - impact: 70 - message: An uncommon non-service searchindexer.exe process in $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - 
- Processes.process_path - - Processes.parent_process_id - - Processes.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/non-service-searchindexer/seaarch-indexer-non-service.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/non-service-searchindexer/seaarch-indexer-non-service.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index d4f6fbca02..6e1e86e9f8 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml 
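Review bot: the `rba` block added in windows_process_injection_in_non_service_searchindexer.yml sets `threat_objects: []`, yet the search's whole signal is the unexpected parent (`Processes.parent_process_name != services.exe`) and it already groups by `Processes.parent_process_name`. Consider a threat object on `parent_process_name` with `type: process_name`, which is what an analyst pivots on; `process_name` itself is constant (`searchindexer.exe`). Minor: the message `An uncommon non-service searchindexer.exe process on $dest$` lacks the terminal period the other messages in this PR carry.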
@@ -1,16 +1,32 @@ name: Windows Process Injection into Notepad id: b8340d0f-ba48-4391-bea7-9e793c5aae36 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Sysmon EventID 10 -description: The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. -search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed. +description: The following analytic detects process injection into Notepad.exe using + Sysmon EventCode 10. 
It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) + to Notepad.exe, excluding common system paths like System32, Syswow64, and Program + Files. This behavior is often associated with the SliverC2 framework by BishopFox. + Monitoring this activity is crucial as it may indicate an initial payload attempting + to execute malicious code within Notepad.exe. If confirmed malicious, this could + allow attackers to execute arbitrary code, potentially leading to privilege escalation + or persistent access within the environment. +search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN + ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") + | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage + TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_process_injection_into_notepad_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: False positives may be present based on SourceImage paths. + If removing the paths is important, realize svchost and many native binaries inject + into notepad consistently. Restrict or tune as needed. references: - https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors 
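Review bot: `how_to_implement` in windows_process_injection_into_notepad.yml is boilerplate that does not match the search. It asks for "the process name, parent process, and command-line executions", but the search runs on `` `sysmon` EventCode=10 `` and uses `SourceImage`, `TargetImage`, `GrantedAccess` and `CallTrace`, none of which are command-line fields, and `data_source` lists only `Sysmon EventID 10`. Since this hunk already touches the line, rewrite it to require Sysmon Event ID 10 (ProcessAccess) with those four fields, keeping the Sysmon TA version note.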
@@ -20,49 +36,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $SourceImage$ injecting into $TargetImage$ was identified + on endpoint $dest$. + risk_objects: + - field: dest + type: system + score: 32 + threat_objects: + - field: SourceImage + type: process + - field: TargetImage + type: process tags: analytic_story: - BishopFox Sliver Adversary Emulation Framework asset_type: Endpoint - confidence: 80 - impact: 40 - message: An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$. 
mitre_attack_id: - T1055 - T1055.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker - - name: TargetImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - SourceImage - - TargetImage - - GrantedAccess - - CallTrace - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml index b65afe13cc..7ca8139ceb 100644 --- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml +++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml 
@@ -1,15 +1,30 @@ name: Windows Process Injection Of Wermgr to Known Browser id: aec755a5-3a2c-4be0-ab34-6540e68644e9 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host. +description: The following analytic identifies the suspicious remote thread execution + of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and + others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring + SourceImage and TargetImage fields. This activity is significant because it is indicative + of Qakbot malware, which injects malicious code into legitimate processes to steal + information. If confirmed malicious, this activity could allow attackers to execute + arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised + host. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 SourceImage = "*\\wermgr.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=8 SourceImage = "*\\wermgr.exe" TargetImage IN ("*\\firefox.exe", + "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) + as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid + SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_process_injection_of_wermgr_to_known_browser_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the SourceImage, TargetImage, and EventCode executions from your endpoints + related to create remote thread or injecting codes. If you are using Sysmon, you + must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/ 
@@ -20,46 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: wermgr.exe process $SourceImage$ create a remote thread to a browser process + $TargetImage$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 70 - impact: 70 - message: wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$ mitre_attack_id: - T1055.001 - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - SourceProcessGuid - - SourceProcessId - - StartAddress - - StartFunction - - TargetProcessGuid - - TargetProcessId - - 
EventCode - - dest - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index 45c6f64419..acb2c928e0 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml 
@@ -1,15 +1,31 @@ name: Windows Process Injection Remote Thread id: 8a618ade-ca8f-4d04-b972-2d526ba59924 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host. +description: The following analytic detects suspicious remote thread execution in + processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process + injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to + identify remote thread creation in specific target processes. This activity is significant + as it often signifies an attempt by malware to inject malicious code into legitimate + processes, potentially leading to unauthorized code execution. If confirmed malicious, + this could allow attackers to execute arbitrary code, escalate privileges, or maintain + persistence on the compromised host. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", "*\\notepad.exe", "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", "*\\powershell.exe") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", "*\\notepad.exe", + "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", + "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", + "*\\powershell.exe") | stats count min(_time) as firstTime max(_time) as lastTime + by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_process_injection_remote_thread_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records process activity from your hosts like remote thread EventCode=8 of + sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon + TA. known_false_positives: unknown references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg 
@@ -20,53 +36,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $SourceImage$ create a remote thread to process $TargetImage$ on + host $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: SourceImage + type: process tags: analytic_story: - Qakbot - Graceful Wipe Out Attack - Warzone RAT asset_type: Endpoint - confidence: 80 - impact: 80 - message: process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$ mitre_attack_id: - T1055 - T1055.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - TargetProcessId - - 
SourceProcessId - - StartAddress - - EventCode - - dest - - signature - - TargetProcessGuid - - SourceProcessGuid - - StartAddress - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml index 85e8eec814..f639726685 100644 --- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml +++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml 
@@ -1,17 +1,38 @@ name: Windows Process Injection Wermgr Child Process id: 360ae6b0-38b5-4328-9e2b-bc9436cddb17 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious instance of wermgr.exe spawning a child process unrelated to error or fault handling. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant as it can indicate Qakbot malware, which injects malicious code into wermgr.exe to evade detection and execute malicious actions. If confirmed malicious, this behavior could allow an attacker to conduct reconnaissance, execute arbitrary code, and persist within the network, posing a severe security risk. +description: The following analytic identifies a suspicious instance of wermgr.exe + spawning a child process unrelated to error or fault handling. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process relationships + and command-line executions. This activity is significant as it can indicate Qakbot + malware, which injects malicious code into wermgr.exe to evade detection and execute + malicious actions. If confirmed malicious, this behavior could allow an attacker + to conduct reconnaissance, execute arbitrary code, and persist within the network, + posing a severe security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "wermgr.exe" AND NOT (Processes.process_name IN ("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + = "wermgr.exe" AND NOT (Processes.process_name IN ("WerFaultSecure.exe", "wermgr.exe", + "WerFault.exe")) by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg 
@@ -21,47 +42,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: wermgr parent process has a child process $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Qakbot - Windows Error Reporting Service Elevation of Privilege Vulnerability asset_type: Endpoint - confidence: 70 - impact: 80 - message: wermgr parent process has a child process $process_name$ in $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml index c5ee001ef2..6ff6638edb 100644 --- a/detections/endpoint/windows_process_injection_with_public_source_path.yml +++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml 
@@ -1,64 +1,49 @@ name: Windows Process Injection With Public Source Path id: 492f09cf-5d60-4d87-99dd-0bc325532dda -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system. +description: The following analytic detects a process from a non-standard file path + on Windows attempting to create a remote thread in another process. This is identified + using Sysmon EventCode 8, focusing on processes not originating from typical system + directories. This behavior is significant as it often indicates process injection, + a technique used by adversaries to evade detection or escalate privileges. If confirmed + malicious, this activity could allow an attacker to execute arbitrary code within + another process, potentially leading to unauthorized actions and further compromise + of the system. 
data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable. +search: '`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", + "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) + as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid + TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data + that records process activity from your hosts to populate the endpoint data model + in the processes node. If you are using Sysmon, you must have at least version 6.0.4 + of the Sysmon TA. +known_false_positives: Some security products or third party applications may utilize + CreateRemoteThread, filter as needed. 
references: - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 80 - impact: 80 - message: process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$ mitre_attack_id: - T1055 - T1055.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: SourceImage - type: Process - role: - - Attacker - - name: TargetImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - TargetProcessId - - SourceProcessId - - StartAddress - - EventCode - - dest - - signature - - TargetProcessGuid - - SourceProcessGuid - - StartAddress - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml index beee7b3a2f..ea90eee485 100644 --- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml +++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml 
@@ -1,18 +1,40 @@ name: Windows Process With NamedPipe CommandLine id: e64399d4-94a8-11ec-a9da-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects processes with command lines containing named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant as it is often used by adversaries, such as those behind the Olympic Destroyer malware, for inter-process communication post-injection, aiding in defense evasion and privilege escalation. If confirmed malicious, this activity could allow attackers to maintain persistence, escalate privileges, or evade defenses, potentially leading to further compromise of the system. +description: The following analytic detects processes with command lines containing + named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. This behavior is significant as it + is often used by adversaries, such as those behind the Olympic Destroyer malware, + for inter-process communication post-injection, aiding in defense evasion and privilege + escalation. If confirmed malicious, this activity could allow attackers to maintain + persistence, escalate privileges, or evade defenses, potentially leading to further + compromise of the system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*" NOT (Processes.process_path IN ("*\\program files*")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Normal browser application may use this technique. Please update the filter macros to remove false positives. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*" + NOT (Processes.process_path IN ("*\\program files*")) by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.original_file_name + Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id + Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Normal browser application may use this technique. Please update + the filter macros to remove false positives. references: - https://blog.talosintelligence.com/2018/02/olympic-destroyer.html drilldown_searches: 
@@ -21,46 +43,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process with named pipe in $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process with named pipe in $process$ on $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - - Processes.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index b59ae667e6..578832eea3 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml @@ -1,7 +1,7 @@ name: Windows Process With NetExec Command Line Parameters id: adbff89c-c1f2-4a2e-88a4-b5e645856510 -version: 1 -date: '2024-12-19' +version: 2 +date: '2025-01-09' author: Steven Dick, Github Community status: production type: TTP 
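Review bot: In the new rba block `threat_objects: []` is empty even though the message references `$process$` and the base search groups by `Processes.process_name`, so the resulting risk event carries no threat object to pivot on; the other files in this patch attach `- field: process_name` / `type: process_name`, and the same would be consistent here. The rest of the migration checks out: the score 49 matches the removed confidence 70 x impact 70, and the single `dest` risk object of type `system` matches the removed `dest` Endpoint/Victim observable.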
@@ -34,45 +34,33 @@ drilldown_searches: search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name$' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: NetExec command line parameters were used on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Active Directory Kerberos Attacks - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 80 - impact: 80 - message: NetExec command line parameters were used on $dest$ by $user$ mitre_attack_id: - T1550 - T1550.003 - T1558 - T1558.003 - T1558.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process - - Processes.user - - Processes.dest - - Processes.process_name - - Processes.parent_process_name - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml index 9dea7b4e6c..454d390356 100644 --- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml +++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml 
@@ -1,51 +1,64 @@ name: Windows Process Writing File to World Writable Path id: c051b68c-60f7-4022-b3ad-773bec7a225b -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", 
"*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious. +description: The following analytic identifies a process writing a .txt file to a + world writable path. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on file creation events within specific directories. This + activity is significant as adversaries often use such techniques to deliver payloads + to a system, which is uncommon for legitimate processes. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, escalate privileges, + or maintain persistence within the environment, posing a significant security risk. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt + Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", + "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", + "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", + "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", + "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", + "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", + "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections + Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", + "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp + and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") + by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | + `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_process_writing_file_to_world_writable_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the file creation event, process name, file path + and, file name. These logs must be processed using the appropriate Splunk Technology + Add-ons that are specific to the EDR product. 
The logs must also be mapped to the + `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information + Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may occur if legitimate software writes to + these paths. Modify the search to include additional file name extensions. To enhance + it further, adding a join on Processes.process_name may assist with restricting + the analytic to specific process names. Investigate the process and file to determine + if it is malicious. references: - https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/ tags: analytic_story: - APT29 Diplomatic Deceptions with WINELOADER asset_type: Endpoint - confidence: 50 - impact: 50 - message: A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$]. mitre_attack_id: - T1218.005 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: file_name - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - user - - file_name - - file_path - risk_score: 25 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml index 9874d27257..505fbe4854 100644 --- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml 
+++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml 
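Review bot: This file removes `- message:`, `- risk_score: 25` and the observables but, unlike every other detection in the patch, adds no `rba:` block. That is only correct if the new schema exempts `type: Hunting` analytics from RBA; please confirm that is the intent rather than an omission, since the message text is lost entirely. Also, while how_to_implement is being reflowed, fix the stray comma in "file path and, file name" (should be "file path, and file name").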
@@ -1,16 +1,30 @@ name: Windows Processes Killed By Industroyer2 Malware id: d8bea5ca-9d4a-4249-8b56-64a619109835 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats. +description: The following analytic detects the termination of specific processes + by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes + like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant + as it targets processes related to energy facility networks, indicating a potential + attack on critical infrastructure. If confirmed malicious, this could lead to disruption + of essential services, loss of control over energy systems, and significant operational + impact. Immediate investigation is required to determine the cause and mitigate + any potential threats. 
data_source: - Sysmon EventID 5 -search: '`sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -known_false_positives: False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately. +search: '`sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe") + | stats min(_time) as firstTime max(_time) as lastTime count by process_name process + process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also + required. +known_false_positives: False positives are possible if legitimate applications are + allowed to terminate this process during testing or updates. Filter as needed based + on paths that are used legitimately. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ drilldown_searches: 
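Review bot: The rewritten how_to_implement still says "you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled", but the search is `` `sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe") `` and data_source is Sysmon EventID 5; Security 4698 is scheduled-task creation and has nothing to do with process termination. Since these lines are being touched anyway, replace the requirement with Sysmon (EventCode 5, process terminated) plus the Sysmon TA, so operators do not enable the wrong log source.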
@@ -19,47 +33,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process was terminated $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - Data Destruction - Industroyer2 asset_type: Endpoint - confidence: 60 - impact: 60 - message: process was terminated $process_name$ in $dest$ mitre_attack_id: - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - 
Processes.process_path - - Processes.parent_process_id - - Processes.process_guid - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml index eda2dab37e..b55caf7791 100644 --- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml +++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml 
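Review bot: The rba message `process was terminated $process_name$ on $dest$` reads awkwardly; suggest "Process $process_name$ was terminated on $dest$" (the "in $dest$" to "on $dest$" correction itself is good). With `process_name` in the stats by clause, adding it as a threat object would also be consistent with the other files in this patch instead of `threat_objects: []`. Dropping the old required_fields is fine here: they listed Endpoint.Processes data-model fields that this raw `sysmon` search never used.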
@@ -1,18 +1,44 @@ name: Windows Protocol Tunneling with Plink id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed -version: 5 -date: '2024-09-30' +version: 7 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: This analytic detects the use of Plink (including renamed versions like pvhost.exe) for protocol tunneling, which may be used for egress or lateral movement within an organization. It identifies specific command-line options (-R, -L, -D, -l, -N, -P, -pw) commonly used for port forwarding and tunneling by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to bypass network security controls or establish unauthorized connections. If confirmed malicious, this could allow an attacker to exfiltrate data, move laterally across the network, or maintain persistent access, posing a severe threat to the organization's security. The detection covers both the original Plink executable and potential renamed versions, enhancing its ability to catch evasion attempts. +description: This analytic detects the use of Plink (including renamed versions like + pvhost.exe) for protocol tunneling, which may be used for egress or lateral movement + within an organization. It identifies specific command-line options (-R, -L, -D, + -l, -N, -P, -pw) commonly used for port forwarding and tunneling by analyzing process + execution logs from Endpoint Detection and Response (EDR) agents. This activity + is significant as it may indicate an attempt to bypass network security controls + or establish unauthorized connections. If confirmed malicious, this could allow + an attacker to exfiltrate data, move laterally across the network, or maintain persistent + access, posing a severe threat to the organization's security. The detection covers + both the original Plink executable and potential renamed versions, enhancing its + ability to catch evasion attempts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=plink.exe OR Processes.process_name=pvhost.exe OR Processes.original_file_name=Plink) AND Processes.process IN ("*-R *", "*-L *", "*-D *", "*-l *", "*-N *", "*-P *", "*-pw *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=plink.exe + OR Processes.process_name=pvhost.exe OR Processes.original_file_name=Plink) AND + Processes.process IN ("*-R *", "*-L *", "*-D *", "*-l *", "*-N *", "*-P *", "*-pw + *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_protocol_tunneling_with_plink_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if the organization allows for + SSH tunneling outbound or internally. Filter as needed. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html 
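Review bot: The header bumps `-version: 5` to `+version: 7`, skipping 6, while every other detection in this patch increments by exactly one. Unless a version 6 of this analytic was shipped separately, this should be 6; otherwise the changelog implies a release that does not exist.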
@@ -26,59 +52,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - CISA AA22-257A asset_type: Endpoint - confidence: 80 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination. 
mitre_attack_id: - T1572 - T1021.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml index 22928e1535..66dcbfa6da 100644 --- a/detections/endpoint/windows_proxy_via_netsh.yml +++ b/detections/endpoint/windows_proxy_via_netsh.yml @@ -1,7 +1,7 @@ name: Windows Proxy Via Netsh id: c137bfe8-6036-4cff-b77b-4e327dd0a1cf -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
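Review bot: The test block drops `- update_timestamp: true` without explanation. As far as I know that flag makes contentctl rewrite the replayed dataset's timestamps to the current time, so removing it means the True Positive Test now depends on the original timestamps in plink-windows-sysmon.log landing inside the search window; confirm the test still passes or note why the flag was removed. The rba migration itself is consistent (56 = 80 x 70 / 100, and user/dest plus the two process threat objects mirror the removed observables).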
@@ -9,10 +9,33 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "portproxy" and "v4tov4" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. +description: The following analytic identifies the use of netsh.exe to configure a + connection proxy, which can be leveraged for persistence by executing a helper DLL. + It detects this activity by analyzing process creation events from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving "portproxy" + and "v4tov4" parameters. This activity is significant because it indicates potential + unauthorized network configuration changes, which could be used to maintain persistence + or redirect network traffic. If confirmed malicious, this could allow an attacker + to maintain covert access or manipulate network communications, posing a significant + security risk. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process + = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name + Processes.parent_process Processes.original_file_name Processes.process_name Processes.process + Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some VPN applications are known to launch netsh.exe. Outside + of these instances, it is unusual for an executable to launch netsh.exe and run + commands. references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: 
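Review bot: The reflowed description says netsh "can be leveraged for persistence by executing a helper DLL", but the search matches `Processes.process = "* portproxy *" Processes.process = "* v4tov4 *"`, i.e. port-forwarding configuration (T1090/T1090.001 in the tags), not `netsh add helper` DLL persistence; reword the description to describe traffic redirection so it matches what the search and the MITRE mapping actually cover. Separately, how_to_implement says the process GUID must be ingested, yet the by clause omits `Processes.process_guid`/`Processes.process_id` that the namedpipe search in this same patch groups by; adding them makes the result pivotable to the exact process.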
@@ -21,47 +44,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ has launched netsh with command-line $process$ + on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Volt Typhoon asset_type: Endpoint atomic_guid: - b8223ea9-4be2-44a6-b50a-9657a3d4e72a - confidence: 70 - impact: 70 - message: A process $process_name$ has launched netsh with command-line $process$ on $dest$. 
mitre_attack_id: - T1090.001 - T1090 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.user - - Processes.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index b54a036cde..2fa1317db4 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml 
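Review bot: The rba message `A process $process_name$ has launched netsh with command-line $process$ on $dest$.` names the wrong field: because the base search is constrained by `` `process_netsh` ``, `$process_name$` resolves to netsh.exe itself, so the message will read "A process netsh.exe has launched netsh". The launching process is `$parent_process_name$`, which is already in the by clause. For the same reason `threat_objects: []` could carry `- field: parent_process_name` / `type: parent_process_name`, matching the netexec and plink files in this patch.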
@@ -1,15 +1,30 @@ name: Windows Proxy Via Registry id: 0270455b-1385-4579-9ac5-e77046c508ae -version: 4 -date: '2024-12-08' +version: 5 +date: '2024-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 13 -description: The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +description: The following analytic detects the modification of registry keys related + to the Windows Proxy settings via netsh.exe. 
It leverages data from the Endpoint.Registry + data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". + This activity is significant because netsh.exe can be used to establish a persistent + proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe + runs. If confirmed malicious, this could enable the attacker to maintain persistence, + manipulate network configurations, and potentially exfiltrate data or further compromise + the system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path + ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `windows_proxy_via_registry_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ 
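Review bot: the reflowed description in this hunk still claims the activity "potentially allow[s] an attacker to execute a helper DLL whenever netsh.exe runs", but the search only matches `Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*"`, i.e. netsh port-proxy (port forwarding) entries, which is what the T1090.001 tag and the Volt Typhoon reference describe. A netsh helper DLL is a different persistence mechanism that this registry filter does not cover, so the sentence overstates what the detection sees. Since the description is being touched anyway, suggest rewording it to say the persistent port proxy can be used to relay traffic through the host, and drop the helper-DLL claim (or move it to a detection that actually looks for it).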
@@ -19,44 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification for port proxy in$dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Volt Typhoon asset_type: Endpoint atomic_guid: - b8223ea9-4be2-44a6-b50a-9657a3d4e72a - confidence: 70 - impact: 70 - message: A registry modification for port proxy in$dest$ mitre_attack_id: - T1090.001 - T1090 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - - Registry.registry_value_data security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml index 5d9478153b..891570d753 100644 --- a/detections/endpoint/windows_query_registry_browser_list_application.yml +++ b/detections/endpoint/windows_query_registry_browser_list_application.yml 
@@ -1,16 +1,31 @@ name: Windows Query Registry Browser List Application id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts. -search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: uninstall application may access this registry to remove the entry of the target application. filter is needed. 
+description: The following analytic detects a suspicious process accessing the registry + entries for default internet browsers. It leverages Windows Security Event logs, + specifically event code 4663, to identify access attempts to these registry paths. + This activity is significant because adversaries can exploit this registry key to + gather information about installed browsers and their settings, potentially leading + to the theft of sensitive data such as login credentials and browsing history. If + confirmed malicious, this behavior could enable attackers to exfiltrate sensitive + information and compromise user accounts. +search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", + "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT (process_path IN ("*:\\Windows\\System32\\*", + "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count + min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path + process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: uninstall application may access this registry to remove the + entry of the target application. filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
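Review bot: the reflowed `search` in this hunk keeps a duplicated filter value, `object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", "*\\SOFTWARE\\Clients\\StartMenuInternet\\*")`, which is the same pattern listed twice; one entry should be dropped, or, if a second path was intended (for example the WOW6432Node variant), it should be spelled out. In the same search the exclusion list `NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*"))` is redundant, since `"*:\\Windows\\*"` already matches both the System32 and SysWow64 patterns; trimming it to `"*:\\Windows\\*"` and `"*:\\Program Files*"` would be clearer. Minor: `known_false_positives` should start with a capital letter and read "Uninstallers may access this registry key to remove the entry of the target application. Filter as needed.", matching the wording used in windows_query_registry_uninstall_program_list.yml.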
@@ -19,41 +34,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process accessing installed default browser registry on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - RedLine Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A suspicious process accessing installed default browser registry on $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_list/ar3_4663_redline_reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_list/ar3_4663_redline_reg.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml index 00f207ec6c..7a3e64c8f2 100644 --- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml +++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml 
@@ -1,16 +1,28 @@ name: Windows Query Registry UnInstall Program List id: 535fd4fc-7151-4062-9d7e-e896bea77bf6 -version: 4 -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise. -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For Event code 4663, enable the "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstallers may access this registry to remove the entry of the target application. Filter as needed. +description: The following analytic detects an access request on the uninstall registry + key. It leverages Windows Security Event logs, specifically event code 4663. This + activity is significant because adversaries or malware can exploit this key to gather + information about installed applications, aiding in further attacks. 
If confirmed + malicious, this behavior could allow attackers to map out installed software, potentially + identifying vulnerabilities or software to exploit, leading to further system compromise. +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*" + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name + object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For Event code 4663, enable the "Audit Object + Access" in Group Policy. Then check the two boxes listed for both "Success" and + "Failure." +known_false_positives: Uninstallers may access this registry to remove the entry of + the target application. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
@@ -19,42 +31,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process $process_name$ accessing uninstall registry on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - RedLine Stealer - Meduza Stealer asset_type: Endpoint - confidence: 50 - impact: 50 - message: A suspicious process $process_name$ accessing uninstall registry on $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - 
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/recon_registry/recon-reg-redline-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/recon_registry/recon-reg-redline-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml index 8027002d0c..9e419ace18 100644 --- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml +++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml @@ -1,7 +1,7 @@ name: Windows Raccine Scheduled Task Deletion id: c9f010da-57ab-11ec-82bd-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
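Review bot: the Raccine hunk bumps `version: '5'` to `version: 7`, skipping 6, while the other detections in this patch bump by exactly one (for example 4 to 5 in windows_proxy_via_registry.yml). If 6 was consumed by an intermediate change that is not in this diff, fine, but otherwise this should be `version: 6` so the sequence stays contiguous. Changing the scalar from the quoted string `'5'` to the bare integer `7` is a good fix in its own right and worth keeping regardless.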
@@ -49,56 +49,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to disable Raccines scheduled task. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Ransomware - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task. mitre_attack_id: - T1562.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml index b2838a4cec..d32b055b50 100644 --- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml +++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml 
@@ -1,16 +1,29 @@ name: Windows Rapid Authentication On Multiple Hosts id: 62606c77-d53d-4182-9371-b02cdbbbcef7 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 4624 -description: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network. -search: '`wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. +description: The following analytic detects a source computer authenticating to 30 + or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior + is identified by analyzing Windows Event Logs for LogonType 3 events and counting + unique target computers. Such activity is significant as it may indicate lateral + movement or network share enumeration by an adversary. 
If confirmed malicious, this + could lead to unauthorized access to multiple systems, potentially compromising + sensitive data and escalating privileges within the network. +search: '`wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS + LOGON" TargetUserName!="*$" | bucket span=5m _time | stats dc(Computer) AS unique_targets + values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets + > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: Vulnerability scanners or system administration tools may also + trigger this detection. Filter as needed. references: - https://attack.mitre.org/techniques/T1135/ - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ 
@@ -21,44 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host_targets$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The source computer with ip address $IpAddress$ authenticated to a large + number of remote endpoints within 5 minutes. + risk_objects: + - field: host_targets + type: system + score: 48 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Privilege Escalation - Active Directory Lateral Movement asset_type: Endpoint - confidence: 80 - impact: 60 - message: The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes. 
mitre_attack_id: - T1003.002 - observable: - - name: host_targets - type: Endpoint - role: - - Victim - - name: IpAddress - type: Endpoint - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - TargetUserName - - Computer - - IpAddress - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml index 3507ccdb90..47773b52e9 100644 --- a/detections/endpoint/windows_rasautou_dll_execution.yml +++ b/detections/endpoint/windows_rasautou_dll_execution.yml @@ -1,7 +1,7 @@ name: Windows Rasautou DLL Execution id: 6f42b8be-8e96-11ec-ad5a-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
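Review bot: same question as for windows_raccine_scheduled_task_deletion.yml, the rasautou hunk goes from `version: '5'` to `version: 7` and skips 6; confirm the jump is intentional, otherwise use `version: 6`.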
@@ -53,54 +53,36 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ attempting to load a DLL in a suspicious manner. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ attempting to load a DLL in a suspicious manner. mitre_attack_id: - T1055.001 - T1218 - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index 7f68f0ad60..d6193ca528 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml 
@@ -1,16 +1,30 @@ name: Windows Raw Access To Disk Volume Partition id: a85aa37e-9647-11ec-90c5-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity. +description: The following analytic detects suspicious raw access reads to the device + disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify + processes attempting to read or write to the boot sector, excluding legitimate system + processes. This activity is significant as it is commonly associated with destructive + actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, + as seen in attacks involving malware like HermeticWiper. If confirmed malicious, + this behavior could lead to severe impacts, including system inoperability, data + loss, or compromised boot integrity. 
data_source: - Sysmon EventID 9 -search: '`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. +search: '`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", + "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as + lastTime by dest signature signature_id process_guid process_name process_path Device + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the raw access read event (like sysmon eventcode 9), process name and + process guid from your endpoints. If you are using Sysmon, you must have at least + version 6.0.4 of the Sysmon TA. +known_false_positives: There are som minimal number of normal applications from system32 folder like svchost.exe accessing the MBR. In this + case we used 'system32' and 'syswow64' path as a filter for this detection. references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html drilldown_searches: 
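Review bot: the rewritten `known_false_positives` line in this hunk has a typo and a grammar slip, "There are som minimal number of normal applications from system32 folder like svchost.exe accessing the MBR." Suggest "A small number of legitimate applications under the System32 folder, such as svchost.exe, also perform raw reads of the disk partition; this detection therefore excludes the 'system32' and 'syswow64' paths." Note also that the search filters on `Device = \\Device\\HarddiskVolume*` (volume partitions), and the MBR case is covered by the separate windows_raw_access_to_master_boot_record_drive.yml, so "accessing the MBR" is the wrong object for this analytic.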
@@ -19,9 +33,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process accessing disk partition $Device$ on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - CISA AA22-264A 
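Review bot: in the new rba block, `threat_objects: []` leaves the risk event without a threat object even though the search's `stats ... by dest signature signature_id process_guid process_name process_path Device` already emits process_name and process_path; consider adding a threat object for process_name so the risk event can be pivoted to the offending process, keeping the dest risk_object as is. The score of 90 matches the removed `risk_score: 90` (confidence 100 x impact 90), so that part checks out.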
@@ -32,37 +58,18 @@ tags: - BlackByte Ransomware - NjRAT asset_type: Endpoint - confidence: 100 - impact: 90 - message: Process accessing disk partition $Device$ in $dest$ mitre_attack_id: - T1561.002 - T1561 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - signature - - signature_id - - process_guid - - process_name - - process_path - - Device - - EventCode - - Image - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml index ca30f8c558..3692033d81 100644 --- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml +++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml 
@@ -1,16 +1,30 @@ name: Windows Raw Access To Master Boot Record Drive id: 7b83f666-900c-11ec-a2d9-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations. +description: The following analytic detects suspicious raw access reads to the drive + containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify + processes attempting to read or write to the MBR sector, excluding legitimate system + processes. This activity is significant because adversaries often target the MBR + to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed + malicious, this could lead to system instability, data loss, or a complete system + compromise, severely impacting the organization's operations. 
data_source: - Sysmon EventID 9 -search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. +search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", + "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as + lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode + | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_raw_access_to_master_boot_record_drive_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the raw access read event (like sysmon eventcode 9), process name and + process guid from your endpoints. If you are using Sysmon, you must have at least + version 6.0.4 of the Sysmon TA. +known_false_positives: There are som minimal number of normal applications from system32 folder like svchost.exe accessing the MBR. In this + case we used 'system32' and 'syswow64' path as a filter for this detection. 
references: - https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html - https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/ @@ -21,9 +35,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process accessing MBR $Device$ on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - CISA AA22-264A 
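Review bot: same typo and grammar problem as in the disk-volume-partition file: in `known_false_positives: There are som minimal number of normal applications ...`, "som" should be "some" and "a minimal number of normal applications" reads better; here "accessing the MBR" is accurate, since the search targets `\\Device\\Harddisk0\\DR0`. Wrap the line to match the folding used for the other rewritten fields in the hunk.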
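Review bot: the rba message `process accessing MBR $Device$ on $dest$` starts lowercase while the sibling detection's message reads `Process accessing disk partition $Device$ on $dest$`; capitalise it for consistency, since the string surfaces verbatim in the risk index. As in the sibling file, `threat_objects: []` could carry the Image field the search already groups by (`stats ... by Computer Image Device ProcessGuid ProcessId ...`) so analysts can pivot from the risk event to the process. The score of 90 matches the removed confidence 100 x impact 90.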
@@ -35,35 +61,18 @@ tags: - BlackByte Ransomware - NjRAT asset_type: Endpoint - confidence: 100 - impact: 90 - message: process accessing MBR $Device$ on $dest$ mitre_attack_id: - T1561.002 - T1561 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Image - - Device - - ProcessGuid - - ProcessId - - EventDescription - - EventCode - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml index 5822f1ef40..6d9f87d34c 100644 --- a/detections/endpoint/windows_rdp_connection_successful.yml +++ b/detections/endpoint/windows_rdp_connection_successful.yml 
@@ -1,16 +1,27 @@ name: Windows RDP Connection Successful id: ceaed840-56b3-4a70-b8e1-d762b1c5c08c -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting data_source: - Windows Event Log RemoteConnectionManager 1149 -description: The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly. -search: '`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`' -how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. -known_false_positives: False positives will be present, filter as needed or restrict to critical assets on the perimeter. +description: The following analytic detects successful Remote Desktop Protocol (RDP) + connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager + Operational log. This detection is significant as successful RDP connections can + indicate remote access to a system, which may be leveraged by attackers to control + or exfiltrate data. 
If confirmed malicious, this activity could lead to unauthorized + access, data theft, or further lateral movement within the network. Monitoring successful + RDP connections is crucial for identifying potential security breaches and mitigating + risks promptly. +search: '`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime + max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`' +how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager + Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. +known_false_positives: False positives will be present, filter as needed or restrict + to critical assets on the perimeter. references: - https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706 - https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 
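Review bot: the reflowed how_to_implement line carries two typos over from the original, `The following analyic requires the WIndows TerminalServices RemoteConnectionManager`: "analyic" should be "analytic" and "WIndows" should be "Windows". Since the hunk already rewrites this line, fix them here rather than in a follow-up.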
@@ -20,31 +31,18 @@ tags: - BlackByte Ransomware asset_type: Endpoint atomic_guid: [] - confidence: 50 - impact: 50 - message: A successful RDP connection on $dest$ occurred. mitre_attack_id: - T1563.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - ComputerName - - Source_Network_Address - - User - - Message - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log - source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log + source: + WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rdp_file_execution.yml b/detections/endpoint/windows_rdp_file_execution.yml index 7bb3814b57..dd590dc0e6 100644 --- a/detections/endpoint/windows_rdp_file_execution.yml +++ b/detections/endpoint/windows_rdp_file_execution.yml 
@@ -1,57 +1,53 @@ name: Windows RDP File Execution id: 0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4 -version: 1 -date: '2024-11-21' +version: 2 +date: '2025-01-21' author: Michael Haag, Splunk type: TTP status: production -description: The following analytic detects when a Windows RDP client attempts to execute an RDP file from a temporary directory, downloads directory, or Outlook directories. This detection is significant as it can indicate an attempt for an adversary to deliver a .rdp file, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. +description: The following analytic detects when a Windows RDP client attempts to + execute an RDP file from a temporary directory, downloads directory, or Outlook + directories. This detection is significant as it can indicate an attempt for an + adversary to deliver a .rdp file, which may be leveraged by attackers to control + or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized + access, data theft, or further lateral movement within the network. 
data_source: - - Sysmon EventID 1 - - Windows Event Log Security 4688 - - CrowdStrike ProcessRollup2 -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process IN ("*\\AppData\\Local\\Temp\\*", "*\\Olk\\Attachments\\*", "*\\AppData\\Local\\Microsoft\\Outlook\\*", "*\\Content.Outlook\\*", "*\\Downloads\\*") - AND Processes.process="*.rdp*" - by Processes.process Processes.process_name Processes.user Processes.dest Processes.parent_process_name Processes.parent_process - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | eval - execution_type=case( - match(process, "\\\\Temp\\\\.*\\.(zip|7z|rar|cab|tgz|gz|tar|iso|img|vhd|vhdx).*\\.*\\.rdp"), "temp_archive_execution", - match(process, "\\\\Downloads\\\\"), "downloads_execution", - match(process, "\\\\Temp\\\\"), "temp_execution", - match(process, "\\\\Microsoft\\\\Outlook\\\\"), "outlook_execution", - match(process, "\\\\Olk\\\\Attachments\\\\"), "outlook_execution", - match(process, "\\\\Content.Outlook\\\\"), "outlook_execution", - true(), "other" - ), - risk_score=case( - execution_type="temp_archive_execution", "Critical", - execution_type IN ("temp_execution", "outlook_execution"), "High", - execution_type="downloads_execution", "Medium", - true(), "Low" - ), - risk_reason=case( - execution_type="temp_archive_execution", "RDP file executed directly from archive/disk image in Temp directory", - execution_type="downloads_execution", "RDP file executed from Downloads directory (Could be legitimate admin activity)", - execution_type="temp_execution", "RDP file executed from Temp directory", - execution_type="outlook_execution", "RDP file executed from Outlook directories", - true(), "Standard RDP file execution" - ) - | sort - risk_score - | rename - process_name as "RDP Process", - parent_process_name as "Parent Process", - process as "Command Line", - user as "User", - 
execution_type as "Execution Context", - risk_score as "Risk Level", - risk_reason as "Risk Details" - | fields - parent_process | `windows_rdp_file_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on administrators using RDP files for legitimate purposes. Filter as needed. 
+- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process IN ("*\\AppData\\Local\\Temp\\*", "*\\Olk\\Attachments\\*", + "*\\AppData\\Local\\Microsoft\\Outlook\\*", "*\\Content.Outlook\\*", "*\\Downloads\\*") + AND Processes.process="*.rdp*" by Processes.process Processes.process_name Processes.user + Processes.dest Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval + execution_type=case( match(process, "\\\\Temp\\\\.*\\.(zip|7z|rar|cab|tgz|gz|tar|iso|img|vhd|vhdx).*\\.*\\.rdp"), + "temp_archive_execution", match(process, "\\\\Downloads\\\\"), "downloads_execution", + match(process, "\\\\Temp\\\\"), "temp_execution", match(process, "\\\\Microsoft\\\\Outlook\\\\"), + "outlook_execution", match(process, "\\\\Olk\\\\Attachments\\\\"), "outlook_execution", + match(process, "\\\\Content.Outlook\\\\"), "outlook_execution", true(), "other" + ), risk_score=case( execution_type="temp_archive_execution", "Critical", execution_type + IN ("temp_execution", "outlook_execution"), "High", execution_type="downloads_execution", + "Medium", true(), "Low" ), risk_reason=case( execution_type="temp_archive_execution", + "RDP file executed directly from archive/disk image in Temp directory", execution_type="downloads_execution", + "RDP file executed from Downloads directory (Could be legitimate admin activity)", + execution_type="temp_execution", "RDP file executed from Temp directory", execution_type="outlook_execution", + "RDP file executed from Outlook directories", true(), "Standard RDP file execution" + ) | sort - risk_score | rename process_name as "RDP Process", parent_process_name + as "Parent Process", process as "Command Line", user as "User", execution_type as + "Execution Context", risk_score as 
"Risk Level", risk_reason as "Risk Details" | + fields - parent_process | `windows_rdp_file_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on administrators using + RDP files for legitimate purposes. Filter as needed. references: - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ drilldown_searches: 
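Review bot: a logic problem in the search that this hunk reflows but does not change: `risk_score=case( execution_type="temp_archive_execution", "Critical", ...)` assigns string labels, and `| sort - risk_score` then orders them lexically, so the descending order is Medium, Low, High, Critical, the reverse of the intended severity order. Sort on a numeric rank instead (for example assign 4/3/2/1 in a separate eval field and sort on that, keeping the labels only for the renamed "Risk Level" column). Naming the eval field `risk_score` is also confusing next to the rba score this PR introduces; a name like `execution_risk` would avoid the collision.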
@@ -60,41 +56,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows RDP client attempted to execute an RDP file from a temporary + directory, downloads directory, or Outlook directories on the endpoint $dest$. + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments asset_type: Endpoint - confidence: 70 - impact: 60 - message: A Windows RDP client attempted to execute an RDP file from a temporary directory, downloads directory, or Outlook directories on the endpoint $dest$. 
mitre_attack_id: - T1598.002 - T1021.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - process_guid - - process_name - - process - - parent_process_name - - parent_process - - user - risk_score: 42 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml index df60b1340f..f50b20c891 100644 --- a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml +++ b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml 
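Review bot: the new rba block has `threat_objects: []`, and because the search renames `process_name as "RDP Process"` and `process as "Command Line"` before the filter macro, the risk event cannot reference the process fields under their CIM names. If the command line is meant to be a threat object, either move the display renames after the fields rba needs or keep the original field names; otherwise the empty list is acceptable. The score of 42 matches the removed confidence 70 x impact 60.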
@@ -1,19 +1,34 @@ name: Windows RDPClient Connection Sequence Events id: 67340df1-3f1d-4470-93c8-9ac7249d11b0 -version: 1 -date: '2024-11-21' +version: 2 +date: '2025-01-21' author: Michael Haag, Splunk type: Anomaly status: production -description: This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out. +description: This analytic monitors Windows RDP client connection sequence events + (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational + log. These events track when RDP ClientActiveX initiates connection attempts to + remote servers. The connection sequence is a critical phase of RDP where the client + and server exchange settings and establish common parameters for the session. Monitoring + these events can help identify unusual RDP connection patterns, potential lateral + movement attempts, unauthorized remote access activity, and RDP connection chains + that may indicate compromised systems. NOTE the analytic was written for Multi-Line + as XML was not properly parsed out. 
data_source: - Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 -search: '`wineventlog_rdp` EventCode=1024 - | rename host as dest - | stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages by dest, source, LogName, EventCode, category - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rdpclient_connection_sequence_events_filter`' -how_to_implement: To successfully implement this detection, ensure Windows RDP Client Operational logs are being collected and forwarded to Splunk. Enable logging for "Microsoft-Windows-TerminalServices-RDPClient/Operational", via a new inputs.conf input. See references for more details. -known_false_positives: Legitimate RDP connections from authorized administrators and users will generate these events. To reduce false positives, you should baseline normal RDP connection patterns in your environment, whitelist expected RDP connection chains between known administrative workstations and servers, and track authorized remote support sessions. +search: '`wineventlog_rdp` EventCode=1024 | rename host as dest | stats count as "Event + Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages + by dest, source, LogName, EventCode, category | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_rdpclient_connection_sequence_events_filter`' +how_to_implement: To successfully implement this detection, ensure Windows RDP Client + Operational logs are being collected and forwarded to Splunk. Enable logging for + "Microsoft-Windows-TerminalServices-RDPClient/Operational", via a new inputs.conf + input. See references for more details. +known_false_positives: Legitimate RDP connections from authorized administrators and + users will generate these events. 
To reduce false positives, you should baseline + normal RDP connection patterns in your environment, whitelist expected RDP connection + chains between known administrative workstations and servers, and track authorized + remote support sessions. references: - https://gist.github.com/MHaggis/acd5dcbf1d4fb705b77f0a48e772eefc - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ 
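Review bot: two small wording points in the reflowed fields: drop the stray comma in `Enable logging for "Microsoft-Windows-TerminalServices-RDPClient/Operational", via a new inputs.conf input.`, and rewrite `NOTE the analytic was written for Multi-Line as XML was not properly parsed out.` as a full sentence saying that the search expects the multi-line (non-XML) rendering of the event, which is consistent with the `sourcetype: WinEventLog` used by the test data.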
@@ -23,39 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows RDP client initiated a connection sequence event (EventCode 1024) + on host $dest$. + risk_objects: + - field: dest + type: system + score: 7 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments asset_type: Endpoint - confidence: 70 - impact: 10 - message: A Windows RDP client initiated a connection sequence event (EventCode 1024) on host $dest$. 
mitre_attack_id: - T1133 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - host - - source - - LogName - - EventCode - - category - risk_score: 7 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1133/rdp/terminalservices-rdpclient.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1133/rdp/terminalservices-rdpclient.log sourcetype: WinEventLog source: WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index e70f4bdff3..fe58557358 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -1,7 +1,7 @@ name: Windows Registry BootExecute Modification id: eabbac3a-45aa-4659-920f-6b8cff383fb8 -version: 5 -date: '2024-12-03' +version: 6 +date: '2024-12-16' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,8 +15,8 @@ description: The following analytic detects modifications to the BootExecute reg to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path="*\\System\\CurrentControlSet\\Control\\Session +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) 
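Review bot: the line break this hunk moves inside the single-quoted search string, `Registry.registry_path="*\\System\\CurrentControlSet\\Control\\Session` followed by `Manager\\BootExecute"`, is load-bearing: YAML folds the break in a quoted scalar into exactly one space, which is what yields the correct key name `Session Manager`. Any later reformatting that re-indents or joins those lines differently would silently change the registry path match, so keep the split intact or fold the string so the space is explicit at the end of the first line rather than implied by the break.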
@@ -35,43 +35,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Registry BootExecute value was modified on $dest$ and should be reviewed + immediately. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - Windows BootKits asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 100 - message: The Registry BootExecute value was modified on $dest$ and should be reviewed immediately. 
mitre_attack_id: - T1542 - T1547.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - _time - - Registry.dest - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_value_data - - Registry.process_guid - - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml index a2d5fde656..622710a169 100644 --- a/detections/endpoint/windows_registry_certificate_added.yml +++ b/detections/endpoint/windows_registry_certificate_added.yml 
@@ -1,18 +1,25 @@ name: Windows Registry Certificate Added id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87 -version: 5 -date: '2024-11-14' +version: 6 +date: '2025-01-21' author: Michael Haag, Teodeerick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing "certificates" and registry values named "Blob." This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches. +description: The following analytic detects the installation of a root CA certificate + by monitoring specific registry paths for SetValue events. It leverages data from + the Endpoint datamodel, focusing on registry paths containing "certificates" and + registry values named "Blob." This activity is significant because unauthorized + root CA certificates can compromise the integrity of encrypted communications and + facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an + attacker to intercept, decrypt, or manipulate sensitive data, leading to severe + security breaches. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name - Registry.process_guid Registry.registry_key_name Registry.registry_value_data | - `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\certificates\\*") + AND Registry.registry_value_name="Blob" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from 
@@ -31,40 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A root certificate was added on $dest$. + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Windows Drivers - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 60 - message: A root certificate was added on $dest$. 
mitre_attack_id: - T1553.004 - T1553 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index 30dc8aa82d..29340bbd09 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml 
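Review bot: in the windows_registry_certificate_added.yml hunk `@@ -31,40 +38,38 @@`, the test dataset being reflowed lives under `attack_techniques/T1587.002/` while the detection is tagged `T1553.004` / `T1553`. The URL is only re-wrapped here, but since the line is touched it is a good moment to confirm the dataset location is intentional, or to align the ATT&CK tags with the data it is tested against. The new `rba.score: 42` matches the removed `confidence: 70` × `impact: 60` / 100, so risk scoring is preserved by this change.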
@@ -1,18 +1,25 @@ name: Windows Registry Delete Task SD id: ffeb7893-ff06-446f-815b-33ca73224e92 -version: 4 -date: '2024-11-14' +version: 5 +date: '2025-01-21' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions or modifications of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security. Immediate investigation is required. +description: The following analytic detects a process attempting to delete a scheduled + task's Security Descriptor (SD) from the registry path of that task. It leverages + the Endpoint.Registry data model to identify registry actions performed by the SYSTEM + user, specifically targeting deletions or modifications of the SD value. This activity + is significant as it may indicate an attempt to remove evidence of a scheduled task + for defense evasion. If confirmed malicious, it suggests an attacker with privileged + access trying to hide their tracks, potentially compromising system integrity and + security. Immediate investigation is required. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") Registry.user="SYSTEM" - Registry.registry_value_name="SD" (Registry.action=Deleted OR Registry.action=modified) - by Registry.dest Registry.process_guid Registry.user Registry.registry_path - Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") + Registry.user="SYSTEM" Registry.registry_value_name="SD" (Registry.action=Deleted + OR Registry.action=modified) by Registry.dest Registry.process_guid Registry.user + Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`' how_to_implement: To successfully implement this search you need to be ingesting information 
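Review bot: the reflowed search in windows_registry_delete_task_sd.yml (`@@ -1,18 +1,25 @@`) keeps the mixed-case action filter `(Registry.action=Deleted OR Registry.action=modified)`. The inconsistent casing reads like a leftover and, depending on how the add-on populates the CIM `action` field, the two branches may not match the same way. Suggest checking which form the test dataset actually emits and normalizing both literals to it, e.g. `(Registry.action=deleted OR Registry.action=modified)`.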
@@ -33,46 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A scheduled task security descriptor was deleted from the registry on $dest$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Windows Registry Abuse - Windows Persistence Techniques - Scheduled Tasks asset_type: Endpoint - confidence: 70 - impact: 70 - message: A scheduled task security descriptor was deleted from the registry on $dest$. 
mitre_attack_id: - T1053.005 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.process_guid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml index f9675493ff..256ee2f8e3 100644 --- a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml +++ b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml 
@@ -1,16 +1,35 @@ name: Windows Registry Dotnet ETW Disabled Via ENV Variable id: 55502381-5cce-491b-9277-7cb1d10bc0df -version: 1 -date: '2024-12-08' +version: 3 +date: '2025-01-07' author: Nasreddine Bencherchali, Splunk status: production type: TTP -description: The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the COMPlus_ETWEnabled registry value under the "Environment" registry key path for both user (HKCU\Environment) and machine (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) scopes. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. +description: The following analytic detects a registry modification that disables + the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data + model, specifically monitoring changes to the COMPlus_ETWEnabled registry value + under the "Environment" registry key path for both user (HKCU\Environment) and machine + (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) scopes. This + activity is significant because disabling ETW can allow attackers to evade Endpoint + Detection and Response (EDR) tools and hide their execution from audit logs. If + confirmed malicious, this action could enable attackers to operate undetected, potentially + leading to further compromise and persistent access within the environment. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Environment*" Registry.registry_value_name="COMPlus_ETWEnabled" (Registry.registry_value_data=0x000000000 OR Registry.registry_value_data=0) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_dotnet_etw_disabled_via_env_variable_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 -known_false_positives: Setting the "COMPlus_ETWEnabled" value as a global environment variable either in user or machine scope should only happens during debugging use cases, hence the false positives rate should be very minimal. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Environment*" + Registry.registry_value_name="COMPlus_ETWEnabled" (Registry.registry_value_data=0x000000000 + OR Registry.registry_value_data=0) BY Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_dotnet_etw_disabled_via_env_variable_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official + Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: Setting the "COMPlus_ETWEnabled" value as a global environment + variable either in user or machine scope should only happens during debugging use + cases, hence the false positives rate should be very minimal. references: - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ 
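Review bot: three points on the windows_registry_dotnet_etw_disabled_via_env_variable.yml header hunk (`@@ -1,16 +1,35 @@`). First, `version` jumps from 1 to 3 with a single `date` change; confirm 3 is intended rather than 2. Second, the reflowed `known_false_positives` still carries the grammar slip `should only happens`; suggest `should only happen during debugging use cases, so the false positive rate should be very low`. Third, the search literal `Registry.registry_value_data=0x000000000` has nine zeros after `0x`, one more than the eight hex digits Sysmon uses when it renders a DWORD, so that branch is unlikely to match anything and the `OR Registry.registry_value_data=0` branch is probably doing all the work; either correct the literal to the form present in the test data or drop it.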
@@ -21,46 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Modified registry entry $registry_path$ in $dest$ + risk_objects: + - field: dest + type: system + score: 90 + - field: user + type: user + score: 90 + threat_objects: [] tags: analytic_story: - Windows Registry Abuse - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 100 - impact: 90 - message: Modified registry entry $registry_path$ in $dest$ mitre_attack_id: - T1562.006 - T1562 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - 
Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_registry_entries_exported_via_reg.yml similarity index 53% rename from detections/endpoint/windows_query_registry_reg_save.yml rename to detections/endpoint/windows_registry_entries_exported_via_reg.yml index 62d4a5536e..b19bc42c31 100644 --- a/detections/endpoint/windows_query_registry_reg_save.yml +++ b/detections/endpoint/windows_registry_entries_exported_via_reg.yml 
@@ -1,16 +1,16 @@ -name: Windows Query Registry Reg Save -id: cbee60c1-b776-456f-83c2-faa56bdbe6c6 -version: 3 -date: '2024-10-17' +name: Windows Registry Entries Exported Via Reg +id: 466379bc-0f47-476c-8202-16ef38112e0d +version: 1 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the reg.exe process with the "save" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the "reg save" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry. +description: The following analytic detects the execution of the reg.exe process with either the "save" or "export" parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the "reg save" or "reg export" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* save *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process IN ("* save *", "* export *") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_entries_exported_via_reg_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries. references: @@ -23,40 +23,12 @@ tags: - CISA AA23-347A - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: execution of process $process_name$ in $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -64,4 +36,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_registry_entries_restored_via_reg.yml similarity index 68% rename from detections/endpoint/windows_modify_registry_reg_restore.yml rename to detections/endpoint/windows_registry_entries_restored_via_reg.yml index 5e6a9ed246..ae180959c0 100644 --- a/detections/endpoint/windows_modify_registry_reg_restore.yml +++ b/detections/endpoint/windows_registry_entries_restored_via_reg.yml 
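Review bot: the rename from windows_query_registry_reg_save.yml to windows_registry_entries_exported_via_reg.yml also replaces `id` (`cbee60c1-b776-456f-83c2-faa56bdbe6c6` → `466379bc-0f47-476c-8202-16ef38112e0d`) and resets `version` from 3 to 1. A new id makes this a brand-new detection for anything keyed on it (deployed saved searches, suppressions, tuning on the old name) while the old id simply disappears rather than being marked deprecated. Since the logic change is limited to `Processes.process = "* save *"` → `Processes.process IN ("* save *", "* export *")` plus the filter macro name, keeping the original id and bumping to version 4 would preserve that continuity; if a fresh id is deliberate, the old detection should go through the repo's deprecation path and the PR description should say so. Dropping `message:` without adding an `rba:` block is consistent with `type: Hunting`.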
@@ -1,7 +1,7 @@ -name: Windows Modify Registry Reg Restore -id: d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e -version: 3 -date: '2024-10-17' +name: Windows Registry Entries Restored Via Reg +id: a17af481-e2ad-494c-9da6-afb4d243a019 +version: 1 +date: '2025-01-14' author: Teoderick Contreras, Splunk status: production type: Hunting 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* restore *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* restore *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_entries_restored_via_reg_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries. references: @@ -22,40 +22,12 @@ tags: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: execution of process $process_name$ in $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test @@ -63,4 +35,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml index db314040c7..24e9c7a7fa 100644 --- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml +++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml 
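Review bot: the windows_modify_registry_reg_restore.yml → windows_registry_entries_restored_via_reg.yml rename swaps `id` (`d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e` → `a17af481-e2ad-494c-9da6-afb4d243a019`) and resets `version` from 3 to 1 even though the search is unchanged apart from `windows_modify_registry_reg_restore_filter` → `windows_registry_entries_restored_via_reg_filter`. A pure rename with identical logic is the clearest case for keeping the existing id and bumping the version, so that consumers do not see one detection vanish and an unrelated one appear; if the id change is intentional, note the reason in the commit or PR description.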
@@ -1,15 +1,22 @@ name: Windows Registry Modification for Safe Mode Persistence id: c6149154-c9d8-11eb-9da7-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2025-01-21' author: Teoderick Contreras, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions. +description: The following analytic identifies modifications to the SafeBoot registry + keys, specifically within the Minimal and Network paths. This detection leverages + registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring + these keys is crucial as adversaries can use them to persist drivers or services + in Safe Mode, with Network allowing network connections. If confirmed malicious, + this activity could enable attackers to maintain persistence even in Safe Mode, + potentially bypassing certain security measures and facilitating further malicious + actions. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*") +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
@@ -33,41 +40,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Safeboot registry $registry_path$ was added or modified with a new value + $registry_value_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - Ransomware - Windows Registry Abuse - Windows Drivers asset_type: Endpoint - confidence: 70 - impact: 60 - message: Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$ mitre_attack_id: - T1547.001 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - - Registry.dest - 
risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml index c7c051015c..9a2dcd0047 100644 --- a/detections/endpoint/windows_registry_payload_injection.yml +++ b/detections/endpoint/windows_registry_payload_injection.yml 
@@ -1,16 +1,43 @@ name: Windows Registry Payload Injection id: c6b2d80f-179a-41a1-b95e-ce5601d7427a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint. +description: The following analytic detects suspiciously long data written to the + Windows registry, a behavior often linked to fileless malware or persistence techniques. + It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry + events with data lengths exceeding 512 characters. This activity is significant + as it can indicate an attempt to evade traditional file-based defenses, making it + crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers + to maintain persistence, execute code, or manipulate system configurations without + leaving a conventional file footprint. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` + | join max=0 dest process_guid [| tstats `security_content_summariesonly` count + from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h + Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields + firstTime lastTime dest user parent_process_name parent_process process_name process_path + process registry_key_name registry_path registry_value_name registry_value_data + process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown, possible custom scripting. 
references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations 
@@ -22,60 +49,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process $process_name$ added a suspicious length of registry data on + $dest$. + risk_objects: + - field: dest + type: system + score: 60 + - field: user + type: user + score: 60 + threat_objects: + - field: process_name + type: process_name + - field: process_name + type: process_name tags: analytic_story: - Unusual Processes asset_type: Endpoint - confidence: 60 - impact: 100 - message: The process $process_name$ added a suspicious length of registry data on $dest$. 
mitre_attack_id: - T1027 - T1027.011 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - user - - dest - - process_id - - process_name - - process - - process_path - - parent_process_name - - parent_process - - process_guid - - registry_path - - registry_value_name - - registry_value_data - - registry_key_name - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml index fa52bee969..f5a089e6d2 100644 --- a/detections/endpoint/windows_registry_sip_provider_modification.yml +++ b/detections/endpoint/windows_registry_sip_provider_modification.yml 
@@ -1,16 +1,35 @@ name: Windows Registry SIP Provider Modification id: 3b4e18cb-497f-4073-85ad-1ada7c2107ab -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic detects modifications to the Windows Registry SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Review the modified registry paths and concurrent processes to identify the attack source. -search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") Registry.registry_value_name IN ("Dll","$DLL") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. 
In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. +description: The following analytic detects modifications to the Windows Registry + SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths + and values related to Cryptography Providers and OID Encoding Types. This activity + is significant as it may indicate an attempt to subvert trust controls, a common + tactic for bypassing security measures and maintaining persistence. If confirmed + malicious, an attacker could manipulate the system's cryptographic functions, potentially + leading to unauthorized access, data theft, or other damaging outcomes. Review the + modified registry paths and concurrent processes to identify the attack source. +search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) + as registry_key_name values(Registry.registry_path) as registry_path min(_time) + as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path + IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", + "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") + Registry.registry_value_name IN ("Dll","$DLL") by Registry.dest , Registry.user + Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the 
`Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Be aware of potential false positives - legitimate applications + may cause benign activities to be flagged. references: - https://attack.mitre.org/techniques/T1553/003/ - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml 
@@ -24,38 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows Registry SIP Provider Modification detected on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Subvert Trust Controls SIP and Trust Provider Hijacking asset_type: Endpoint atomic_guid: [] - confidence: 80 - impact: 80 - message: Windows Registry SIP Provider Modification detected on $dest$. 
mitre_attack_id: - T1553.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - Registry.dest - - Registry.user - - Registry.registry_value_name - - Registry.registry_value_data security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml index 62222f7411..64e9e406e3 100644 --- a/detections/endpoint/windows_regsvr32_renamed_binary.yml +++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml @@ -1,7 +1,7 @@ name: Windows Regsvr32 Renamed Binary id: 7349a9e9-3cf6-4171-bb0c-75607a8dcd1a -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -48,45 +48,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: regsvr32 was renamed as $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Qakbot - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: regsvr32 was renamed as $process_name$ in $dest$ mitre_attack_id: - T1218.010 - T1218 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml index a0a2556455..4c4fa2c437 100644 --- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml +++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml 
@@ -1,16 +1,34 @@ name: Windows Remote Access Software BRC4 Loaded Dll id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system. +description: The following analytic identifies the loading of four specific Windows + DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. + This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags + when all four DLLs are loaded within a short time frame. This activity is significant + as it may indicate the presence of Brute Ratel C4, a sophisticated remote access + tool used for credential dumping and other malicious activities. If confirmed malicious, + this behavior could lead to unauthorized access, credential theft, and further compromise + of the affected system. 
data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`' -how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -known_false_positives: This module can be loaded by a third party application. Filter is needed. 
+search: '`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", + 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", + 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, + "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), + 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) + as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount + by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount + == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`' +how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 + will add the ImageLoaded name to the process_name field, allowing this query to + work. Use as an example and implement for other products. +known_false_positives: This module can be loaded by a third party application. Filter + is needed. references: - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ - https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/ 
@@ -25,43 +43,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $Image$ loaded several modules $ImageLoaded$ that might related + to credential access on $dest$. + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Brute Ratel C4 asset_type: Endpoint - confidence: 30 - impact: 30 - message: a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$. 
mitre_attack_id: - T1219 - T1003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml index a7ae212c36..bc3712b667 100644 --- a/detections/endpoint/windows_remote_access_software_hunt.yml +++ b/detections/endpoint/windows_remote_access_software_hunt.yml 
@@ -1,18 +1,40 @@ name: Windows Remote Access Software Hunt id: 8bd22c9f-05a2-4db1-b131-29271f28cb0a -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the use of remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to compromised systems. If confirmed malicious, this activity could allow attackers to remotely control systems, exfiltrate data, or further infiltrate the network. Review the identified software to ensure it is authorized and take action against any unauthorized utilities. +description: The following analytic identifies the use of remote access software within + the environment. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs. This detection is significant as unauthorized + remote access tools can be used by adversaries to maintain persistent access to + compromised systems. If confirmed malicious, this activity could allow attackers + to remotely control systems, exfiltrate data, or further infiltrate the network. + Review the identified software to ensure it is authorized and take action against + any unauthorized utilities. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Processes.process) as process values(Processes.parent_process) + as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown + Processes.user!=unknown by Processes.dest Processes.user Processes.process_name + Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility + AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be found. Filter as needed and create + higher fidelity analytics based off banned remote access software. references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md 
@@ -23,42 +45,17 @@ tags: - Command And Control - Ransomware asset_type: Endpoint - confidence: 10 - impact: 10 - message: The following Remote Access Software $process_name$ was identified on $dest$. mitre_attack_id: - T1219 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml index df5b6a9ddf..19dec11864 100644 --- a/detections/endpoint/windows_remote_access_software_rms_registry.yml +++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml 
@@ -1,16 +1,31 @@ name: Windows Remote Access Software RMS Registry id: e5b7b5a9-e471-4be8-8c5d-4083983ba329 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing "SYSTEM\\Remote Manipulator System." This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise. +description: The following analytic detects the creation or modification of Windows + registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. + It leverages data from the Endpoint.Registry datamodel, focusing on registry paths + containing "SYSTEM\\Remote Manipulator System." This activity is significant because + RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware + campaigns, to gain unauthorized remote access. If confirmed malicious, this could + allow attackers to remotely control the targeted host, leading to potential data + exfiltration, system manipulation, or further network compromise. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote + Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path + Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. 
references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://malpedia.caad.fkie.fraunhofer.de/details/win.rms 
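Review bot: the reflowed `how_to_implement` in this hunk keeps the grammatical error "ingesting information on process that include the name of the process responsible for the changes"; since the lines are rewritten anyway, make it "ingesting registry events that include the name of the process responsible for the change", and change `known_false_positives` to "Administrators may enable or disable this feature, which may cause some false positives." The folded `search` scalar is fine: the line break inside `"*\\SYSTEM\\Remote Manipulator System*"` folds to a single space under YAML single-quoted rules, so the wildcard path is unchanged.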
@@ -20,41 +35,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry related to RMS tool is created on $dest$ + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 90 - impact: 100 - message: the registry related to RMS tool is created in $dest$ mitre_attack_id: - T1219 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml index 828747b325..e6810e6c34 100644 --- a/detections/endpoint/windows_remote_assistance_spawning_process.yml +++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml @@ -1,7 +1,7 @@ name: Windows Remote Assistance Spawning Process id: ced50492-8849-11ec-9f68-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
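Review bot: the new `rba:` block in the `@@ -20,41 +35,36 @@` hunk sets `threat_objects: []` although the search groups by `Registry.registry_path` and `Registry.registry_value_data`; if the rba schema accepts a registry path threat object, carry `registry_path` so the risk event names the key that was created rather than only the host. The `message` should also be capitalised and read as a sentence, e.g. "The registry key associated with the RMS tool was created on $dest$."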
@@ -51,52 +51,34 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$, generating behavior not common with msra.exe. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Unusual Processes - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$, generating behavior not common with msra.exe. mitre_attack_id: - T1055 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index 0ee559be20..c963d8e1d7 100644 
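Review bot: the `rba:` block added in the `@@ -51,52 +51,34 @@` hunk keeps score 80 (impact 80 at confidence 100) and correctly promotes `parent_process_name` and `process_name` to threat objects; while this file is touched, check the context line `mitre_attack_id: - T1055`, since what the threat objects describe is an msra.exe parent/child spawning relationship rather than injection into another process, and the mapping drives the ATT&CK annotations surfaced by the risk drilldown.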
--- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -1,7 +1,7 @@ name: Windows Remote Create Service id: 0dc44d03-8c00-482d-ba7c-796ba7ab18c9 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly 
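Review bot: the version in this header hunk jumps from 4 to 6, skipping 5, and the date moves to '2024-11-13' while other files in the same patch (`windows_remote_assistance_spawning_process.yml`, `windows_remote_service_rdpwinst_tool_execution.yml`) are dated '2024-12-10'; if the skipped number is a merge artefact, set `version: 5`, otherwise record what the intermediate bump was, and align the date with the rest of the submission.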
@@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the creation of a new service on a remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new service creation. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this could allow the attacker to establish persistence, escalate privileges, or execute arbitrary code on the remote system, potentially leading to further compromise of the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN ("*create*") Processes.process="*\\\\*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities. +description: The following analytic identifies the creation of a new service on a + remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response + (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new + service creation. This activity is significant as it may indicate lateral movement + or remote code execution attempts by an attacker. If confirmed malicious, this could + allow the attacker to establish persistence, escalate privileges, or execute arbitrary + code on the remote system, potentially leading to further compromise of the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe + Processes.process IN ("*create*") Processes.process="*\\\\*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Note that false positives may occur, and filtering may be necessary, + especially when it comes to remote service creation by administrators or software + management utilities. references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: 
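Review bot: the reflowed `description` in this hunk still says the analytic is "specifically monitoring for EventCode 7045, which indicates a new service creation", but `data_source` lists Sysmon EventID 1, Security 4688 and CrowdStrike ProcessRollup2, and the search runs against `Endpoint.Processes` for `sc.exe` with `create` and a `\\` UNC-style argument; rewrite the sentence to describe process-creation telemetry, e.g. "It leverages process execution data from EDR agents, looking for sc.exe invoked with create and a remote host path." Leaving 7045 in the text will mislead implementers into expecting System log service-install events.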
@@ -21,61 +42,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to create a remote service. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Lateral Movement - CISA AA23-347A - BlackSuit Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service. 
mitre_attack_id: - T1543 - T1543.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml new file mode 100644 index 0000000000..822b375a99 --- /dev/null +++ b/detections/endpoint/windows_remote_management_execute_shell.yml 
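Review bot: the `rba:` block in the `@@ -21,61 +42,47 @@` hunk lists `parent_process_name` and `process_name` as threat objects but not the command line, even though the match condition is `Processes.process="*\\\\*"` and the `by` clause carries `Processes.process`; if the schema allows a `process` threat object, add `- field: process` / `type: process` so the risk event records the remote target in the `sc.exe \\host create ...` invocation. Scores of 25 for both `user` and `dest` preserve the previous `risk_score: 25` (confidence 50, impact 50).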
@@ -0,0 +1,55 @@ +name: Windows Remote Management Execute Shell +id: 28b80028-851d-4b8d-88a5-375ba115418a +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Anomaly +status: production +description: The following analytic detects the execution of winrshost.exe initiating CMD or PowerShell processes as part of a potential payload execution. winrshost.exe is associated with Windows Remote Management (WinRM) and is typically used for remote execution. By monitoring for this behavior, the detection identifies instances where winrshost.exe is leveraged to run potentially malicious commands or payloads via CMD or PowerShell. This behavior may indicate exploitation of remote management tools for unauthorized access or lateral movement within a compromised environment, signaling a potential security incident. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.parent_process_name="winrshost.exe" AND Processes.process_name IN ("cmd.exe","*powershell*") + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_remote_management_execute_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: administrator or power user can execute command shell or script remotely using WINRM. +references: +- https://strontic.github.io/xcyclopedia/library/winrshost.exe-6790044CEB4BA5BE6AA8161460D990FD.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: a winrm remote proces [$parent_process_name$] execute [$process_name$] shell on [$dest$]. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + mitre_attack_id: + - T1021.006 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wirm_execute_shell/winrshost_pwh.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
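Review bot: the new `windows_remote_management_execute_shell.yml` sets `threat_objects: []` although the search filters on `Processes.parent_process_name="winrshost.exe"` and groups by `Processes.process_name` and `Processes.process`; mirror the msra detection in this same patch and add `parent_process_name` and `process_name` threat objects. Also fix the `rba.message` typo and grammar ("a winrm remote proces [$parent_process_name$] execute [$process_name$] shell" → "WinRM process $parent_process_name$ executed shell $process_name$ on $dest$."), add `count` to the `tstats` aggregation for consistency with the other detections, and verify the attack_data path segment `wirm_execute_shell` against the dataset repository, since the detection name uses `winrm`.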
diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml index cb0594307d..73d240c71e 100644 --- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml +++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml @@ -1,7 +1,7 @@ name: Windows Remote Service Rdpwinst Tool Execution id: c8127f87-c7c9-4036-89ed-8fe4b30e678c -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -51,45 +51,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Rdpwinst.exe executed on $dest$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - Azorult - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: Rdpwinst.exe executed on $dest$. mitre_attack_id: - T1021.001 - T1021 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
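Review bot: the `@@ -51,45 +51,30 @@` hunk for the Rdpwinst detection keeps score 81 (90 × 90 / 100) but declares `threat_objects: []`; the removed `required_fields` show `Processes.process_name` and `Processes.process` are available, and naming the executed tool as a `process_name` threat object makes the risk event searchable by binary rather than by host alone. The context lines also tag both `T1021.001` and its parent `T1021`; if the parent is kept only for rollup, confirm that is intended.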
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml index 5d1a95ee08..01e73f560f 100644 --- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml +++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml 
@@ -1,18 +1,42 @@ name: Windows Remote Services Allow Rdp In Firewall id: 9170cb54-ea15-41e1-9dfc-9f3363ce9b02 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "netsh.exe" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise. +description: The following analytic detects modifications to the Windows firewall + to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + involving "netsh.exe" to allow TCP port 3389. This activity is significant as it + may indicate an adversary attempting to gain remote access to a compromised host, + a common tactic for lateral movement. If confirmed malicious, this could allow attackers + to remotely control the system, leading to potential data exfiltration or further + network compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline + values(Processes.parent_process_name) as parent_process values(Processes.process_name) + count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") + AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process + = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process + = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: 
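Review bot: in the reflowed `search` of this hunk, `values(Processes.process) as cmdline`, `values(Processes.parent_process_name) as parent_process` and the unaliased `values(Processes.process_name)` are redundant with the `by` clause, which already groups on `Processes.process` and `Processes.process_name`; the unaliased aggregate also yields a field literally named `values(Processes.process_name)` that `drop_dm_object_name(Processes)` does not rename cleanly. Drop the three `values()` terms or alias the last one. Since `known_false_positives` is being rewrapped, also fix it to "Administrators may enable or disable this feature, which may cause some false positives."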
@@ -21,44 +45,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: new firewall rules was added to allow rdp connection to $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 70 - impact: 70 - message: new firewall rules was added to allow rdp connection to $dest$ mitre_attack_id: - T1021.001 - T1021 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - - Processes.dest - - Processes.user - risk_score: 49 security_domain: 
endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml index 51a884c1da..3bbd6e681b 100644 --- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml +++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml 
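Review bot: the `rba.message` in the `@@ -21,44 +45,37 @@` hunk reads "new firewall rules was added to allow rdp connection to $dest$"; make it "A new firewall rule was added to allow RDP connections to $dest$." The block also has `threat_objects: []` even though the search keys on the `netsh.exe` command line (`Processes.process`) and groups by `Processes.process_name`; carrying `process_name` (and `process`, if the schema allows it) as threat objects lets the risk event show the rule that was added. Score 49 preserves the prior 70 × 70 / 100.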
@@ -1,16 +1,32 @@ name: Windows Remote Services Allow Remote Assistance id: 9bce3a97-bc97-4e89-a1aa-ead151c82fbb -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "Control\\Terminal Server\\fAllowToGetHelp" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise. +description: The following analytic detects modifications in the Windows registry + to enable remote desktop assistance on a targeted machine. It leverages data from + the Endpoint.Registry datamodel, specifically monitoring changes to the "Control\\Terminal + Server\\fAllowToGetHelp" registry path. This activity is significant because enabling + remote assistance via registry is uncommon and often associated with adversaries + or malware like Azorult. If confirmed malicious, this could allow an attacker to + remotely access and control the compromised host, leading to potential data exfiltration + or further system compromise. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal + Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. 
+known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ 
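Review bot: the reflowed `how_to_implement` text in this hunk still reads "ingesting information on process that include the name of the process responsible for the changes"; since the line is being rewritten anyway, fix the grammar ("ingesting registry change events that include the name of the process responsible for the change") and turn `known_false_positives` into a sentence ("Administrators may enable or disable this feature, which can cause false positives."). The same two sentences recur in the windows_remote_services_rdp_enable.yml hunk below and should be fixed in both places.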
@@ -20,42 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for rdp protocol was modified to enable on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for rdp protocol was modified to enable in $dest$ mitre_attack_id: - T1021.001 - T1021 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml index 15663f8817..535ef3ca71 100644 --- a/detections/endpoint/windows_remote_services_rdp_enable.yml +++ b/detections/endpoint/windows_remote_services_rdp_enable.yml 
@@ -1,16 +1,32 @@ name: Windows Remote Services Rdp Enable id: 8fbd2e88-4ea5-40b9-9217-fd0855e08cc0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "fDenyTSConnections" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network. +description: The following analytic detects modifications in the Windows registry + to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data + from the Endpoint.Registry datamodel, specifically monitoring changes to the "fDenyTSConnections" + registry value. This activity is significant as enabling RDP via registry is uncommon + and often associated with adversaries or malware attempting to gain remote access. + If confirmed malicious, this could allow attackers to remotely control the compromised + host, potentially leading to further exploitation and lateral movement within the + network. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: administrators may enable or disable this feature that may cause some false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal + Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. 
+known_false_positives: administrators may enable or disable this feature that may + cause some false positive. references: - https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100 drilldown_searches: 
@@ -19,43 +35,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: the registry for rdp protocol was modified to enable on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult - BlackSuit Ransomware asset_type: Endpoint - confidence: 70 - impact: 70 - message: the registry for rdp protocol was modified to enable in $dest$ mitre_attack_id: - T1021.001 - T1021 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Registry.action - risk_score: 49 security_domain: endpoint tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index 4f615a959e..7817d86c25 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml 
@@ -1,16 +1,36 @@ name: Windows Replication Through Removable Media id: 60df805d-4605-41c8-bbba-57baa6a4eb97 -version: 3 -date: '2024-09-30' +version: 7 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems. +description: The following analytic detects the creation or dropping of executable + or script files in the root directory of a removable drive. It leverages data from + the Endpoint.Filesystem datamodel, focusing on specific file types and their creation + paths. This activity is significant as it may indicate an attempt to spread malware, + such as ransomware, via removable media. If confirmed malicious, this behavior could + lead to unauthorized code execution, lateral movement, or persistence within the + network, potentially compromising sensitive data and systems. 
data_source: - Sysmon EventID 11 -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "%:") AND dropped_file_path_split_count = 2 AND root_drive!= "C:" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in the paths specified. Filter as needed. 
+search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe + OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name + = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name + = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name + = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name + Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` + | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count + = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | + where LIKE(root_drive, "%:") AND dropped_file_path_split_count = 2 AND root_drive!= + "C:" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_replication_through_removable_media_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in the paths + specified. Filter as needed. references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia 
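Review bot: the version field jumps from 3 to 7 in this hunk while the neighbouring detections move from 3 to 4; confirm the intermediate bumps are intended (the analytic_story additions further down justify one bump) rather than a merge artifact. Two smaller points while the block is being reflowed: `root_drive!= "C:"` inside a `where` clause is a case-sensitive comparison, so a lower-case `c:` drive letter in `file_path` would slip past the filter, and `upper(root_drive)!="C:"` closes that gap; and "the name of the Filesystem responsible for the changes" in `how_to_implement` should read "the name of the process responsible for the file change".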
@@ -20,41 +40,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: executable or script $file_path$ was dropped in root drive $root_drive$ + on $dest$ + risk_objects: + - field: user + type: user + score: 64 + threat_objects: + - field: file_name + type: file_name tags: analytic_story: + - PlugX - Chaos Ransomware + - Derusbi + - Nexus APT Threat Activity + - Earth Estries - NjRAT - - PlugX asset_type: Endpoint - confidence: 80 - impact: 80 - message: executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$ mitre_attack_id: - T1091 - observable: - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_path - - 
Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.user - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test @@ -62,4 +80,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml index 49652cb84d..f006024e2d 100644 --- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml +++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml 
@@ -1,15 +1,27 @@ name: Windows Root Domain linked policies Discovery id: 80ffaede-1f12-49d5-a86e-b4b599b68b3c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell to query Active Directory for root domain linked policies. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify this activity. This + behavior is significant as it may indicate an attempt by adversaries or Red Teams + to gain situational awareness and perform Active Directory Discovery. If confirmed + malicious, this activity could allow attackers to map out domain policies, potentially + aiding in further exploitation or lateral movement within the network. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText + = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer + as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_root_domain_linked_policies_discovery_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ 
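Review bot: `how_to_implement` in this hunk calls this "the following Hunting analytic" while the same hunk keeps `type: Anomaly` a few lines above; the two disagree, and since the detection now carries an rba score the text is the one that should change ("The following analytic requires PowerShell operational logs to be imported.").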
@@ -20,41 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint + $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Destruction - Active Directory Discovery - Industroyer2 asset_type: Endpoint - confidence: 50 - impact: 50 - message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$ mitre_attack_id: - T1087.002 - T1087 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - ScriptBlockText - - Computer - - user_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml index adcaa44b75..711d2c152e 100644 --- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml +++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml @@ -1,7 +1,7 @@ name: Windows Rundll32 Apply User Settings Changes id: b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,9 +9,30 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of a suspicious rundll32 command line that updates user-specific system parameters, such as desktop backgrounds, display settings, and visual themes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "user32.dll,UpdatePerUserSystemParameters." This activity is significant as it is uncommon for legitimate purposes and has been observed in Rhysida Ransomware for defense evasion. If confirmed malicious, this could allow an attacker to disguise activities or make unauthorized system changes, potentially leading to persistent unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= "*user32.dll,UpdatePerUserSystemParameters*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +description: The following analytic detects the execution of a suspicious rundll32 + command line that updates user-specific system parameters, such as desktop backgrounds, + display settings, and visual themes. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving "user32.dll,UpdatePerUserSystemParameters." + This activity is significant as it is uncommon for legitimate purposes and has been + observed in Rhysida Ransomware for defense evasion. If confirmed malicious, this + could allow an attacker to disguise activities or make unauthorized system changes, + potentially leading to persistent unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe + Processes.process= "*user32.dll,UpdatePerUserSystemParameters*" by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.parent_process_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_rundll32_apply_user_settings_changes_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a 
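Review bot: `known_false_positives: unknown` in this hunk contradicts the reflowed description directly above it, which states that `user32.dll,UpdatePerUserSystemParameters` updates desktop backgrounds, display settings and themes; administrative scripts that apply a wallpaper or theme change invoke exactly this export, so document that source of benign hits and point tuners at `parent_process_name` (already in the search's `by` clause) for filtering.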
@@ -21,47 +42,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process $process_name$ with cmdline $process$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Rhysida Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: Process $process_name$ with cmdline $process$ in host $dest$ mitre_attack_id: - T1218 - T1218.011 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name 
- - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/update_per_user_system/rundll32_updateperusersystem.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/update_per_user_system/rundll32_updateperusersystem.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml index 0afab5a91f..68ccb04ab4 100644 --- a/detections/endpoint/windows_rundll32_webdav_request.yml +++ b/detections/endpoint/windows_rundll32_webdav_request.yml @@ -1,7 +1,7 @@ name: Windows Rundll32 WebDAV Request id: 320099b7-7eb1-4153-a2b4-decb53267de2 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: production 
@@ -9,10 +9,30 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*","*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present based on legitimate software, filtering may need to occur. +description: The following analytic identifies the execution of rundll32.exe with + command-line arguments loading davclnt.dll and the davsetcookie function to access + a remote WebDAV instance. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, + a known vulnerability. If confirmed malicious, this could allow an attacker to execute + remote code or exfiltrate data, posing a severe threat to the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe + Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*","*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present based on legitimate software, + filtering may need to occur. references: - https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html - https://twitter.com/ACEResponder/status/1636116096506818562?s=20 
@@ -25,59 +45,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. + risk_objects: + - field: user + type: user + score: 48 + - field: dest + type: system + score: 48 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - CVE-2023-23397 Outlook Elevation of Privilege asset_type: Endpoint cve: - CVE-2023-23397 - confidence: 60 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. 
mitre_attack_id: - T1048.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml index c59dcab6a2..8ef7992823 100644 --- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml +++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml 
@@ -1,74 +1,79 @@ name: Windows Rundll32 WebDav With Network Connection id: f03355e0-28b5-4e9b-815a-6adffc63b38c -version: 4 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: experimental data_source: [] -description: The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`' -how_to_implement: The detection is based on data that 
originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present based on legitimate software, filtering may need to occur. +description: The following analytic detects the execution of rundll32.exe with command-line + arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav + instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating + process execution and network traffic data. This activity is significant as it may + indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, + this could allow an attacker to establish unauthorized remote connections, potentially + leading to data exfiltration or further network compromise. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe + `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", + "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id + Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name + Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename dest as src | join host process_id + [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest + latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port + FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip + IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id + | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present based on legitimate software, + filtering may need to occur. 
references: - https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html - https://twitter.com/ACEResponder/status/1636116096506818562?s=20 - https://twitter.com/domchell/status/1635999068282408962?s=20 - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. + risk_objects: + - field: user + type: user + score: 48 + - field: dest + type: system + score: 48 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - CVE-2023-23397 Outlook Elevation of Privilege asset_type: Endpoint cve: - CVE-2023-23397 - confidence: 60 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. 
mitre_attack_id: - T1048.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - All_Traffic.dest_port - - All_Traffic.dest_ip - - All_Traffic.dest - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml index 1edfd9e447..f673019307 100644 --- a/detections/endpoint/windows_runmru_command_execution.yml +++ b/detections/endpoint/windows_runmru_command_execution.yml 
@@ -1,17 +1,41 @@ name: Windows RunMRU Command Execution id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a -version: 1 -date: '2024-11-08' +version: 2 +date: '2025-01-21' author: Nasreddine Bencherchali, Michael Haag, Splunk -data_sources: +data_source: - Sysmon Event ID 11 - Sysmon Event ID 13 type: Anomaly status: production -description: The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. The detection excludes MRUList value changes to focus on actual command entries. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" NOT Registry.registry_key_name="*\\MRUList" by Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_command_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Registry` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This detection may generate a few false positives, such as legitimate software updates or legitimate system maintenance activities that modify the RunMRU key. However, the exclusion of MRUList value changes helps reduce the number of false positives by focusing only on actual command entries. Add any specific false positives to the built in filter to reduce notables as needed. +description: The following analytic detects modifications to the Windows RunMRU registry + key, which stores a history of commands executed through the Run dialog box (Windows+R). + It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry + events targeting this key. This activity is significant as malware often uses the + Run dialog to execute malicious commands while attempting to appear legitimate. + If confirmed malicious, this could indicate an attacker using indirect command execution + techniques for defense evasion or persistence. The detection excludes MRUList value + changes to focus on actual command entries. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" + NOT Registry.registry_key_name="*\\MRUList" by Registry.dest Registry.registry_value_data + Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name + Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_runmru_command_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Registry` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This detection may generate a few false positives, such as + legitimate software updates or legitimate system maintenance activities that modify + the RunMRU key. However, the exclusion of MRUList value changes helps reduce the + number of false positives by focusing only on actual command entries. Add any specific + false positives to the built in filter to reduce findings as needed. references: - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 
@@ -23,50 +47,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $registry_value_data$ was identified on endpoint $dest$ + by user $user$ attempting to execute a command through the Run dialog box. + risk_objects: + - field: dest + type: system + score: 48 + - field: user + type: user + score: 48 + threat_objects: + - field: registry_value_data + type: registry_value_text tags: analytic_story: - Lumma Stealer asset_type: Endpoint - confidence: 60 - impact: 80 - message: An instance of $registry_value_data$ was identified on endpoint $dest$ by user $user$ attempting to execute a command through the Run dialog box. 
mitre_attack_id: - T1202 - observable: - - name: registry_value_data - type: Registry Value - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_data - - Registry.action - - Registry.process_guid - - Registry.process_id - - Registry.registry_key_name - - Registry.user - risk_score: 80 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index abf3fca2f4..b29963f952 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task Created Via XML id: 7e03b682-3965-4598-8e91-a60a40a3f7e4 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the creation of scheduled tasks in Windows using schtasks.exe with the -create flag and an XML parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it is a common technique for establishing persistence or achieving privilege escalation, often used by malware like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers to maintain access, execute additional payloads, and potentially lead to data theft or ransomware deployment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process="* /xml *" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. +description: The following analytic detects the creation of scheduled tasks in Windows + using schtasks.exe with the -create flag and an XML parameter. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it is a common technique + for establishing persistence or achieving privilege escalation, often used by malware + like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers + to maintain access, execute additional payloads, and potentially lead to data theft + or ransomware deployment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe + Processes.process=*create* Processes.process="* /xml *" by Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_guid + Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible scripts or administrators may trigger this analytic. + Filter as needed based on parent process, application. references: - https://twitter.com/_CERT_UA/status/1620781684257091584 - https://cert.gov.ua/article/3761104 
@@ -22,9 +43,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A scheduled task process, $process_name$, with 'create' or 'delete' commands + present in the command line. + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Winter Vivern 
@@ -32,44 +69,18 @@ tags: - Scheduled Tasks - MoonPeak asset_type: Endpoint - confidence: 70 - dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log - impact: 70 - message: A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line. mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - Processes.process - - Processes.dest - - Processes.user - - Processes.process_id - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml index 716ebb75bf..21d9851f03 100644 --- a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml +++ b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml 
@@ -1,16 +1,32 @@ name: Windows Scheduled Task DLL Module Loaded id: bc5b2304-f241-419b-874a-e927f667b7b6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 type: TTP status: production -description: The following analytic detects instances where the taskschd.dll is loaded by processes running in suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially malicious activity and investigate further to prevent unauthorized system modifications. -search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") ImageLoaded = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_dll_module_loaded_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Third party Legitimate application may load this task schedule dll module. 
+description: The following analytic detects instances where the taskschd.dll is loaded + by processes running in suspicious or writable directories. This activity is unusual, + as legitimate processes that load taskschd.dll typically reside in protected system + locations. Malware or threat actors may attempt to load this DLL from writable or + non-standard directories to manipulate the Task Scheduler and execute malicious + tasks. By identifying processes that load taskschd.dll in these unsafe locations, + this detection helps security analysts flag potentially malicious activity and investigate + further to prevent unauthorized system modifications. +search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", + "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", + "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") ImageLoaded = "*\\taskschd.dll" + | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image + ,ImageLoaded, , OriginalFileName, ProcessGuid | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_scheduled_task_dll_module_loaded_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Third party Legitimate application may load this task schedule + dll module. references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers 
@@ -20,41 +36,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A taskschd.dll was loaded by a process - [$Image$] on [$dest$] + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - ValleyRAT asset_type: Endpoint - confidence: 80 - impact: 80 - message: A taskschd.dll was loaded by a process - [$Image$] on [$dest$] mitre_attack_id: - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - ImageLoaded - - process_name - - dest - - EventCode - - Signed - - ProcessId - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml index f7017ddebe..39f06a3783 100644 --- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml +++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml 
@@ -1,17 +1,41 @@ name: Windows Scheduled Task Service Spawned Shell id: d8120352-3b62-4e3c-8cb6-7b47584dd5e8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when the Task Scheduler service ("svchost.exe -k netsvcs -p -s Schedule") spawns common command line, scripting, or shell execution binaries such as "powershell.exe" or "cmd.exe". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment. +description: The following analytic detects when the Task Scheduler service ("svchost.exe + -k netsvcs -p -s Schedule") spawns common command line, scripting, or shell execution + binaries such as "powershell.exe" or "cmd.exe". This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process and parent process + relationships. This activity is significant as attackers often abuse the Task Scheduler + for execution and persistence, blending in with legitimate Windows operations. If + confirmed malicious, this could allow attackers to execute arbitrary code, maintain + persistence, or escalate privileges within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*\\system32\\svchost.exe*" AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" Processes.process_name IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*\\system32\\svchost.exe*" + AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND + Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" + Processes.process_name IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", + "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.parent_process_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_scheduled_task_service_spawned_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown, possible custom scripting. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations 
@@ -23,51 +47,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A windows scheduled task spawned the shell application $process_name$ on + $dest$. + risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Persistence Techniques asset_type: Endpoint - confidence: 25 - impact: 80 - message: A windows scheduled task spawned the shell application $process_name$ on $dest$. 
mitre_attack_id: - T1053.005 - T1059 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 3fbb615e1b..2111e93ad4 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -51,6 +51,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A $process_name$ process created a scheduled task $process$ with highest + run level privilege on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - AsyncRAT 
@@ -59,41 +67,18 @@ tags: - Scheduled Tasks - RedLine Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: a $process_name$ creating a schedule task $process$ with highest run level - privilege in $dest$ mitre_attack_id: - T1053 - T1053.005 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml index 181be4f7dd..ab31ff0476 100644 --- a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml +++ b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml 
@@ -1,15 +1,29 @@ name: Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr id: feb43b86-8c38-46cd-865e-20ce8a96c26c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk data_source: - Windows Security 4698 type: TTP status: production -description: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats. -search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*" | stats count min(_time) as firstTime max(_time) as lastTime by dest action EventData_Xml TaskContent TaskName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required. +description: The following analytic detects the creation or modification of Windows + Scheduled Tasks related to CompMgmtLauncher or Eventvwr. 
These legitimate system + utilities, used for launching the Computer Management Console and Event Viewer, + can be abused by attackers to execute malicious payloads under the guise of normal + system processes. By leveraging these tasks, adversaries can establish persistence + or elevate privileges without raising suspicion. This detection helps security analysts + identify unusual or unauthorized scheduled tasks involving these executables, allowing + for timely investigation and remediation of potential threats. +search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" + OR TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" + OR TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*" + | stats count min(_time) as firstTime max(_time) as lastTime by dest action EventData_Xml + TaskContent TaskName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well + as the URL ToolBox application are also required. known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
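Review bot: `how_to_implement` in this hunk states that "The Windows TA as well as the URL ToolBox application are also required", but the search uses only the `wineventlog_security` macro, a plain `stats`, and the `security_content_ctime` macros; nothing from URL Toolbox is invoked. Either drop the URL ToolBox requirement or state which part of the search depends on it, otherwise implementers will install an app the detection does not use.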
@@ -20,38 +34,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A schedule task created for CompMgmtLauncher or Eventvwr on [$dest$]. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - ValleyRAT asset_type: Endpoint - confidence: 80 - impact: 80 - message: A schedule task created for CompMgmtLauncher or Eventvwr on [$dest$]. 
mitre_attack_id: - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - dest - - action - - EventData_Xml - - TaskContent - - TaskName - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index 76e810865f..0803309dab 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml 
@@ -1,18 +1,40 @@ name: Windows Schtasks Create Run As System id: 41a0e58e-884c-11ec-9976-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the creation of a new scheduled task using Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it often indicates an attempt to gain elevated privileges or maintain persistence within the environment. If confirmed malicious, an attacker could execute code with SYSTEM-level privileges, potentially leading to data theft, ransomware deployment, or further system compromise. Immediate investigation and mitigation are crucial to prevent further damage. +description: The following analytic detects the creation of a new scheduled task using + Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions and process + details. This activity is significant as it often indicates an attempt to gain elevated + privileges or maintain persistence within the environment. If confirmed malicious, + an attacker could execute code with SYSTEM-level privileges, potentially leading + to data theft, ransomware deployment, or further system compromise. Immediate investigation + and mitigation are crucial to prevent further damage. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process="*/create *" AND Processes.process="*/ru *" AND Processes.process="*system*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process="*/create + *" AND Processes.process="*/ru *" AND Processes.process="*system*" by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be limited to legitimate applications + creating a task to run as SYSTEM. Filter as needed based on parent process, or modify + the query to have world writeable paths to restrict it. references: - https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/ - https://www.ired.team/offensive-security/persistence/t1053-schtask 
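Review bot: The condition `Processes.process="*system*"` in this hunk's search is an unanchored match over the whole command line, so any `schtasks /create ... /ru <user>` invocation whose `/tr` action path or task name contains "system" (for example anything under `C:\Windows\System32\`) will match even when the run-as account is not SYSTEM; `known_false_positives` hints at this but the query itself does not address it. Consider tying the value to the switch, e.g. matching `*/ru system*` and the quoted `nt authority\system` form, or adding a `| regex process="(?i)/ru\s+\"?(nt authority\\\\)?system"` after `drop_dm_object_name`, so the `/ru` value rather than the rest of the command line drives the alert.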
@@ -23,52 +45,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An $process_name$ was created on endpoint $dest$ attempting to spawn as + SYSTEM. + risk_objects: + - field: dest + type: system + score: 48 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Persistence Techniques - Qakbot - Scheduled Tasks asset_type: Endpoint - confidence: 60 - impact: 80 - message: An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM. 
mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml index e2d17aab1a..ed40b78862 100644 --- a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml +++ b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml 
@@ -1,18 +1,38 @@ name: Windows ScManager Security Descriptor Tampering Via Sc.EXE id: 04023928-0381-4935-82cb-03372b2ef644 -version: 1 -date: '2024-12-05' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects changes in the ScManager service security descriptor settings. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting the "scmanager" service. If confirmed malicious, this could allow an attacker to escalate their privileges. +description: The following analytic detects changes in the ScManager service security + descriptor settings. It leverages data from Endpoint Detection and Response (EDR) + agents, specifically searching for any process execution involving the "sc.exe" + binary with the "sdset" flag targeting the "scmanager" service. If confirmed malicious, + this could allow an attacker to escalate their privileges. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" Processes.process="*scmanager*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scmanager_security_descriptor_tampering_via_sc_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: None identified. Attempts to modify or tamper with the security descriptor settings of the scmanager service should be immediately investigated and understood. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset + *" Processes.process="*scmanager*" by Processes.dest Processes.user Processes.parent_process + Processes.parent_process_name Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scmanager_security_descriptor_tampering_via_sc_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process name, and process original file name. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: None identified. Attempts to modify or tamper with the security + descriptor settings of the scmanager service should be immediately investigated + and understood. references: - https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1569.002/T1569.002.md#atomic-test-7---modifying-acl-of-service-control-manager-via-sdet - https://0xv1n.github.io/posts/scmanager/ 
@@ -23,53 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1569.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index cbdf0d19b7..c6f4d7a89c 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml 
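Review bot: In the `@@ -23,53 +43,41 @@` hunk of windows_scmanager_security_descriptor_tampering_via_sc_exe.yml, the new `rba.message` ("... was identified attempting to disable security services on endpoint $dest$ by user $user$.") does not describe what this analytic detects; the description and search are about `sc.exe sdset` modifying the security descriptor of the `scmanager` service, not disabling services, so the risk message shown to analysts will be misleading. Suggest wording it along the lines of "An instance of $parent_process_name$ spawning $process_name$ was identified modifying the scmanager security descriptor on endpoint $dest$ by user $user$." and wrapping the line like the other `rba.message` entries in this patch.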
@@ -1,19 +1,25 @@ name: Windows Screen Capture in TEMP folder id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c -version: 1 -date: '2024-09-24' +version: 2 +date: '2024-11-13' author: Teoderick Contreras, Splunk -data_sources: +data_source: - Sysmon Event ID 11 type: TTP status: production -description: The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("screenshot.png", "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" - by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the creation of screen capture files by + the Braodo stealer malware. This stealer is known to capture screenshots of the + victim's desktop as part of its data theft activities. The detection focuses on + identifying unusual screen capture activity, especially when images are saved in + directories often used by malware, such as temporary or hidden folders. Monitoring + for these files helps to quickly identify malicious screen capture attempts, allowing + security teams to respond and mitigate potential information exposure before sensitive + data is compromised. 
+search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("screenshot.png", + "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" by _time + Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_in_temp_folder_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from 
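Review bot: the `how_to_implement` text in this hunk describes process telemetry ("information on process that include the name of the process responsible for the changes"), but the search runs against `datamodel=Endpoint.Filesystem` and the declared `data_source` is Sysmon Event ID 11 (file creation); reword it to say that file-creation events must be mapped to the `Filesystem` node of the `Endpoint` data model. Separately, the description promises coverage of "temporary or hidden folders" while the only path condition is `Filesystem.file_path = "*\\temp\\*"`; either narrow the description or extend the path list. Appending `windows_screen_capture_in_temp_folder_filter` is the right fix, since the previous search was the only one in this diff without a filter macro and operators had no tuning point.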
@@ -30,39 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A screen capture named as $file_name$ was created on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: + - Crypto Stealer - Braodo Stealer asset_type: Endpoint - confidence: 80 - impact: 80 - message: A screen capture named as $file_name$ was created on $dest$. 
mitre_attack_id: - T1113 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.dest - - Filesystem.file_create_time - - Filesystem.file_name - - Filesystem.user - - Filesystem.file_path - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index 73e0e709a8..b42642a01b 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml 
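Review bot: `rba.message` reads "A screen capture named as $file_name$ was created on $dest$"; drop "as" ("named $file_name$"). `threat_objects: []` discards the one pivot this search produces, `file_name`, which is already in the `by` clause; consider listing it as a threat object (type `file_name`) if the RBA schema allows it. Also check that the newly added `Crypto Stealer` entry in `analytic_story` resolves to an existing story, since detections are validated against the stories they reference.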
@@ -1,15 +1,27 @@ name: Windows Screen Capture Via Powershell id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation. -search: '`powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" AND ScriptBlockText = "*New-Object Drawing.Bitmap*" AND ScriptBlockText = "*.CopyFromScreen*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +description: The following analytic detects the execution of a PowerShell script designed + to capture screen images on a host. It leverages PowerShell Script Block Logging + to identify specific script block text patterns associated with screen capture activities. + This behavior is significant as it may indicate an attempt to exfiltrate sensitive + information by capturing desktop screenshots. 
If confirmed malicious, this activity + could allow an attacker to gather visual data from the compromised system, potentially + leading to data breaches or further exploitation. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" + AND ScriptBlockText = "*New-Object Drawing.Bitmap*" AND ScriptBlockText = "*.CopyFromScreen*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_screen_capture_via_powershell_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: unknown references: - https://twitter.com/_CERT_UA/status/1620781684257091584 
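Review bot: the `how_to_implement` link anchor `#Configure_module_logging_for_PowerShell` points at module logging, while the search keys on `EventCode=4104`, which is produced by Script Block Logging; either point the link at the script block logging section or state explicitly that Script Block Logging (not module logging) is the prerequisite. `known_false_positives: unknown` is carried over unchanged; any script combining `FromImage`, `New-Object Drawing.Bitmap` and `CopyFromScreen` matches regardless of intent, so a sentence on expected benign sources and on tuning through `windows_screen_capture_via_powershell_filter` would help operators.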
@@ -20,44 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A PowerShell script was identified possibly performing screen captures + on $Computer$. + risk_objects: + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Winter Vivern asset_type: Endpoint - confidence: 70 - context: - - Source:Endpoint - - Stage:Collection - dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log - impact: 70 - message: A PowerShell script was identified possibly performing screen captures on $Computer$. 
mitre_attack_id: - T1113 - observable: - - name: Computer - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Computer - - UserID - - EventCode - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml index 648d924b5f..cba26b4c94 100644 --- a/detections/endpoint/windows_security_account_manager_stopped.yml +++ b/detections/endpoint/windows_security_account_manager_stopped.yml @@ -1,7 +1,7 @@ name: Windows Security Account Manager Stopped id: 69c12d59-d951-431e-ab77-ec426b8d65e6 -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Rod Soto, Jose Hernandez, Splunk status: production type: TTP 
@@ -49,41 +49,33 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'The Windows Security Account Manager (SAM) was stopped via cli by $user$ + on $dest$ by this command: $process$' + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: [] tags: analytic_story: - Compromised Windows Host - Ryuk Ransomware asset_type: Endpoint - confidence: 100 - impact: 70 - message: 'The Windows Security Account Manager (SAM) was stopped via cli by $user$ - on $dest$ by this command: $process$' mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.user - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index 07039e1111..1ec47ad04d 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml 
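Review bot: `threat_objects: []` while `rba.message` embeds `$process$` and the removed `required_fields` show `Processes.process_name` is available in the search; add `process_name` as a threat object the way the SDDL tampering hunk earlier in this diff does, so ES can pivot on the binary that stopped the service rather than only on the victim host and user.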
@@ -1,17 +1,40 @@ name: Windows Security Support Provider Reg Query id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies command-line activity querying the registry for Security Support Providers (SSPs) related to Local Security Authority (LSA) protection and configuration. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes accessing specific LSA registry paths. Monitoring this activity is crucial as adversaries and post-exploitation tools like winpeas may use it to gather information on LSA protections, potentially leading to credential theft. If confirmed malicious, attackers could exploit this to scrape password hashes or plaintext passwords from memory, significantly compromising system security. +description: The following analytic identifies command-line activity querying the + registry for Security Support Providers (SSPs) related to Local Security Authority + (LSA) protection and configuration. This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on processes accessing specific LSA registry + paths. Monitoring this activity is crucial as adversaries and post-exploitation + tools like winpeas may use it to gather information on LSA protections, potentially + leading to credential theft. If confirmed malicious, attackers could exploit this + to scrape password hashes or plaintext passwords from memory, significantly compromising + system security. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SYSTEM\\CurrentControlSet\\Control\\LSA*" Processes.process IN ("*RunAsPPL*" , "*LsaCfgFlags*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process + = "* query *" AND Processes.process = "*\\SYSTEM\\CurrentControlSet\\Control\\LSA*" + Processes.process IN ("*RunAsPPL*" , "*LsaCfgFlags*") by Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.process_guid + Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ 
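Review bot: `known_false_positives: unknown` is kept for an Anomaly that fires on any `reg query` of `HKLM\SYSTEM\CurrentControlSet\Control\LSA` for `RunAsPPL` or `LsaCfgFlags`; reading LSA protection state is also what hardening audits and compliance scripts do, so name those as expected sources and point to `windows_security_support_provider_reg_query_filter` as the place to exclude them. The re-wrap of the search is behaviour-preserving (single-quoted YAML folds the line breaks to single spaces), though the break between `Processes.process` and `= "* query *"` is worth moving to a pipe boundary so the SPL stays readable in the file.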
@@ -23,51 +46,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process with reg query command line $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 30 - impact: 30 - message: process with reg query command line $process$ in $dest$ mitre_attack_id: - T1547.005 - T1547 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - 
Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml similarity index 62% rename from detections/endpoint/elevated_group_discovery_with_net.yml rename to detections/endpoint/windows_sensitive_group_discovery_with_net.yml index 8b4862a20d..6a7c924fe9 100644 --- a/detections/endpoint/elevated_group_discovery_with_net.yml +++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml 
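Review bot: `rba.message` corrects "in $dest$" to "on $dest$" but remains lowercase and terse ("process with reg query command line $process$ on $dest$"); match the style of the other messages in this diff, for example "A reg query of LSA protection settings ($process$) was executed on $dest$." `threat_objects: []` also leaves `process_name` unused even though it is in the `by` clause.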
@@ -1,16 +1,16 @@ -name: Elevated Group Discovery With Net -id: a23a0e20-0b1b-4a07-82e5-ec5f70811e7a -version: 4 -date: '2024-11-26' +name: Windows Sensitive Group Discovery With Net +id: d9eb7cda-5622-4722-bc88-7f2442f4b5af +version: 1 +date: '2025-01-13' author: Mauricio Velazco, Splunk status: production -type: TTP -description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query elevated domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data. +type: Anomaly +description: The following analytic detects the execution of `net.exe` with command-line arguments used to query elevated domain or sensitive groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*group*" AND Processes.process="*/do*") (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` Processes.process="*group*" Processes.process IN ("*Domain Admins*", "*Enterprise Admins*", "*Schema Admins*", "*Account Operators*", "*Server Operators*", "*Protected Users*", "*Dns Admins*", "*Domain Computers*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_group_discovery_with_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: @@ -18,6 +18,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory - https://adsecurity.org/?p=3658 - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF +- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' 
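Review bot: dropping the `Processes.process="*/do*"` condition and adding `"*Domain Computers*"` widens this from domain-group enumeration to any `net group` or `net localgroup` call naming one of these groups, and `Domain Computers` is not an elevated group; the rename to "Sensitive Group" and the switch to `type: Anomaly` reflect that, but the description still says "elevated domain or sensitive groups" and should state that queries without `/domain` now match too. Because the `id` is a new GUID and the filter macro is renamed to `windows_sensitive_group_discovery_with_net_filter`, deployed instances will treat this as a brand-new detection: tuning in `elevated_group_discovery_with_net_filter` and suppressions keyed to `a23a0e20-0b1b-4a07-82e5-ec5f70811e7a` no longer apply, so the old id should get a deprecation entry rather than silently disappearing. The description also narrows from "`net.exe` or `net1.exe`" to `net.exe`; if the `process_net` macro still matches `net1.exe`, keep both in the text.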
@@ -27,41 +28,28 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Elevated domain group discovery enumeration on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 21 + threat_objects: [] tags: analytic_story: - Active Directory Discovery - Volt Typhoon - Rhysida Ransomware - BlackSuit Ransomware + - IcedID asset_type: Endpoint - confidence: 70 - impact: 30 - message: Elevated domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml similarity index 71% rename from detections/endpoint/extraction_of_registry_hives.yml rename to detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index ae858df02b..fe239f0596 100644 --- a/detections/endpoint/extraction_of_registry_hives.yml 
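Review bot: `rba.message` still says "Elevated domain group discovery enumeration on $dest$ by $user$" although this revision no longer requires `/domain` and now includes `Domain Computers`; update it to match the new "Sensitive Group" scope. The message also names `$user$`, but `risk_objects` lists only `dest` even though `Processes.user` is in the `by` clause; add a `user` risk object as the SDDL and SAM hunks in this diff do, otherwise the account performing the enumeration never accrues risk for it.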
+++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml @@ -1,8 +1,8 @@ -name: Extraction of Registry Hives -id: 8bbb7d58-b360-11eb-ba21-acde48001122 -version: 4 -date: '2024-09-30' -author: Michael Haag, Splunk +name: Windows Sensitive Registry Hive Dump Via CommandLine +id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e +version: 2 +date: '2025-01-15' +author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk status: production type: TTP description: The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network. 
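Review bot: the new `id` `5aaff29d-0cce-405b-9ee8-5d06b49d045e` starts at `version: 2`, whereas the other rename in this diff (`Windows Sensitive Group Discovery With Net`) resets to `version: 1`; pick one convention for renamed-with-new-id detections, and if the intent is continuity with `8bbb7d58-b360-11eb-ba21-acde48001122` (previously version 4), say so in the commit or add a deprecation mapping. The description is unchanged and only mentions `reg.exe` with `save`/`export`, which no longer reflects the broadened search in the following hunk.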
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system *" OR Processes.process="*\security *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *", "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE*", "*HKLM*") AND Processes.process IN ("*SAM*", "*System*", "*Security*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_registry_hive_dump_via_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. references: 
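Review bot: the hive filter `Processes.process IN ("*SAM*", "*System*", "*Security*")` is a bare substring match over the whole command line, so `*System*` is satisfied by the binary path alone (`C:\Windows\System32\reg.exe ...`), and together with `*save*`/`*export*` and `*HKLM*` the search fires on every `reg save HKLM\Software\...` or `reg export HKLM\...` launched with a full path; the previous `"*\system *"` pattern (backslash plus trailing space) avoided that. Anchor each hive to its root key instead, e.g. `Processes.process IN ("*HKLM\\SAM*", "*HKLM\\SYSTEM*", "*HKLM\\SECURITY*", "*HKEY_LOCAL_MACHINE\\SAM*", "*HKEY_LOCAL_MACHINE\\SYSTEM*", "*HKEY_LOCAL_MACHINE\\SECURITY*")`, following the double-backslash convention used in the LSA search earlier in this diff. The `process_regedit` branch with `/E` or `-E` also brings `regedit.exe` exports into scope, but `description` and the `rba.message` in the next hunk still say only `reg.exe`.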
@@ -26,54 +26,41 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious use of `reg.exe` exporting Windows Registry hives containing + credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$ + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name tags: analytic_story: - - Volt Typhoon - - Credential Dumping + - CISA AA22-257A - CISA AA23-347A + - Compromised Windows Host + - Credential Dumping - DarkSide Ransomware - - CISA AA22-257A + - Data Destruction + - Industroyer2 + - Volt Typhoon + - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 80 - message: Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$ mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: -- name: True Positive Test +- name: True Positive Test - Sysmon attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml index 940afc8267..ec7cef2ae6 100644 --- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml +++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml 
@@ -1,18 +1,38 @@ name: Windows Server Software Component GACUtil Install to GAC id: 7c025ef0-9e65-4c57-be39-1c13dbb1613e -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of GACUtil.exe to add a DLL into the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adding a DLL to the GAC allows it to be called by any application, potentially enabling widespread code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code across the operating system, leading to privilege escalation or persistent access. +description: The following analytic detects the use of GACUtil.exe to add a DLL into + the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant because adding a DLL to the GAC allows it to be called by any application, + potentially enabling widespread code execution. If confirmed malicious, this could + allow an attacker to execute arbitrary code across the operating system, leading + to privilege escalation or persistent access. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN ("*-i *","*/i *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe + Processes.process IN ("*-i *","*/i *") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_server_software_component_gacutil_install_to_gac_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if gacutil.exe is utilized day + to day by developers. Filter as needed. references: - https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ 
@@ -24,59 +44,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to add a module to the global assembly + cache. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - IIS Components asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache. 
mitre_attack_id: - T1505 - T1505.004 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index ffeb436072..a183f4a0d9 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml 
@@ -1,18 +1,39 @@ name: Windows Service Create Kernel Mode Driver id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures. +description: The following analytic identifies the creation of a new kernel mode driver + using the sc.exe command. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs that include command-line + details. The activity is significant because adding a kernel driver is uncommon + in regular operations and can indicate an attempt to gain low-level access to the + system. If confirmed malicious, this could allow an attacker to execute code with + high privileges, potentially compromising the entire system and evading traditional + security measures. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process="*kernel*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on common applications adding new drivers, however, filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe + Processes.process="*kernel*" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_service_create_kernel_mode_driver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on common applications + adding new drivers, however, filter as needed. references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ drilldown_searches: 
@@ -21,51 +42,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Service control, $process_name$, loaded a new kernel mode driver on $dest$ + by $user$. + risk_objects: + - field: user + type: user + score: 48 + - field: dest + type: system + score: 48 + threat_objects: [] tags: analytic_story: - Windows Drivers - CISA AA22-320A asset_type: Endpoint - confidence: 80 - impact: 60 - message: Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$. 
mitre_attack_id: - T1543.003 - T1543 - T1068 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 48 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml index b4a9f7f042..23e3442fbb 100644 --- a/detections/endpoint/windows_service_create_remcomsvc.yml +++ b/detections/endpoint/windows_service_create_remcomsvc.yml 
@@ -1,16 +1,28 @@ name: Windows Service Create RemComSvc id: 0be4b5d6-c449-4084-b945-2392b519c33b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Windows Event Log System 7045 -description: The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network. -search: '`wineventlog_system` EventCode=7045 ServiceName="RemCom Service" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`' -how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. -known_false_positives: False positives may be present, filter as needed based on administrative activity. +description: The following analytic detects the creation of the RemComSvc service + on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It + leverages Windows EventCode 7045 from the System event log, specifically looking + for the "RemCom Service" name. This activity is significant as it often signifies + unauthorized lateral movement within the network, which is a common tactic used + by attackers to spread malware or gain further access. 
If confirmed malicious, this + could lead to unauthorized access to sensitive systems, data exfiltration, or further + compromise of the network. +search: '`wineventlog_system` EventCode=7045 ServiceName="RemCom Service" | stats + count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName + ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_service_create_remcomsvc_filter`' +how_to_implement: To implement this analytic, the Windows EventCode 7045 will need + to be logged. The Windows TA for Splunk is also recommended. +known_false_positives: False positives may be present, filter as needed based on administrative + activity. references: - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - https://github.com/kavika13/RemCom 
@@ -20,41 +32,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new service was created related to RemCom on $dest$. + risk_objects: + - field: dest + type: system + score: 32 + threat_objects: [] tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 80 - impact: 40 - message: A new service was created related to RemCom on $dest$. 
mitre_attack_id: - T1543.003 - T1543 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - EventCode - - ImagePath - - ServiceName - - ServiceType - risk_score: 32 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml index 0dd44af68e..43a0ccd75b 100644 --- a/detections/endpoint/windows_service_create_sliverc2.yml +++ b/detections/endpoint/windows_service_create_sliverc2.yml @@ -1,7 +1,7 @@ name: Windows Service Create SliverC2 id: 89dad3ee-57ec-43dc-9044-131c4edd663f -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk type: TTP status: production 
@@ -40,37 +40,30 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A user mode service was created on $dest$ related to SliverC2. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - BishopFox Sliver Adversary Emulation Framework - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 90 - message: A user mode service was created on $dest$ related to SliverC2. mitre_attack_id: - T1569 - T1569.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - Computer - - ServiceName - - ImagePath - - ServiceType - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml index 29dc9e3796..94c6c19992 100644 --- a/detections/endpoint/windows_service_create_with_tscon.yml +++ b/detections/endpoint/windows_service_create_with_tscon.yml @@ -1,7 +1,7 @@ name: Windows Service Create with Tscon id: c13b3d74-6b63-4db5-a841-4206f0370077 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk type: TTP status: production 
@@ -60,58 +60,39 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to hijack a RDP session. + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Lateral Movement - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to hijack a RDP session. mitre_attack_id: - T1563.002 - T1563 - T1543.003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 934a861942..9dfedd34e8 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml 
@@ -1,16 +1,30 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 7 -date: '2024-09-30' +version: 11 +date: '2025-01-27' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. +description: The following analytic detects the creation of a Windows Service with + a binary path located in uncommon directories, using Windows Event ID 7045. It leverages + logs from the `wineventlog_system` to identify services installed outside typical + system directories. This activity is significant as adversaries, including those + deploying Clop ransomware, often create malicious services for lateral movement, + remote code execution, persistence, and execution. If confirmed malicious, this + could allow attackers to maintain persistence, execute arbitrary code, and potentially + escalate privileges, posing a severe threat to the environment. 
data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -known_false_positives: Legitimate applications may install services with uncommon services paths. +search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN + ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath + ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. +known_false_positives: Legitimate applications may install services with uncommon + services paths. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html 
@@ -20,48 +34,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ + on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: + - field: ImagePath + type: service tags: analytic_story: - - Clop Ransomware - - Active Directory Lateral Movement - Brute Ratel C4 - - Qakbot - - Snake Malware - Flax Typhoon - PlugX - CISA AA23-347A + - Qakbot + - Crypto Stealer + - Active Directory Lateral Movement + - Derusbi + - Nexus APT Threat Activity + - Snake Malware + - Clop Ransomware + - Earth Estries asset_type: Endpoint - confidence: 80 - impact: 70 - message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$ mitre_attack_id: - T1569 - T1569.002 - observable: - - 
name: dest - type: Hostname - role: - - Victim - - name: ImagePath - type: File - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - Service_File_Name - - Service_Type - - _time - - Service_Name - - Service_Start_Type - - dest - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_service_created_within_public_path.yml b/detections/endpoint/windows_service_created_within_public_path.yml index 67ba6d45a0..6ff175c139 100644 --- a/detections/endpoint/windows_service_created_within_public_path.yml +++ b/detections/endpoint/windows_service_created_within_public_path.yml 
@@ -1,16 +1,30 @@ name: Windows Service Created Within Public Path id: 3abb2eda-4bb8-11ec-9ae4-3e22fbd008af -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a Windows Service with its binary path located in public directories using Windows Event ID 7045. This detection leverages logs from the `wineventlog_system` data source, focusing on the `ImagePath` field to identify services installed outside standard system directories. This activity is significant as it may indicate the installation of a malicious service, often used by adversaries for lateral movement or remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or further compromise the system. +description: The following analytic detects the creation of a Windows Service with + its binary path located in public directories using Windows Event ID 7045. This + detection leverages logs from the `wineventlog_system` data source, focusing on + the `ImagePath` field to identify services installed outside standard system directories. + This activity is significant as it may indicate the installation of a malicious + service, often used by adversaries for lateral movement or remote code execution. + If confirmed malicious, this could allow attackers to execute arbitrary code, maintain + persistence, or further compromise the system. 
data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -known_false_positives: Legitimate applications may install services with uncommon services paths. +search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN + ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath + ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. +known_false_positives: Legitimate applications may install services with uncommon + services paths. references: - https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager - https://pentestlab.blog/2020/07/21/lateral-movement-services/ 
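Review bot: the reflowed `how_to_implement` and `known_false_positives` lines in this windows_service_created_within_public_path.yml hunk carry two wording defects over unchanged while the text is being touched: `Service name, Service File Name Service Start type, and Service Type` is missing a comma after `Service File Name`, and `uncommon services paths` should read `uncommon service paths`. Suggest `logs with the Service name, Service File Name, Service Start type, and Service Type` and `install services with uncommon service paths` so the reflow also fixes the copy.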
@@ -20,45 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows Service $ServiceName$ with a public path was created on $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: + - field: ServiceName + type: service tags: analytic_story: - Active Directory Lateral Movement - Snake Malware asset_type: Endpoint - confidence: 60 - impact: 90 - message: A Windows Service $ServiceName$ with a public path was created on $dest$ mitre_attack_id: - T1543 - T1543.003 - observable: - - name: ServiceName - type: Other - role: - - Attacker - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - EventCode - - Service_File_Name - - Service_Type - - _time - - Service_Name - - 
Service_Start_Type - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index 6831b353b4..19ea16bb63 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml 
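Review bot: in the `tests` block of the windows_service_created_within_public_path.yml hunk, the `attack_data` URL is re-wrapped but still points at a `T1569.002/...` dataset path while `mitre_attack_id` for this detection lists only T1543 and T1543.003; worth confirming the dataset location is intended or noting the mismatch in the PR, since the path suggests a different technique. The rest of the migration is consistent: `score: 54` under `rba.risk_objects` equals the removed `confidence: 60` times `impact: 90` divided by 100, and `$ServiceName$` used in `rba.message` is in the search's `stats ... by` clause, so the message will render.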
@@ -1,18 +1,40 @@ name: Windows Service Creation on Remote Endpoint id: e0eea4fa-4274-11ec-882b-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the creation of a Windows Service on a remote endpoint using `sc.exe`. It detects this activity by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include remote paths and service creation commands. This behavior is significant because adversaries often exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network. +description: The following analytic identifies the creation of a Windows Service on + a remote endpoint using `sc.exe`. It detects this activity by analyzing process + execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line + arguments that include remote paths and service creation commands. This behavior + is significant because adversaries often exploit the Service Control Manager for + lateral movement and remote code execution. If confirmed malicious, this activity + could allow attackers to execute arbitrary code on remote systems, potentially leading + to further compromise and persistence within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe + OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*create* + AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `windows_service_creation_on_remote_endpoint_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may create Windows Services on remote systems, + but this activity is usually limited to a small set of hosts or users. references: - https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager - https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc 
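Review bot: the re-wrapped `search` in the windows_service_creation_on_remote_endpoint.yml hunk keeps a missing space between two macros, `` `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` ``, where every other search in this patch writes `` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``; since the line is being reflowed anyway, add the space for consistency.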
@@ -23,47 +45,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows Service was created on a remote endpoint from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - CISA AA23-347A asset_type: Endpoint - confidence: 60 - impact: 90 - message: A Windows Service was created on a remote endpoint from $dest$ mitre_attack_id: - T1543 - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 21bb07a803..57685573a3 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml 
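Review bot: the new `rba` block in the windows_service_creation_on_remote_endpoint.yml hunk declares `threat_objects: []` and only `dest` as a risk object, even though the search groups by `Processes.user`, `Processes.process_name` and `Processes.parent_process_name`. The RemCom hunk later in this same patch maps `user` as a second risk object and `parent_process_name` / `process_name` as threat objects for an equivalent process-based detection; suggest the same shape here so the originating user and the `sc.exe` process are attributed in risk events rather than only the source host.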
@@ -1,16 +1,22 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 7 -date: '2024-12-08' +version: 11 +date: '2025-01-27' author: Teoderick Contreras, Splunk, Steven Dick status: production -type: TTP -description: The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes. +type: Anomaly +description: The following analytic detects the modification of registry keys that + define Windows services using reg.exe. This detection leverages Splunk to search + for specific keywords in the registry path, value name, and value data fields. This + activity is significant because it indicates potential unauthorized changes to service + configurations, a common persistence technique used by attackers. If confirmed malicious, + this could allow an attacker to maintain access, escalate privileges, or move laterally + within the network, leading to data theft, ransomware, or other damaging outcomes. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name - = ImagePath) BY Registry.dest Registry.user Registry.registry_path +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" + Registry.registry_value_name = ImagePath) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`' 
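Review bot: the windows_service_creation_using_registry_entry.yml hunk changes `type: TTP` to `type: Anomaly`, which is a behavioural change to how the detection is classified, yet nothing else in the file (description, known_false_positives) explains the downgrade; suggest the PR description state the rationale. The version also jumps from 7 to 11 in a single hunk while the sibling detections bump by one, which suggests squashed intermediate revisions; confirm the intended version number.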
@@ -28,42 +34,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows Service was created on a endpoint from $dest$ using a registry + entry + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - - Active Directory Lateral Movement - - Suspicious Windows Registry Activities - - Windows Persistence Techniques - - Windows Registry Abuse - Brute Ratel C4 - PlugX + - Windows Persistence Techniques - CISA AA23-347A + - Windows Registry Abuse + - Suspicious Windows Registry Activities + - Active Directory Lateral Movement + - Crypto Stealer + - Derusbi + - Nexus APT Threat Activity + - Earth Estries asset_type: Endpoint - confidence: 80 - impact: 80 - message: A Windows Service was created on a endpoint from $dest$ using a registry entry 
mitre_attack_id: - T1574.011 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml index a369a88aa2..726c49700d 100644 --- a/detections/endpoint/windows_service_deletion_in_registry.yml +++ b/detections/endpoint/windows_service_deletion_in_registry.yml 
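Review bot: `rba.message` in the windows_service_creation_using_registry_entry.yml hunk carries the grammar error from the removed `tags.message` line, `A Windows Service was created on a endpoint from $dest$`, which should read `on an endpoint`. Separately, the `analytic_story` list is reordered (Brute Ratel C4 and PlugX moved to the top, existing entries removed and re-added) while four new stories are appended, which produces remove/add noise for unchanged values; suggest either appending Crypto Stealer, Derusbi, Nexus APT Threat Activity and Earth Estries without moving the existing entries, or sorting the list consistently across all detections in this patch.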
@@ -1,16 +1,34 @@ name: Windows Service Deletion In Registry id: daed6823-b51c-4843-a6ad-169708f1323e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts. +description: The following analytic detects the deletion of a service from the Windows + Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring registry paths and actions related to service + deletion. This activity is significant as adversaries may delete services to evade + detection and hinder incident response efforts. If confirmed malicious, this action + could disrupt legitimate services, impair system functionality, and potentially + allow attackers to maintain a lower profile within the environment, complicating + detection and remediation efforts. 
data_source: - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*" + AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND + Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: This event can be seen when administrator delete a service + or uninstall/reinstall a software that creates service entry, but it is still recommended + to check this alert with high priority. references: - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ drilldown_searches: 
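Review bot: the reflowed `how_to_implement` and `known_false_positives` text in the windows_service_deletion_in_registry.yml hunk keeps several grammar problems that should be fixed while these lines are being rewritten: `ingesting information on process that include the name of the process` reads better as `ingesting process information that includes the name of the process`, `ex. sysmon config` as `e.g. your Sysmon config`, and `when administrator delete a service or uninstall/reinstall a software that creates service entry` as `when an administrator deletes a service or uninstalls/reinstalls software that creates a service entry`.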
@@ -19,48 +37,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service was deleted on $dest$ within the Windows registry. + risk_objects: + - field: dest + type: system + score: 18 + threat_objects: [] tags: analytic_story: - - Brute Ratel C4 - PlugX + - Crypto Stealer + - Brute Ratel C4 asset_type: Endpoint - confidence: 30 - impact: 60 - message: A service was deleted on $dest$ within the Windows registry. 
mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.registry_key_name - - Registry.registry_path - - Registry.user - - Registry.dest - - Registry.registry_value_name - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.dest - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - risk_score: 18 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_service_execution_remcom.yml b/detections/endpoint/windows_service_execution_remcom.yml index 522fb40335..43198428c0 100644 --- a/detections/endpoint/windows_service_execution_remcom.yml +++ b/detections/endpoint/windows_service_execution_remcom.yml @@ -1,7 +1,7 @@ name: Windows Service Execution RemCom id: 7e3d68db-ea4d-419b-adbd-e14a525ecf09 -version: 1 -date: '2024-12-10' +version: 3 +date: '2025-01-07' author: Michael Haag, Splunk type: TTP status: production 
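Review bot: the removal of `- update_timestamp: true` from the `attack_data` entry in the windows_service_deletion_in_registry.yml tests hunk is a functional change to the test, not a reflow, and nothing in the hunk explains it; none of the other test blocks in this patch carry that key, so if this is deliberate alignment say so in the PR description, otherwise keep the key so the replayed dataset behaves as before. The risk migration itself is consistent: `score: 18` matches the removed `confidence: 30` times `impact: 60` divided by 100.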
@@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_execution_remcom_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present based on Administrative use. Filter as needed. +description: The following analytic identifies the execution of RemCom.exe, an open-source + alternative to PsExec, used for lateral movement and remote command execution. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names, original file names, and command-line arguments. This activity is significant + as it indicates potential lateral movement within the network. If confirmed malicious, + this could allow an attacker to execute commands remotely, potentially leading to + further compromise and control over additional systems within the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe + OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process + IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_execution_remcom_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present based on Administrative use. + Filter as needed. references: - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - https://github.com/kavika13/RemCom 
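Review bot: a small copy point in the windows_service_execution_remcom.yml hunk, since the line is being rewritten anyway: `known_false_positives: False positives may be present based on Administrative use.` capitalises `Administrative` mid-sentence; suggest `based on administrative use`. The reflowed `search` is otherwise unchanged in content and keeps the `process_name` / `original_file_name` pair and the `"*/user:*"`, `"*/pwd:*"` argument checks.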
@@ -22,57 +43,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally. 
mitre_attack_id: - T1569.002 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index 2a1b316fd6..2a3c2b3981 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml 
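Review bot: in the windows_service_execution_remcom.yml rba hunk the `message:` line is the only long field in this patch left unwrapped, `message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.`, while every other description, search and message is folded at roughly 80 columns; wrap it the same way for consistency. The scores check out: both `user` and `dest` get `score: 40`, equal to the removed `confidence: 50` times `impact: 80` divided by 100, and all four `$...$` placeholders are fields in the search's `by` clause.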
@@ -1,18 +1,38 @@ name: Windows Service Initiation on Remote Endpoint id: 3f519894-4276-11ec-ab02-3e22fbd008af -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of `sc.exe` with command-line arguments used to start a Windows Service on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network. +description: The following analytic detects the execution of `sc.exe` with command-line + arguments used to start a Windows Service on a remote endpoint. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant because adversaries may exploit + the Service Control Manager for lateral movement and remote code execution. If confirmed + malicious, this could allow attackers to execute arbitrary code on remote systems, + potentially leading to further compromise and persistence within the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe + OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*start*) + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may start Windows Services on remote systems, + but this activity is usually limited to a small set of hosts or users. references: - https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc - https://attack.mitre.org/techniques/T1543/003/ 
@@ -22,47 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Windows Service was started on a remote endpoint from $dest$ + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - CISA AA23-347A asset_type: Endpoint - confidence: 60 - impact: 90 - message: A Windows Service was started on a remote endpoint from $dest$ mitre_attack_id: - T1543 - T1543.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_stop_attempt.yml b/detections/endpoint/windows_service_stop_attempt.yml new file mode 100644 index 0000000000..86253b0dc4 --- /dev/null +++ b/detections/endpoint/windows_service_stop_attempt.yml 
@@ -0,0 +1,50 @@ +name: Windows Service Stop Attempt +id: dd0f07ea-f08f-4d88-96e5-cb58156e82b6 +version: 1 +date: '2025-01-13' +author: Teoderick Contreras, Splunk +status: production +type: Hunting +description: The following analytic identifies attempts to stop services on a system using `net.exe`, `sc.exe` or the "Stop-Service" cmdlet. It leverages Endpoint Detection and Response (EDR) telemetry. This activity can be significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_attempt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Windows OS or software may stop and restart services due to some critical update. +references: +- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Prestige Ransomware + - Graceful Wipe Out Attack + asset_type: Endpoint + mitre_attack_id: + - T1489 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
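Review bot: the `Stop-Service` alternative in the new search (`OR Processes.process="*Stop-Service *"`) sits outside the `(`process_net` OR `process_sc`)` group, so it matches any process whose command line contains `Stop-Service ` (scripts, wrappers, anything passing the cmdlet text as an argument), not only PowerShell hosts. That breadth is acceptable for a `type: Hunting` analytic, but `known_false_positives` only mentions the OS restarting services during updates; it should also say that the cmdlet branch is process-agnostic so reviewers filter on `parent_process_name` / `process_name` before promoting this to a scored detection. Since this file reuses the Prestige Ransomware dataset and references of the `windows_service_stop_via_net__and_sc_application.yml` it replaces, a `description` sentence pointing at that lineage would help anyone tracking the rename.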
diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index 0d00fde6cb..fc838572a7 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml 
@@ -1,18 +1,40 @@ name: Windows Service Stop By Deletion id: 196ff536-58d9-4d1b-9686-b176b04e430b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system. +description: The following analytic detects the use of `sc.exe` to delete a Windows + service. It leverages Endpoint Detection and Response (EDR) data, focusing on process + execution logs that capture command-line arguments. This activity is significant + because adversaries often delete services to disable security mechanisms or critical + system functions, aiding in evasion and persistence. If confirmed malicious, this + action could lead to the termination of essential security services, allowing attackers + to operate undetected and potentially escalate their privileges or maintain long-term + access to the compromised system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible administrative scripts may start/stop/delete services. Filter as needed. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) + Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible administrative scripts may start/stop/delete + services. Filter as needed. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 
@@ -23,44 +45,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ attempting to delete a service. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Azorult - Graceful Wipe Out Attack + - Crypto Stealer asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service. 
mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.process - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_id - - Processes.parent_process_id - - Processes.dest - - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml deleted file mode 100644 index a610acb064..0000000000 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ /dev/null 
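Review bot: in the new `rba` block of `windows_service_stop_by_deletion.yml` the message interpolates `$parent_process_name$` and `$process_name$`, and both fields are in the search's `by` clause, yet `threat_objects` is `[]`. The remcom detection earlier in this patch registers the same two fields as threat objects (`type: parent_process_name` and `type: process_name`); doing the same here keeps the risk index consistent across the converted detections and lets analysts pivot on the binary that issued `sc delete` rather than only on `dest`.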
@@ -1,67 +0,0 @@ -name: Windows Service Stop Via Net and SC Application -id: 827af04b-0d08-479b-9b84-b7d4644e4b80 -version: 3 -date: '2024-09-30' -author: Teoderick Contreras, Splunk -status: production -type: Anomaly -description: The following analytic identifies attempts to stop services on a system using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line executions. This activity is significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise. -data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Windows OS or software may stop and restart services due to some critical update. -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ -drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -tags: - analytic_story: - - Prestige Ransomware - - Graceful Wipe Out Attack - asset_type: Endpoint - confidence: 70 - impact: 70 - message: $process$ was executed on $dest$ attempting to stop service. 
- mitre_attack_id: - - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml index 76110d8b19..c28122bc0e 100644 --- a/detections/endpoint/windows_service_stop_win_updates.yml +++ b/detections/endpoint/windows_service_stop_win_updates.yml 
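Review bot: this removes `windows_service_stop_via_net__and_sc_application.yml` (id `827af04b-0d08-479b-9b84-b7d4644e4b80`, `type: Anomaly`, `risk_score: 49`) outright rather than marking it deprecated, so any ES correlation search, risk rule or tuning keyed on that id or on the `windows_service_stop_via_net__and_sc_application_filter` macro is orphaned with no pointer to its successor. The successor `windows_service_stop_attempt.yml` added in this patch is `type: Hunting` with no `rba` block, so the risk contribution this Anomaly produced for service stops on `dest` disappears; if that downgrade is intended it should be called out in the commit message. One motivation for the rewrite that is worth recording: the old `where` clause mixes `OR` and `AND` without parentheses (`\`process_net\` OR Processes.process_name = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*"`), so the intended grouping is not obvious to a reader; the replacement's parenthesised form removes that ambiguity.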
@@ -1,16 +1,31 @@ name: Windows Service Stop Win Updates id: 0dc25c24-6fcf-456f-b08b-dd55a183e4de -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log System 7040 -description: The following analytic detects the disabling of Windows Update services, such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows Update." It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host. -search: '`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040) -known_false_positives: Network administrator may disable this services as part of its audit process within the network. Filter is needed. +description: The following analytic detects the disabling of Windows Update services, + such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows + Update." 
It leverages Windows System Event ID 7040 logs to identify changes in service + start modes to 'disabled.' This activity is significant as it can indicate an adversary's + attempt to evade defenses by preventing critical updates, leaving the system vulnerable + to exploits. If confirmed malicious, this could allow attackers to maintain persistence + and exploit unpatched vulnerabilities, compromising the integrity and security of + the affected host. +search: '`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator + Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", + "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) | stats + count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name + start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Service name, Service File Name Service Start type, and Service Type + from your endpoints (like Windows system.log Event ID 7040) +known_false_positives: Network administrator may disable this services as part of + its audit process within the network. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: 
@@ -19,44 +34,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Windows update services $service_name$ was being disabled on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - RedLine Stealer asset_type: Endpoint - confidence: 70 - impact: 70 - message: Windows update services $service_name$ was being disabled on $dest$ mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Computer - - EventCode - - Error_Code - - service_name - - start_mode - - param1 - - param2 - - param3 - - param4 - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/win_update_services_stop/system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/win_update_services_stop/system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml new file mode 100644 index 0000000000..9224034cad --- /dev/null +++ b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml 
@@ -0,0 +1,80 @@ +name: Windows Set Account Password Policy To Unlimited Via Net +id: 11f93009-8083-43fd-82a7-821fcbdc8342 +version: 1 +date: '2025-01-13' +author: Teoderick Contreras, Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of net.exe to update user account + policies to set passwords as non-expiring. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving "/maxpwage:unlimited" or "/maxpwage:49710", which achieve a similar outcome theoretically. + This activity is significant as it can indicate an attempt to maintain persistence, + escalate privileges, evade defenses, or facilitate lateral movement. If confirmed + malicious, this behavior could allow an attacker to maintain long-term access to + compromised accounts, potentially leading to further exploitation and unauthorized + access to sensitive information. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` AND Processes.process="* accounts *" AND (Processes.process="* + /maxpwage:unlimited" OR Processes.process="/maxpwage:49710") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_set_account_password_policy_to_unlimited_via_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: This behavior is not commonly seen in production environment + and not advisable, filter as needed. +references: +- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ +- https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ attempting to make non-expiring password on host user accounts. 
+ risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] +tags: + analytic_story: + - Ransomware + - BlackByte Ransomware + - Crypto Stealer + - XMRig + asset_type: Endpoint + mitre_attack_id: + - T1489 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_sip_provider_inventory.yml b/detections/endpoint/windows_sip_provider_inventory.yml index 88203d9c78..a162a19b68 100644 --- a/detections/endpoint/windows_sip_provider_inventory.yml +++ b/detections/endpoint/windows_sip_provider_inventory.yml 
@@ -1,15 +1,26 @@ name: Windows SIP Provider Inventory id: 21c5af91-1a4a-4511-8603-64fb41df3fad -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting data_source: [] -description: The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats. -search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' -how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 -known_false_positives: False positives are limited as this is a hunting query for inventory. +description: The following analytic identifies all SIP (Subject Interface Package) + providers on a Windows system using PowerShell scripted inputs. It detects SIP providers + by capturing DLL paths from relevant events. This activity is significant because + malicious SIP providers can be used to bypass trust controls, potentially allowing + unauthorized code execution. If confirmed malicious, this activity could enable + attackers to subvert system integrity, leading to unauthorized access or persistent + threats within the environment. 
Analysts should review for new and non-standard + paths to identify potential threats. +search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime + max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' +how_to_implement: To implement this analytic, one must first perform inventory using + a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 +known_false_positives: False positives are limited as this is a hunting query for + inventory. references: - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 tags: @@ -17,29 +28,17 @@ tags: - Subvert Trust Controls SIP and Trust Provider Hijacking asset_type: Endpoint atomic_guid: [] - confidence: 50 - impact: 50 - message: A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$. mitre_attack_id: - T1553.003 - observable: - - name: host - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - Path - - Dll - - host security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log source: powershell://SubjectInterfacePackage sourcetype: PwSh:SubjectInterfacePackage diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml index 59bfe6f7dc..1b4e98a8fa 100644 --- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml 
+++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml 
@@ -1,16 +1,29 @@ name: Windows SIP WinVerifyTrust Failed Trust Validation id: 6ffc7f88-415b-4278-a80d-b957d6539e1a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Windows Event Log CAPI2 81 -description: The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that "The digital signature of the object did not verify." This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise. -search: '`capi2_operational` EventID=81 "The digital signature of the object did not verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`' -how_to_implement: To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information. -known_false_positives: False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed. +description: The following analytic detects failed trust validation attempts using + Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, + which indicates that "The digital signature of the object did not verify." 
This + detection leverages the CAPI2 Operational log to identify instances where digital + signatures fail to validate. Monitoring this activity is crucial as it can indicate + attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, + this activity could allow attackers to bypass security controls and execute unauthorized + code, leading to potential system compromise. +search: '`capi2_operational` EventID=81 "The digital signature of the object did not + verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as + lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`' +how_to_implement: To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational + log within the Windows Event Log. Note this is a debug log for many purposes, and + the analytic only focuses in on EventID 81. Review the following gist for additional + enabling information. +known_false_positives: False positives may be present in some instances of legitimate + binaries with invalid signatures. Filter as needed. references: - https://attack.mitre.org/techniques/T1553/003/ - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf 
@@ -23,37 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Failed trust validation via the CryptoAPI 2 on $dest$ for a binary. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Subvert Trust Controls SIP and Trust Provider Hijacking asset_type: Endpoint atomic_guid: [] - confidence: 80 - impact: 80 - message: Failed trust validation via the CryptoAPI 2 on $dest$ for a binary. 
mitre_attack_id: - T1553.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Computer - - UserData_Xml security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml index ce611929aa..7c955dcf60 100644 --- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml +++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml 
@@ -1,16 +1,33 @@ name: Windows Snake Malware File Modification Crmlog id: 27187e0e-c221-471d-a7bd-04f698985ff6 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 11 -description: The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND Filesystem.file_name="*.crmlog" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme. 
+description: The following analytic identifies the creation of a .crmlog file within + the %windows%\Registration directory, typically with a format of ..crmlog. + This detection leverages the Endpoint.Filesystem datamodel to monitor file creation + events in the specified directory. This activity is significant as it is associated + with the Snake malware, which uses this file for its operations. If confirmed malicious, + this could indicate the presence of Snake malware, leading to potential data exfiltration, + system compromise, and further malicious activities. Immediate investigation is + required to mitigate the threat. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" + AND Filesystem.file_name="*.crmlog" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name + Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be present as the file pattern does match + legitimate files on disk. It is possible other native tools write the same file + name scheme. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF drilldown_searches: 
@@ -19,41 +36,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A file related to Snake Malware has been identified on $dest$. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Snake Malware asset_type: Endpoint atomic_guid: - 7e47ee60-9dd1-4269-9c4f-97953b183268 - confidence: 50 - impact: 50 - message: A file related to Snake Malware has been identified on $dest$. 
mitre_attack_id: - T1027 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml index f82922c957..d294b72c80 100644 --- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml +++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml 
@@ -1,15 +1,30 @@ name: Windows Snake Malware Kernel Driver Comadmin id: 628d9c7c-3242-43b5-9620-7234c080a726 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 11 -description: The following analytic detects the creation of the comadmin.dat file in the %windows%\system32\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" AND Filesystem.file_name="comadmin.dat" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +description: The following analytic detects the creation of the comadmin.dat file + in the %windows%\system32\Com directory, which is associated with Snake Malware. 
+ This detection leverages the Endpoint.Filesystem data model to identify file creation + events matching the specified path and filename. This activity is significant because + the comadmin.dat file is part of Snake Malware's installation process, which includes + dropping a kernel driver and a custom DLL. If confirmed malicious, this activity + could allow an attacker to load a malicious driver, potentially leading to privilege + escalation and persistent access to the compromised system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" + AND Filesystem.file_name="comadmin.dat" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name + Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. known_false_positives: False positives may be present, filter as needed. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF 
@@ -19,41 +34,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A kernel driver comadmin.dat related to Snake Malware was written to disk + on $dest$. + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Snake Malware asset_type: Endpoint atomic_guid: - e5cb5564-cc7b-4050-86e8-f2d9eec1941f - confidence: 80 - impact: 70 - message: A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$. 
mitre_attack_id: - T1547.006 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 - required_fields: - - _time - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - Filesystem.file_path - - Filesystem.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml index 42cffee82a..7c70bcea05 100644 --- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml +++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml 
@@ -1,16 +1,33 @@ name: Windows Snake Malware Registry Modification wav OpenWithProgIds id: 13cf8b79-805d-443c-bf52-f55bd7610dfd -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 13 -description: The following analytic identifies modifications to the registry path .wav\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access. -search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present and will require tuning based on program Ids in large organizations. 
+description: The following analytic identifies modifications to the registry path + .wav\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages + data from the Endpoint.Registry datamodel to detect changes in this specific registry + location. This activity is significant because Snake's WerFault.exe uses this registry + path to decrypt an encrypted blob containing critical components like the AES key, + IV, and paths for its kernel driver and loader. If confirmed malicious, this could + allow the attacker to load and execute Snake's kernel driver, leading to potential + system compromise and persistent access. +search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) + as registry_key_name values(Registry.registry_path) as registry_path min(_time) + as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*" by + Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be present and will require tuning based + on program Ids in large organizations. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF drilldown_searches: 
@@ -19,41 +36,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A registry modification related to Snake Malware has been identified on + $dest$. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Snake Malware asset_type: Endpoint atomic_guid: - 8318ad20-0488-4a64-98f4-72525a012f6b - confidence: 50 - impact: 50 - message: A registry modification related to Snake Malware has been identified on $dest$. 
mitre_attack_id: - T1112 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml index 6cdd32f334..9e25ca43fe 100644 --- a/detections/endpoint/windows_snake_malware_service_create.yml +++ b/detections/endpoint/windows_snake_malware_service_create.yml @@ -1,7 +1,7 @@ name: Windows Snake Malware Service Create id: 64eb091f-8cab-4b41-9b09-8fb4942377df -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -40,6 +40,13 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - Snake Malware 
@@ -47,35 +54,18 @@ tags: asset_type: Endpoint atomic_guid: - b8db787e-dbea-493c-96cb-9272296ddc49 - confidence: 90 - impact: 80 - message: A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware. mitre_attack_id: - T1547.006 - T1569.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - EventCode - - Service_File_Name - - Service_Type - - _time - - Service_Name - - Service_Start_Type - - Service_Account - - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml index acad428e13..cfe3f8ce09 100644 --- a/detections/endpoint/windows_soaphound_binary_execution.yml +++ b/detections/endpoint/windows_soaphound_binary_execution.yml @@ -1,7 +1,7 @@ name: Windows SOAPHound Binary Execution id: 8e53f839-e127-4d6d-a54d-a2f67044a57f -version: '5' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -54,15 +54,21 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process $process_name$ was executed on $dest$ related to SOAPHound. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process tags: analytic_story: - Windows Discovery Techniques - Compromised Windows Host asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 80 - message: The process $process_name$ was executed on $dest$ related to SOAPHound. mitre_attack_id: - T1087.002 - T1069.001 @@ -71,38 +77,15 @@ tags: - T1087 - T1069.002 - T1069 - observable: - - name: process_name - type: Process - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 - required_fields: - - Processes.process - - Processes.dest - - Processes.process_current_directory - - Processes.process_path - - Processes.process_integrity_level - - Processes.parent_process - - Processes.parent_process_path - - Processes.parent_process_guid - - Processes.parent_process_id - - Processes.process_guid - - Processes.process_id - - Processes.user - - Processes.original_file_nam security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml index 9ecf20bffb..9da99670ce 100644 
--- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml +++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml 
@@ -1,16 +1,31 @@ name: Windows Spearphishing Attachment Connect To None MS Office Domain id: 1cb40e15-cffa-45cc-abbd-e35884a49766 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise. +description: The following analytic identifies suspicious Office documents that connect + to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes + like winword.exe or excel.exe making DNS queries to domains outside of *.office.com + or *.office.net. This activity is significant as it may indicate a spearphishing + attempt using malicious documents to download or connect to harmful content. If + confirmed malicious, this could lead to unauthorized data access, malware infection, + or further network compromise. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Windows Office document may contain legitimate url link other than MS office Domain. filter is needed +search: '`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", + "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") + AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) + as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus + Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. 
+known_false_positives: Windows Office document may contain legitimate url link other + than MS office Domain. filter is needed references: - https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat @@ -19,34 +34,18 @@ tags: - Spearphishing Attachments - AsyncRAT asset_type: Endpoint - confidence: 30 - impact: 30 - message: a office document process $Image$ connect to an URL link $QueryName$ in $dest$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Image - - QueryName - - QueryResults - - QueryStatus - - dest - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml index 85e8c67bd8..c11e520d5a 100644 --- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml +++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml @@ -1,7 +1,7 @@ name: Windows Spearphishing Attachment Onenote Spawn Mshta id: 35aeb0e7-7de5-444a-ac45-24d6788796ec -version: '4' -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -50,51 +50,34 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process ID $process_id$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host - AsyncRAT asset_type: Endpoint - confidence: 90 - impact: 90 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566.001 - T1566 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml index ae173f579c..6f163201b7 100644 
--- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml +++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml @@ -1,7 +1,7 @@ name: Windows Special Privileged Logon On Multiple Hosts id: 4c461f5a-c2cc-4e86-b132-c262fc9edca7 -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Mauricio Velazco, Splunk type: TTP status: production @@ -44,40 +44,33 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'A user $user$ obtained special privileges on a large number of endpoints + (Count: $unique_targets$) within 5 minutes.' + risk_objects: + - field: user + type: user + score: 64 + threat_objects: [] tags: analytic_story: - Active Directory Privilege Escalation - Active Directory Lateral Movement - Compromised Windows Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: 'A user $user$ obtained special privileges on a large number of endpoints - (Count: $unique_targets$) within 5 minutes.' mitre_attack_id: - T1087 - T1021.002 - T1135 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Caller_User_Name - - Computer - - PrivilegeList - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml index 90317c4a6a..d612a17e7e 100644 
--- a/detections/endpoint/windows_sql_spawning_certutil.yml +++ b/detections/endpoint/windows_sql_spawning_certutil.yml @@ -1,7 +1,7 @@ name: Windows SQL Spawning CertUtil id: dfc18a5a-946e-44ee-a373-c0f60d06e676 -version: 5 -date: '2024-12-07' +version: 7 +date: '2024-12-16' author: Michael Haag, Splunk status: experimental type: TTP 
@@ -9,48 +9,57 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process="*urlcache*" OR Processes.process="*verifyctl*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. +description: The following analytic detects the use of certutil to download software, + specifically when spawned by SQL-related processes. This detection leverages Endpoint + Detection and Response (EDR) data, focusing on command-line executions involving + certutil with parameters like *urlcache* and *split*. This activity is significant + as it may indicate a compromise by threat actors, such as Flax Typhoon, who use + certutil to establish persistent VPN connections. If confirmed malicious, this behavior + could allow attackers to maintain access, monitor system availability, and potentially + escalate to data theft or ransomware deployment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") + `process_certutil` (Processes.process="*urlcache*" OR Processes.process="*verifyctl*") + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.original_file_name + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. 
To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The occurrence of false positives should be minimal, given + that the SQL agent does not typically download software using CertUtil. references: - https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ +rba: + message: $process_name$ was launched on $dest$ by $user$. This behavior is uncommon + with the SQL process identified. + risk_objects: + - field: dest + type: system + score: 90 + - field: user + type: user + score: 90 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Flax Typhoon asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 90 - message: $process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified. mitre_attack_id: - T1105 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.original_file_name - - Processes.parent_process_id security_domain: endpoint 
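Review bot: the rewritten `description` in windows_sql_spawning_certutil.yml still says the detection focuses on certutil "with parameters like *urlcache* and *split*", but the `search` in the same hunk matches `Processes.process="*urlcache*" OR Processes.process="*verifyctl*"`; update the description to name `verifyctl` (or add `split` to the search if that is what is intended) so the documentation matches the logic. The version also jumps from 5 to 7 in a single change while the other detections here bump by one; confirm an intermediate bump exists elsewhere or use 6.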
diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml index 8f4b00bc19..120c3b47ad 100644 --- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml +++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml 
@@ -1,16 +1,37 @@ name: Windows SqlWriter SQLDumper DLL Sideload id: 2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 type: TTP status: production -description: The following analytic detects the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, excluding legitimate loads from the System32 directory. This activity is significant as it indicates potential DLL sideloading, a technique used by adversaries to execute malicious code within trusted processes. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and evade detection by blending with legitimate processes. -search: '`sysmon` EventCode=7 (Image="*\\SQLDumper.exe" OR Image="*\\SQLWriter.exe") ImageLoaded="*\\vcruntime140.dll" NOT ImageLoaded="C:\\Windows\\System32\\*" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`' -how_to_implement: The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. 
-known_false_positives: False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. +description: The following analytic detects the abuse of SqlWriter and SQLDumper executables + to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, + focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, + excluding legitimate loads from the System32 directory. This activity is significant + as it indicates potential DLL sideloading, a technique used by adversaries to execute + malicious code within trusted processes. If confirmed malicious, this could allow + attackers to execute arbitrary code, maintain persistence, and evade detection by + blending with legitimate processes. +search: '`sysmon` EventCode=7 (Image="*\\SQLDumper.exe" OR Image="*\\SQLWriter.exe") + ImageLoaded="*\\vcruntime140.dll" NOT ImageLoaded="C:\\Windows\\System32\\*" | stats + values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, + user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`' +how_to_implement: The analytic is designed to be run against Sysmon event logs collected + from endpoints. The analytic requires the Sysmon event logs to be ingested into + Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe + or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters + out the legitimate loading of vcruntime140.dll from the System32 directory to reduce + false positives. 
The analytic can be modified to include additional known good paths + for vcruntime140.dll to further reduce false positives. +known_false_positives: False positives are possible if legitimate processes are loading + vcruntime140.dll from non-standard directories. It is recommended to investigate + the context of the process loading vcruntime140.dll to determine if it is malicious + or not. Modify the search to include additional known good paths for vcruntime140.dll + to reduce false positives. references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader 
@@ -20,9 +41,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $Image$ loading $ImageLoaded$ was detected on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: Image + type: file_name tags: analytic_story: - APT29 Diplomatic Deceptions with WINELOADER 
@@ -31,36 +66,18 @@ tags: - Cozy Bear - Midnight Blizzard asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $Image$ loading $ImageLoaded$ was detected on $dest$. mitre_attack_id: - T1574.002 - observable: - - name: Image - type: File Name - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Image - - ImageLoaded - - user - - Computer - - EventCode - risk_score: 64 security_domain: endpoint cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml index 99252680f7..10ca564046 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml 
@@ -1,17 +1,44 @@ name: Windows Steal Authentication Certificates - ESC1 Abuse id: cbe761fc-d945-4c8c-a71d-e26d12255d32 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation. +description: The following analytic detects when a new certificate is requested or + granted against Active Directory Certificate Services (AD CS) using a Subject Alternative + Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify + these actions. This activity is significant because improperly configured certificate + templates can be exploited for privilege escalation and environment compromise. + If confirmed malicious, an attacker could gain elevated privileges or persist within + the environment, potentially leading to unauthorized access to sensitive information + and further exploitation. 
data_source: - Windows Event Log Security 4886 - Windows Event Log Security 4887 -search: '`wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" | eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".''RequestId'',EventCode=="4887", "A suspicious certificate was issued using request ID: ".''RequestId''.". To revoke this certifacte use this request ID or the SSL fingerprint [".''ssl_hash''."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`' -how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function. 
+search: "`wineventlog_security` EventCode IN (4886,4887) Attributes=\"*SAN:*upn*\"\ + \ Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) + as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject + values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, + RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + fillnull | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\"\ + \ | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes + \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"\ + (?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\\ + r\\n]+)\" | eval flavor_text = case(EventCode==\"4886\",\"A suspicious certificate + was requested using request ID: \".'RequestId',EventCode==\"4887\", \"A suspicious + certificate was issued using request ID: \".'RequestId'.\". To revoke this certifacte + use this request ID or the SSL fingerprint [\".'ssl_hash'.\"]\"), dest = upper(coalesce(req_dest_1,req_dest_2)), + src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as + object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, + Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`" +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled + on AD CS and within Group Policy Management for CS server. See Page 115 of first + reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. +known_false_positives: False positives may be generated in environments where administrative + users or processes are allowed to generate certificates with Subject Alternative + Names. Sources or templates used in these processes may need to be tuned out for + accurate function. 
references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf - https://github.com/ly4k/Certipy#esc1 
@@ -22,48 +49,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible AD CS ESC1 activity by $src_user$ - $flavor_text$ + risk_objects: + - field: src + type: system + score: 60 + - field: dest + type: system + score: 60 + - field: src_user + type: user + score: 60 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 60 - impact: 100 - message: Possible AD CS ESC1 activity by $src_user$ - $flavor_text$ mitre_attack_id: - T1649 - observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: src_user - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Attributes - - 
Computer - - EventCode - - Requester - - RequestId - risk_score: 60 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml index fbeda4e2da..5fcaaba267 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml @@ -1,7 +1,7 @@ name: Windows Steal Authentication Certificates - ESC1 Authentication id: f0306acf-a6ab-437a-bbc6-8628f8d5c97e -version: '4' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Steven Dick status: production type: TTP 
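Review bot: in the `rba` block of the @@ -22,48 +49,42 hunk above (the ESC1 detection whose message is `Possible AD CS ESC1 activity by $src_user$ - $flavor_text$`), `src_user` changes role: the removed `observable` entry marked it `Attacker`, while the new block scores it as a `user` risk object at 60 and leaves `threat_objects: []`. The message still treats that account as the actor, so either this is a deliberate choice to accumulate risk on the requesting account, which the commit message should say, or `src_user` belongs under `threat_objects`. In either case `RequestId` is among the removed `required_fields`, so a threat object built from the request id (the ESC1 Authentication detection below maps `ssl_serial` to `certificate_serial`) would give analysts the pivot the `how_to_implement` throttling advice assumes.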
@@ -16,22 +16,24 @@ description: The following analytic detects when a suspicious certificate with a data_source: - Windows Event Log Security 4887 - Windows Event Log Security 4768 -search: '`wineventlog_security` EventCode IN (4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" - | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name - values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) +search: "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"\ + *CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime + values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes - "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" - | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 - field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" - | rename Attributes as object_attrs, EventCode as signature_id, name as signature, - RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | - join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename - TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user - ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), - risk_score = 90 | eval flavor_text = case(signature_id=="4887", "User account [".''user''."] - authenticated after a suspicious certificate was issued for it by [".''src_user''."] - using certificate request ID: ".''ssl_serial'') | fields - req_* auth_* | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | 
`windows_steal_authentication_certificates___esc1_authentication_filter`' + \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\\ + r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\"\ + \ | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | + rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes + as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, + Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2))\ + \ | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* + | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | + fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), + dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval + flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated + after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate + request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`" how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. 
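Review bot: the `rex` patterns in the re-quoted `search` of the @@ -16,22 +16,24 hunk show their named groups as `(?[^\\r\\n]+)`, i.e. with no group name, while the later `eval user = lower(coalesce(req_user_1,req_user_2))`, `coalesce(auth_src,req_src)` and `coalesce(auth_dest,req_dest_1,req_dest_2)` depend on groups named `req_user_1`, `req_user_2`, `req_src`, `req_dest_1` and `req_dest_2`. If the names are only missing in this rendering, fine; if they were lost when the scalar was converted from single to double quotes, the search fails at parse time. The switch to a double-quoted YAML scalar also doubles every backslash (`\\r\\n`, and eight backslashes for the `Requester` domain-prefix match `(.+\\\\\\\\)?`) and relies on `\"\` line-continuation escapes, all of which are easy to get subtly wrong, so run the search against the listed attack_data (`certify_esc1_abuse_winsecurity.log`) before merging rather than trusting a YAML lint. The `''user''`, `''src_user''` and `''ssl_serial''` to `'user'`, `'src_user'` and `'ssl_serial'` conversions are correct for the quoting change.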
@@ -58,62 +60,43 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible AD CS ESC1 authentication on $dest$ + risk_objects: + - field: src + type: system + score: 90 + - field: dest + type: system + score: 90 + - field: src_user + type: user + score: 90 + - field: user + type: user + score: 90 + threat_objects: + - field: ssl_hash + type: tls_hash + - field: ssl_serial + type: certificate_serial tags: analytic_story: - Windows Certificate Services - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 100 - message: Possible AD CS ESC1 authentication on $dest$ mitre_attack_id: - T1649 - T1550 - observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: src_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim - - name: ssl_hash - type: Other - role: - - Attacker - - name: ssl_serial - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Attributes - - Computer - - EventCode - - Requester - - RequestId - - TargetUserName - - Computer - - IpAddress - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true 
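Review bot: in the `threat_objects` of the @@ -58,62 +60,43 hunk, `ssl_hash` is typed `tls_hash`, but the search above fills `ssl_hash` with `values(SubjectKeyIdentifier)`, which is the certificate's subject key identifier extension rather than a certificate thumbprint; an analyst pivoting on a `tls_hash` threat object will expect a SHA-1 or SHA-256 hash and get no matches against other sources. Either derive the field from an actual thumbprint, rename it to reflect its content, or state the mapping in `how_to_implement`. The four risk objects at score 90 mirror the previous four `Victim` observables under `risk_score: 90`, and dropping `required_fields` also removes the duplicated `Computer` entry, so nothing else in this hunk needs changing.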
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml index a4360ac56e..8185750b89 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml 
@@ -1,16 +1,28 @@ name: Windows Steal Authentication Certificates Certificate Issued id: 9b1a5385-0c31-4c39-9753-dc26b8ce64c2 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation. +description: The following analytic identifies the issuance of a new certificate by + Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester + user context, DNS hostname of the requesting machine, and the request time. Monitoring + this activity is crucial as it can indicate potential misuse of authentication certificates. + If confirmed malicious, an attacker could use the issued certificate to impersonate + users, escalate privileges, or maintain persistence within the environment. This + detection helps in identifying and correlating suspicious certificate-related activities + for further investigation. 
data_source: - Windows Event Log Security 4887 -search: '`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`' -how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -known_false_positives: False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. +search: '`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime + max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`' +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled + on AD CS and within Group Policy Management for CS server. See Page 115 of first + reference. +known_false_positives: False positives will be generated based on normal certificates + issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: 
@@ -19,40 +31,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A certificate was issued to $dest$. + risk_objects: + - field: dest + type: system + score: 8 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 80 - impact: 10 - message: A certificate was issued to $dest$. 
mitre_attack_id: - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - name - - Requester - - action - - Attributes - risk_score: 8 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml index 189ba19231..a36d244b26 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml 
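Review bot: the `rba.message` in the @@ -19,40 +31,36 hunk of windows_steal_authentication_certificates_certificate_issued.yml reads `A certificate was issued to $dest$.`, but `dest` is the host that logged Event ID 4887, i.e. the CA itself, while the party the certificate was issued to is the `Requester` the search groups by. Suggest `A certificate was issued by $dest$ to $Requester$.`, and since the description says the event carries the requester user context, consider a second risk object for the requester so that repeated issuance to one account accumulates risk on that account rather than only on the CA server.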
@@ -1,16 +1,28 @@ name: Windows Steal Authentication Certificates Certificate Request id: 747d7800-2eaa-422d-b994-04d8bb9e06d0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents. +description: The following analytic detects when a new certificate is requested from + Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a + certificate request has been received. This activity is significant because unauthorized + certificate requests can be part of credential theft or lateral movement tactics. + If confirmed malicious, an attacker could use the certificate to impersonate users, + gain unauthorized access to resources, or establish persistent access within the + environment. Monitoring and correlating this event with other suspicious activities + is crucial for identifying potential security incidents. 
data_source: - Windows Event Log Security 4886 -search: '`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`' -how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -known_false_positives: False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. +search: '`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime + max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`' +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled + on AD CS and within Group Policy Management for CS server. See Page 115 of first + reference. +known_false_positives: False positives will be generated based on normal certificate + requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: 
@@ -19,40 +31,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A certificate was requested by $dest$. + risk_objects: + - field: dest + type: system + score: 8 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 80 - impact: 10 - message: A certificate was requested by $dest$. 
mitre_attack_id: - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - name - - Requester - - action - - Attributes - risk_score: 8 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml index d1c21690df..9e7ceb2759 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml 
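Review bot: the `rba.message` in the @@ -19,40 +31,36 hunk of windows_steal_authentication_certificates_certificate_request.yml, `A certificate was requested by $dest$.`, names the CA host as the requester: Event ID 4886 is logged on the CA, so `dest` is where the request was received, and the actual requester is the `Requester` field the search already groups by. Suggest `A certificate was requested from $dest$ by $Requester$.` so the risk notable does not mislead triage.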
@@ -1,18 +1,40 @@ name: Windows Steal Authentication Certificates CertUtil Backup id: bac85b56-0b65-4ce5-aad5-d94880df0967 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches. +description: The following analytic detects CertUtil.exe performing a backup of the + Certificate Store. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific command-line executions involving CertUtil with backup + parameters. This activity is significant because it may indicate an attempt to steal + authentication certificates, which are critical for secure communications. If confirmed + malicious, an attacker could use the stolen certificates to impersonate users, decrypt + sensitive data, or gain unauthorized access to systems, leading to severe security + breaches. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process + IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be generated based on normal certificate + store backups. Leave enabled to generate Risk, as this is meant to be an anomaly + analytic. If CS backups are not normal, enable as TTP. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: 
@@ -21,58 +43,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to backup the Certificate Store. + risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 80 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store. 
mitre_attack_id: - T1649 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml index f9f54089c2..ab1ec9387f 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml 
@@ -1,16 +1,29 @@ name: Windows Steal Authentication Certificates CryptoAPI id: 905d5692-6d7c-432f-bc7e-a6b4f464d40e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security. +description: The following analytic detects the extraction of authentication certificates + using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is + generated when a certificate's private key is acquired. This detection is significant + because it can identify potential misuse of certificates, such as those extracted + by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could + allow attackers to impersonate users, escalate privileges, or access sensitive information, + posing a severe risk to the organization's security. data_source: - Windows Event Log CAPI2 70 -search: '`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`' -how_to_implement: To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. 
Review the following gist for additional enabling information. -known_false_positives: False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed. +search: '`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) + as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer + as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `windows_steal_authentication_certificates_cryptoapi_filter`' +how_to_implement: To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational + log within the Windows Event Log. Note this is a debug log for many purposes, and + the analytic only focuses in on EventID 70. Review the following gist for additional + enabling information. +known_false_positives: False positives may be present in some instances of legitimate + applications requiring to export certificates. Filter as needed. references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10) drilldown_searches: 
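Review bot: `how_to_implement` in the @@ -1,16 +1,29 hunk of windows_steal_authentication_certificates_cryptoapi.yml still says `Review the following gist for additional enabling information`, but the only entry under `references` is the Microsoft CAPI2 page, so the sentence points at nothing; add the gist URL to `references` or drop the sentence (`focuses in on` also reads better as `focuses on`). Separately, the search runs `xmlkv UserData_Xml` and then groups by `Computer, UserData_Xml`, so the fields xmlkv extracts never reach the output and every distinct XML blob becomes its own row with `count` of 1; grouping by the extracted fields instead would make the aggregation meaningful and the results readable.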
@@ -19,37 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Certificates were exported via the CryptoAPI 2 on $dest$. + risk_objects: + - field: dest + type: system + score: 24 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 80 - impact: 30 - message: Certificates were exported via the CryptoAPI 2 on $dest$. 
mitre_attack_id: - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Computer - - UserData_Xml - risk_score: 24 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml index 4de9440ec6..c1465d098d 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml 
@@ -1,16 +1,29 @@ name: Windows Steal Authentication Certificates CS Backup id: a2f4cc7f-6503-4078-b206-f83a29f408a7 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment. +description: The following analytic identifies the backup of the Active Directory + Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged + when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB + command. Monitoring this activity is crucial as unauthorized backups can indicate + an attempt to steal authentication certificates, which are critical for secure communications. + If confirmed malicious, this activity could allow an attacker to impersonate users, + escalate privileges, or access sensitive information, severely compromising the + security of the environment. data_source: - Windows Event Log Security 4876 -search: '`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`' -how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. 
See Page 128 of first reference. -known_false_positives: False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. +search: '`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime + max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`' +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled + on AD CS and within Group Policy Management for CS server. See Page 128 of first + reference. +known_false_positives: False positives will be generated based on normal certificate + store backups. Leave enabled to generate Risk, as this is meant to be an anomaly + analytic. If CS backups are not normal, enable as TTP. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: 
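Review bot: since the `search:` scalar is being re-wrapped anyway, normalize the spacing on the new lines: `EventCode=4876| stats` is missing a space before the pipe, and `Caller_Domain ,Caller_User_Name` has the comma on the wrong side of the space, e.g. `by dest, name, action, Caller_Domain, Caller_User_Name`. Neither changes what the search matches, but the rewrap is the moment to fix it rather than carrying it into version 4.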
@@ -19,40 +32,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The Active Directory Certiciate Services was backed up on $dest$. + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: [] tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 80 - impact: 50 - message: The Active Directory Certiciate Services was backed up on $dest$. 
mitre_attack_id: - T1649 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - name - - action - - Caller_Domain - - Caller_User_Name - risk_score: 40 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml index e8c0655a70..af44db774c 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml 
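Review bot: the new `rba.message` line carries the typo `Certiciate` over from the removed `tags.message`; since this string is what analysts see in the risk event, correct it to `The Active Directory Certificate Services was backed up on $dest$.` while the line is being added. `score: 40` matches the removed `risk_score: 40`, so scoring is preserved.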
@@ -1,18 +1,38 @@ name: Windows Steal Authentication Certificates Export Certificate id: e39dc429-c2a5-4f1f-9c3c-6b211af6b332 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data. +description: The following analytic detects the use of the PowerShell cmdlet 'export-certificate' + executed via the command line, indicating an attempt to export a certificate from + the local Windows Certificate Store. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs and command-line + arguments. Exporting certificates is significant as it may indicate credential theft + or preparation for man-in-the-middle attacks. If confirmed malicious, this activity + could allow an attacker to impersonate users, decrypt sensitive communications, + or gain unauthorized access to systems and data. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-certificate*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Filtering may be requried based on automated utilities and third party applications that may export certificates. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-certificate*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Filtering may be requried based on automated utilities and + third party applications that may export certificates. references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps 
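Review bot: `version` jumps from 4 to 6 in this hunk while the CS Backup file in the same patch goes from 3 to 4 for the same migration; unless an intermediate version 5 was published elsewhere, bump to 5 so the version history stays contiguous. The re-wrapped `known_false_positives` line also carries the typo `requried` (`required`) and `third party applications` should be `third-party applications`; fix both on the new lines.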
@@ -22,58 +42,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to export a certificate from the + local Windows Certificate Store. 
+ risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 60 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store. mitre_attack_id: - T1649 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml index d052fdc760..2e01886698 100644 
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml 
@@ -1,18 +1,38 @@ name: Windows Steal Authentication Certificates Export PfxCertificate id: 391329f3-c14b-4b8d-8b37-ac5012637360 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches. +description: The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` + on the command line, indicating an attempt to export a certificate from the local + Windows Certificate Store. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant as it may indicate an attempt to exfiltrate authentication + certificates, which can be used to impersonate users or decrypt sensitive data. + If confirmed malicious, this could lead to unauthorized access and potential data + breaches. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-pfxcertificate*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Filtering may be requried based on automated utilities and third party applications that may export certificates. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-pfxcertificate*" + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Filtering may be requried based on automated utilities and + third party applications that may export certificates. references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps 
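Review bot: `version` goes from 4 to 6 here as well, with no version 5 in between; make it 5 unless a 5 was shipped separately. The new `known_false_positives` line repeats the `requried` typo (`required`); since the line is already being rewritten for folding, fix the spelling at the same time.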
@@ -22,58 +42,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to export a certificate from the + local Windows Certificate Store. 
+ risk_objects: + - field: user + type: user + score: 36 + - field: dest + type: system + score: 36 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows Certificate Services asset_type: Endpoint - confidence: 60 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store. mitre_attack_id: - T1649 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml index 36edb55c16..5e796c0d8b 100644 --- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml 
+++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml 
@@ -1,17 +1,38 @@ name: Windows Steal or Forge Kerberos Tickets Klist id: 09d88404-1e29-46cb-806c-1eedbc85ad5d -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the Windows OS tool klist.exe, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process details. Monitoring klist.exe is significant as it can indicate attempts to list or gather cached Kerberos tickets, which are crucial for lateral movement or privilege escalation. If confirmed malicious, this activity could enable attackers to move laterally within the network or escalate privileges, posing a severe security risk. +description: The following analytic identifies the execution of the Windows OS tool + klist.exe, often used by post-exploitation tools like winpeas. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + parent process details. Monitoring klist.exe is significant as it can indicate attempts + to list or gather cached Kerberos tickets, which are crucial for lateral movement + or privilege escalation. If confirmed malicious, this activity could enable attackers + to move laterally within the network or escalate privileges, posing a severe security + risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="klist.exe" OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe", "powershell*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="klist.exe" + OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe", + "powershell*") by Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process + Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS 
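Review bot: in the re-wrapped `search:`, the filter `Processes.process_name="klist.exe" OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe", "powershell*")` relies on SPL operator precedence to read as `(process_name OR original_file_name) AND parent_process_name IN (...)`; wrap the OR in explicit parentheses, as the SubInAcl search later in this patch already does, so the intent is unambiguous. `known_false_positives: unknown` is unchanged context, but now that the file is re-versioned it would be worth a sentence on expected benign `klist` use by administrators inspecting ticket caches.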
@@ -21,41 +42,17 @@ tags: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: process klist.exe executed in $dest$ mitre_attack_id: - T1558 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_subinacl_execution.yml b/detections/endpoint/windows_subinacl_execution.yml index 85d5ba0aa6..98c369178f 100644 --- a/detections/endpoint/windows_subinacl_execution.yml +++ b/detections/endpoint/windows_subinacl_execution.yml 
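Review bot: no `rba:` block is added in this hunk, which is consistent with `type: Hunting` in the previous hunk (hunting searches do not emit risk), but it means the removed `message: process klist.exe executed in $dest$` and `risk_score: 9` are dropped rather than migrated; confirm that is intended. The `- update_timestamp: true` removal from `tests` also appears here without explanation and should be covered in the PR description.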
@@ -1,18 +1,41 @@ name: Windows SubInAcl Execution id: 12491419-1a6f-4af4-afc3-4e2052f0610e -version: 1 -date: '2024-12-05' +version: 2 +date: '2025-01-07' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the SubInAcl utility. SubInAcl is a legacy Windows Resource Kit tool from the Windows 2003 era, used to manipulate security descriptors of securable objects. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving "SubInAcl.exe" binary. This activity can be significant because the utility should be rarely found on modern Windows machines, which mean any execution could potentially be considered suspicious. If confirmed malicious, this could allow an attacker to blind defenses by tampering with EventLog ACLs or modifying the access to a previously denied resource. +description: The following analytic detects the execution of the SubInAcl utility. + SubInAcl is a legacy Windows Resource Kit tool from the Windows 2003 era, used to + manipulate security descriptors of securable objects. It leverages data from Endpoint + Detection and Response (EDR) agents, specifically searching for any process execution + involving "SubInAcl.exe" binary. This activity can be significant because the utility + should be rarely found on modern Windows machines, which mean any execution could + potentially be considered suspicious. If confirmed malicious, this could allow an + attacker to blind defenses by tampering with EventLog ACLs or modifying the access + to a previously denied resource. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=subinacl.exe OR Processes.original_file_name=SubInAcl.exe) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_subinacl_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=subinacl.exe OR Processes.original_file_name=SubInAcl.exe) + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_subinacl_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process name, and process original file name. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: None identified. Attempts to disable security-related services + should be identified and understood. references: - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - https://attack.mitre.org/techniques/T1222/001/ 
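Review bot: the re-wrapped `description` keeps two grammar slips that are now on `+` lines and can be fixed here: `involving "SubInAcl.exe" binary` should be `involving the "SubInAcl.exe" binary`, and `which mean any execution could` should be `which means any execution could`. Note also `date: '2025-01-07'` here versus `'2024-11-13'` in the other detections in this patch; fine if this file was migrated separately, but worth a line in the PR description.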
@@ -22,53 +45,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 16 + - field: dest + type: system + score: 16 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint - confidence: 40 - impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1222.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml index cbf3b5539a..a9ace2226c 100644 --- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml +++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml 
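Review bot: the new `+  message:` under `+rba:` states that $process_name$ "was identified attempting to disable security services", but the search in the previous hunk has no command-line condition, so the message claims more than was observed; suggest wording it as "SubInAcl execution on endpoint $dest$ by user $user$ (possible SDDL tampering)" or similar. The `score: 16` values are consistent with the removed `confidence: 40` / `impact: 40` / `risk_score: 16`, so no change is needed there.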
@@ -1,76 +1,84 @@ name: Windows Suspect Process With Authentication Traffic id: 953322db-128a-4ce9-8e89-56e039e33d98 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network. +description: The following analytic detects executables running from public or temporary + locations that are communicating over Windows domain authentication ports/protocols + such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic + data to identify processes originating from user-controlled directories. This activity + is significant because legitimate applications rarely run from these locations and + attempt domain authentication, making it a potential indicator of compromise. If + confirmed malicious, attackers could leverage this to access domain resources, potentially + leading to further exploitation and lateral movement within the network. 
data_source: - Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?.*)$" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`' -how_to_implement: To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations. -known_false_positives: Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", + "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by + All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?.*)$" + | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_suspect_process_with_authentication_traffic_filter`' +how_to_implement: To implement this analytic, Sysmon should be installed in the environment + and generating network events for userland and/or known public writable locations. +known_false_positives: Known applications running from these locations for legitimate + purposes. Targeting only kerberos (port 88) may significantly reduce noise. 
references: - https://attack.mitre.org/techniques/T1069/002/ - https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88 drilldown_searches: - name: View the detection results for - "$src$" and "$dest$" - search: '%original_detection_search% | search src = "$src$" dest = "$dest$" user = "$user$"' + search: '%original_detection_search% | search src = "$src$" dest = "$dest$" user + = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The process $process_name$ on $src$ has been communicating with $dest$ + on $dest_port$. 
+ risk_objects: + - field: src + type: system + score: 25 + - field: dest + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 50 - message: The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$. mitre_attack_id: - T1087 - T1087.002 - T1204 - T1204.002 - observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.app - - All_Traffic.src - - All_Traffic.src_ip - - All_Traffic.user - - All_Traffic.dest - - All_Traffic.dest_ip - - All_Traffic.dest_port - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml new file mode 100644 index 0000000000..57257bec13 --- /dev/null +++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml 
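Review bot: the `process_name` field referenced by `+  threat_objects:` and by `$process_name$` in `+  message:` does not appear to be produced by the `+search:` as shown in this hunk: the `rex field=app ".*\\\(?.*)$"` group carries no capture name in the diff, and the following `rename app as process` yields a field called `process`, not `process_name`. Please confirm the rex in the file actually reads `(?<process_name>.*)`; otherwise the threat object and the risk message will be empty on every event.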
@@ -0,0 +1,103 @@ +name: Windows Suspicious Child Process Spawned From WebServer +id: 2d4470ef-7158-4b47-b68b-1f7f16382156 +version: 1 +date: '2025-01-13' +author: Steven Dick +status: production +type: TTP +description: The following analytic identifies the execution of suspicious processes + typically associated with WebShell activity on web servers. It detects when processes + like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes + such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate + an adversary exploiting a web application vulnerability to install a WebShell, providing + persistent access and command execution capabilities. If confirmed malicious, this + activity could allow attackers to maintain control over the compromised server, + execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive + data. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN + ("arp.exe","at.exe","bash.exe","bitsadmin.exe","certutil.exe","cmd.exe","cscript.exe", + "dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","ksh.exe","nbstat.exe", + "net.exe","net1.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","pathping.exe", + "ping.exe","powershell.exe","pwsh.exe","qprocess.exe","query.exe","qwinsta.exe","reg.exe","rundll32.exe","sc.exe", + "scrcons.exe","schtasks.exe","sh.exe","systeminfo.exe","tasklist.exe","tracert.exe","ver.exe","vssadmin.exe", + "wevtutil.exe","whoami.exe","wmic.exe","wscript.exe","wusa.exe","zsh.exe") AND Processes.parent_process_name + IN ("w3wp.exe", "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe","tomcat*.exe")) + by 
Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_suspicious_child_process_spawned_from_webserver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate OS functions called by vendor applications, baseline + the environment and filter before enabling. 
Recommend throttle by dest/process_name +references: +- https://attack.mitre.org/techniques/T1505/003/ +- https://github.com/nsacyber/Mitigating-Web-Shells +- https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ + on $dest$. 
+ risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - ProxyNotShell + - CISA AA22-257A + - HAFNIUM Group + - Citrix ShareFile RCE CVE-2023-24489 + - ProxyShell + - Flax Typhoon + - CISA AA22-264A + - SysAid On-Prem Software CVE-2023-47246 Vulnerability + - Compromised Windows Host + - WS FTP Server Critical Vulnerabilities + - BlackByte Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1505 + - T1505.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 8135f42b56..318fc412e7 100644 --- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml @@ -1,7 +1,7 @@ name: Windows System Binary Proxy Execution Compiled HTML File Decompile id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
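Review bot: in the new file, `+how_to_implement:` says the logs must contain the process GUID, but the `+search:` never references `Processes.process_guid`; either drop that requirement or add `Processes.process_guid` and `Processes.process_id` to the `by` clause so an analyst can pivot from a score-80 TTP notable to the full process tree. Minor: in the parent list `"php-cgi*.exe"` is already covered by `"php*.exe"`, and the child list includes very common utilities (`find.exe`, `findstr.exe`, `hostname.exe`, `ver.exe`), so the baseline-first advice in `+known_false_positives:` is important enough to be stated in the description as well.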
@@ -51,55 +51,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $process_name$ has been identified using decompile against a CHM on $dest$ + under user $user$. + risk_objects: + - field: user + type: user + score: 90 + - field: dest + type: system + score: 90 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Suspicious Compiled HTML Activity - Living Off The Land - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 100 - message: $process_name$ has been identified using decompile against a CHM on $dest$ - under user $user$. mitre_attack_id: - T1218.001 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true 
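Review bot: `- update_timestamp: true` is removed from the test entry here (and in the other detections in this change) with no replacement; if the test harness no longer rewrites the replayed events' timestamps into the search window, confirm the unit test's time range still covers the dataset, otherwise the True Positive Test runs against no events. The `+rba:` scores (90) match the removed `confidence: 90` / `impact: 100` / `risk_score: 90`, so that part is consistent.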
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml index bbc7a524b2..9fcc8dd10c 100644 --- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml +++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml 
@@ -1,18 +1,40 @@ name: Windows System Discovery Using ldap Nslookup id: 2418780f-7c3e-4c45-b8b4-996ea850cd49 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of nslookup.exe to query domain information using LDAP. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as nslookup.exe can be abused by malware like Qakbot to gather critical domain details, such as SRV records and server names. If confirmed malicious, this behavior could allow attackers to map the network, identify key servers, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network. +description: The following analytic detects the execution of nslookup.exe to query + domain information using LDAP. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line arguments. This activity + is significant as nslookup.exe can be abused by malware like Qakbot to gather critical + domain details, such as SRV records and server names. If confirmed malicious, this + behavior could allow attackers to map the network, identify key servers, and plan + further attacks, potentially leading to data exfiltration or lateral movement within + the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "nslookup.exe" OR Processes.original_file_name = "nslookup.exe") AND Processes.process = "*_ldap._tcp.dc._msdcs*" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: dministrator may execute this commandline tool for auditing purposes. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "nslookup.exe" + OR Processes.original_file_name = "nslookup.exe") AND Processes.process = "*_ldap._tcp.dc._msdcs*" + by Processes.parent_process Processes.parent_process_name Processes.process_name + Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest + Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: dministrator may execute this commandline tool for auditing + purposes. Filter as needed. references: - https://securelist.com/qakbot-technical-analysis/103931/ - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created 
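Review bot: the reflowed `+known_false_positives:` line carries over the typo "dministrator may execute this commandline tool"; since the line is being touched anyway, change it to "Administrator may execute this command-line tool for auditing purposes. Filter as needed." (the qwinsta detection later in this change already has the correct spelling).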
@@ -22,46 +44,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: System nslookup domain discovery on $dest$ + risk_objects: + - field: dest + type: system + score: 1 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 10 - impact: 10 - message: System nslookup domain discovery on $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - 
Processes.parent_process_id - risk_score: 1 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml index 1b680dd7f2..0d47721044 100644 --- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml +++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml 
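Review bot: `+  threat_objects: []` leaves this detection without a threat object even though the `by` clause in the previous hunk exposes `Processes.process_name` and `Processes.parent_process_name`; for consistency with the other detections in this change, consider `- field: process_name` / `type: process_name` so the risk event records what spawned the `_ldap._tcp.dc._msdcs` lookup. The `score: 1` matches the removed `confidence: 10` / `impact: 10` / `risk_score: 1`.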
@@ -1,18 +1,40 @@ name: Windows System Discovery Using Qwinsta id: 2e765c1b-144a-49f0-93d0-1df4287cca04 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of "qwinsta.exe" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The "qwinsta.exe" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host. +description: The following analytic detects the execution of "qwinsta.exe" on a Windows + operating system. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. The "qwinsta.exe" tool is significant + because it can display detailed session information on a remote desktop session + host server. This behavior is noteworthy as it is commonly abused by Qakbot malware + to gather system information and send it back to its Command and Control (C2) server. + If confirmed malicious, this activity could lead to unauthorized data exfiltration + and further compromise of the host. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "qwinsta.exe" OR Processes.original_file_name = "qwinsta.exe" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator may execute this commandline tool for auditing purposes. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "qwinsta.exe" + OR Processes.original_file_name = "qwinsta.exe" by Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process_id Processes.process_guid Processes.process + Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `windows_system_discovery_using_qwinsta_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator may execute this commandline tool for auditing + purposes. Filter as needed. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta - https://securelist.com/qakbot-technical-analysis/103931/ 
@@ -20,39 +42,17 @@ tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 50 - impact: 50 - message: System qwinsta domain discovery on $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml index 5208b98aba..8550359fdd 100644 --- a/detections/endpoint/windows_system_file_on_disk.yml +++ b/detections/endpoint/windows_system_file_on_disk.yml 
@@ -1,54 +1,50 @@ name: Windows System File on Disk id: 993ce99d-9cdd-42c7-a2cf-733d5954e5a6 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms. +description: The following analytic detects the creation of new .sys files on disk. + It leverages the Endpoint.Filesystem data model to identify and log instances where + .sys files are written to the filesystem. This activity is significant because .sys + files are often used as kernel mode drivers, and their unauthorized creation can + indicate malicious activity such as rootkit installation. If confirmed malicious, + this could allow an attacker to gain kernel-level access, leading to full system + compromise, persistent control, and the ability to bypass security mechanisms. 
data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). This will level out the noise generated to potentally lead to generating notables. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" + by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name + Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. + In addition, confirm the latest CIM App 4.20 or higher is installed and the latest + TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path + IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). 
+ This will level out the noise generated to potentally lead to generating findings. known_false_positives: False positives will be present. Filter as needed. references: - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ tags: analytic_story: - - Windows Drivers - CISA AA22-264A + - Windows Drivers + - Crypto Stealer asset_type: Endpoint - confidence: 50 - impact: 20 - message: A new driver is present on $dest$. mitre_attack_id: - T1068 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index f87ed554a7..32c5a3eb5a 100644 --- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml 
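Review bot: the rewritten `how_to_implement` line still carries the typo "potentally" (`+ This will level out the noise generated to potentally lead to generating findings.`); since the line is being touched anyway, correct it to "potentially". Separately, the pattern `Filesystem.file_name="*.sys*"` has a trailing wildcard, so it also matches any file name that merely contains ".sys" (a `.system` or `.sysconfig` suffix, for example) rather than only `.sys` driver files as the description states; `"*.sys"` would match the stated intent and reduce the noise the text already says needs filtering.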
@@ -1,18 +1,41 @@ name: Windows System LogOff Commandline id: 74a8133f-93e7-4b71-9bd3-13a66124fd57 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the Windows command line to log off a host machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. This activity is significant as it is often associated with Advanced Persistent Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts. +description: The following analytic detects the execution of the Windows command line + to log off a host machine. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. + This activity is significant as it is often associated with Advanced Persistent + Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique + to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed + malicious, this could lead to system downtime, data loss, or hindered incident response + efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) + Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process + IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator may execute this commandline to trigger shutdown, + logoff or restart the host machine. references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor 
@@ -22,47 +45,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name $process_name$ is seen to execute logoff commandline on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - DarkCrystal RAT - NjRAT asset_type: Endpoint - confidence: 80 - impact: 70 - message: Process name $process_name$ is seen to execute logoff commandline on $dest$ mitre_attack_id: - T1529 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml index 6d03253ec1..f81dd661ac 100644 --- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml +++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml 
@@ -1,17 +1,38 @@ name: Windows System Network Config Discovery Display DNS id: e24f0a0e-41a9-419f-9999-eacab15efc36 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of the "ipconfig /displaydns" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement. +description: The following analytic identifies the execution of the "ipconfig /displaydns" + command, which retrieves DNS reply information using the built-in Windows tool IPConfig. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. Monitoring this activity is significant + as threat actors and post-exploitation tools like WINPEAS often abuse this command + to gather network information. If confirmed malicious, this activity could allow + attackers to map the network, identify DNS servers, and potentially facilitate further + network-based attacks or lateral movement. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="ipconfig.exe" OR Processes.original_file_name = "ipconfig.exe" AND Processes.process = "*/displaydns*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="ipconfig.exe" + OR Processes.original_file_name = "ipconfig.exe" AND Processes.process = "*/displaydns*" + by Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns 
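Review bot: the `where` clause `Processes.process_name="ipconfig.exe" OR Processes.original_file_name = "ipconfig.exe" AND Processes.process = "*/displaydns*"` has no parentheses, and SPL binds AND tighter than OR, so the search matches every `ipconfig.exe` execution by process_name regardless of the `/displaydns` argument; the `/displaydns` condition only constrains the `original_file_name` branch. Wrap the two name checks so the argument check applies to both: `where (Processes.process_name="ipconfig.exe" OR Processes.original_file_name = "ipconfig.exe") AND Processes.process = "*/displaydns*"`. The reflow preserved this rather than introducing it, but the lines are being rewritten anyway and the description promises a `/displaydns`-specific detection.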
@@ -23,49 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ with commandline $process$ is executed on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: process $process_name$ with commandline $process$ is executed in $dest$ mitre_attack_id: - T1016 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - 
Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index a299267b23..b2fab9afe0 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml 
@@ -1,17 +1,38 @@ name: Windows System Network Connections Discovery Netsh id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover firewall settings. If confirmed malicious, this activity could allow attackers to manipulate firewall configurations, potentially leading to unauthorized network access or data exfiltration. +description: The following analytic detects the execution of the Windows built-in + tool netsh.exe to display the state, configuration, and profile of the host firewall. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions and process metadata. Monitoring this activity + is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover + firewall settings. If confirmed malicious, this activity could allow attackers to + manipulate firewall configurations, potentially leading to unauthorized network + access or data exfiltration. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = "* show *" Processes.process IN ("*state*", "*config*", "*wlan*", "*profile*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process + = "* show *" Processes.process IN ("*state*", "*config*", "*wlan*", "*profile*") + by Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: network administrator can use this tool for auditing process. references: - https://attack.mitre.org/techniques/T1049/ 
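Review bot: in the rewritten search the macro reference `process_netsh` is immediately followed by `AND` with no whitespace (`where \`process_netsh\`AND Processes.process`), and the new line break placed right after the macro makes that gap easy to miss; insert a space so the expanded macro text is not glued to the operator. Also, `known_false_positives` reads "network administrator can use this tool for auditing process." and should be "Network administrators may use this tool for auditing purposes."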
@@ -23,50 +44,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: netsh process with command line $process$ on $dest$ + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware - Snake Keylogger asset_type: Endpoint - confidence: 30 - impact: 30 - message: netsh process with command line $process$ in $dest$ mitre_attack_id: - T1049 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index 875b57a13d..5826ccaf01 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml 
@@ -1,18 +1,41 @@ name: Windows System Reboot CommandLine id: 97fc2b60-c8eb-4711-93f7-d26fade3686f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of the Windows command line to reboot a host machine using "shutdown.exe" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts. +description: The following analytic identifies the execution of the Windows command + line to reboot a host machine using "shutdown.exe" with specific parameters. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. This activity is significant as it + is often associated with advanced persistent threats (APTs) and remote access trojans + (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system + destruction, or inhibit recovery. If confirmed malicious, this could lead to system + downtime, data loss, or hindered incident response efforts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator may execute this commandline to trigger shutdown or restart the host machine. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) + Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process + IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator may execute this commandline to trigger shutdown + or restart the host machine. references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor 
@@ -22,9 +45,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process $process_name$ that executed reboot via commandline on $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: [] tags: analytic_story: - DarkCrystal RAT 
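Review bot: the new rba block sets `threat_objects: []` although `message` interpolates `$process_name$`, which the search already carries in its `by` clause; add `- field: process_name` / `type: process_name` so the risk event records the process as a threat object, as the syncappvpublishingserver and query detections in this same patch do. The same gap is in the rba blocks added to windows_system_shutdown_commandline.yml and windows_system_time_discovery_w32tm_delay.yml further down. The score of 30 matches the `risk_score` removed from `tags`, so the risk contribution itself is unchanged.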
@@ -32,39 +67,17 @@ tags: - DarkGate Malware - MoonPeak asset_type: Endpoint - confidence: 50 - impact: 60 - message: Process $process_name$ that executed reboot via commandline on $dest$ mitre_attack_id: - T1529 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml new file mode 100644 index 0000000000..58b97c3df7 --- /dev/null +++ b/detections/endpoint/windows_system_remote_discovery_with_query.yml 
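Review bot: in the `tests` block that closes the windows_system_reboot_commandline.yml hunk above, `update_timestamp: true` is dropped with no replacement; if the test harness now defaults to re-timestamping replayed data, say so in the PR description, otherwise the sysmon.log events keep their original timestamps and may land outside the search window of the True Positive Test. The same removal appears in every other updated detection in this patch. Removing `required_fields`, `observable`, `confidence`, `impact` and `risk_score` together is consistent with the move to the rba block.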
@@ -0,0 +1,64 @@ +name: Windows System Remote Discovery With Query +id: 94859172-a521-474f-97ac-4cf4b09634a3 +version: 1 +date: '2025-02-05' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering data on remote devices. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify various details about a system, aiding in further lateral movement and privilege escalation within the network. +data_source: +- Sysmon Event ID 1 +- Windows Security Event ID 4688 +- CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` values(Processes.process_current_directory) as Processes.process_current_directory values(Processes.process_id) as Processes.process_id values(Processes.process) as Processes.process values(Processes.parent_process_id) as Processes.parent_process_id values(Processes.parent_process) as Processes.parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe" OR Processes.original_file_name="query.exe") AND (Processes.process="*/server*") AND NOT Processes.process IN ("*/server:localhost*", "*/server:127.0.0.1*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_system_remote_discovery_with_query_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://attack.mitre.org/techniques/T1033/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate processes on $dest$ + search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name|s$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ ran the Query command to enumerate the remote system $dest$ + risk_objects: + - field: user + type: user + score: 
25 + - field: dest + type: system + score: 25 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + mitre_attack_id: + - T1033 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml index 4631f15c22..151b86c366 100644 --- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml +++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml 
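Review bot: the `data_source` entries in the new windows_system_remote_discovery_with_query.yml read `Sysmon Event ID 1` and `Windows Security Event ID 4688`, while every other detection in this patch uses `Sysmon EventID 1` and `Windows Event Log Security 4688`; align them so data-source lookups and generated documentation stay consistent. Two smaller points: the exclusion `NOT Processes.process IN ("*/server:localhost*", "*/server:127.0.0.1*")` does not cover a query aimed at the host's own name, so some self-targeted noise is expected and belongs under `known_false_positives`; and the `date: '2025-02-05'` sits next to `2024-11-13` in the sibling files, worth confirming it is intentional.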
@@ -1,18 +1,40 @@ name: Windows System Script Proxy Execution Syncappvpublishingserver id: 8dd73f89-682d-444c-8b41-8e679966ad3c -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk. +description: The following analytic detects the execution of Syncappvpublishingserver.vbs + via wscript.exe or cscript.exe, which may indicate an attempt to download remote + files or perform privilege escalation. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. Monitoring this activity is crucial as it can signify malicious use + of a native Windows script for unauthorized actions. If confirmed malicious, this + behavior could lead to unauthorized file downloads or elevated privileges, posing + a significant security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe") Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe") + Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if the vbscript syncappvpublishingserver + is used for legitimate purposes. Filter as needed. Adding a n; to the command-line + arguments may help reduce any noise. references: - https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution 
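Review bot: `version` jumps from 4 to 6 while the other detections in this patch bump by one (windows_system_shutdown_commandline.yml 4 to 5, w32tm_delay 3 to 4); confirm that 5 was not skipped by accident. While `known_false_positives` is being reflowed anyway, the sentence `Adding a n; to the command-line arguments may help reduce any noise` is hard to follow; naming the argument pattern the filter macro should match would make the tuning advice usable.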
@@ -22,59 +44,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download files or evade critical + controls. + risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Living Off The Land asset_type: Endpoint - confidence: 50 - impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls. 
mitre_attack_id: - T1216 - T1218 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index 3a5a4d3c45..67eee645fd 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml 
@@ -1,18 +1,40 @@ name: Windows System Shutdown CommandLine id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of the Windows shutdown command via the command line interface. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because attackers may use the shutdown command to erase tracks, cause disruption, or ensure changes take effect after installing backdoors. If confirmed malicious, this activity could lead to system downtime, denial of service, or evasion of security tools, impacting the overall security posture of the network. +description: The following analytic identifies the execution of the Windows shutdown + command via the command line interface. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line arguments. + This activity is significant because attackers may use the shutdown command to erase + tracks, cause disruption, or ensure changes take effect after installing backdoors. + If confirmed malicious, this activity could lead to system downtime, denial of service, + or evasion of security tools, impacting the overall security posture of the network. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrator may execute this commandline to trigger shutdown or restart the host machine. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) + Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process + IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrator may execute this commandline to trigger shutdown + or restart the host machine. references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor 
@@ -22,9 +44,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process $process_name$ seen to execute shutdown via commandline on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - DarkCrystal RAT 
@@ -33,39 +67,17 @@ tags: - DarkGate Malware - MoonPeak asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process $process_name$ seen to execute shutdown via commandline on $dest$ mitre_attack_id: - T1529 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml index eb3ffe0ab1..261aea1c1d 100644 --- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml +++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml 
@@ -1,17 +1,39 @@ name: Windows System Time Discovery W32tm Delay id: b2cc69e7-11ba-42dc-a269-59c069a48870 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the use of the w32tm.exe utility with the /stripchart function, which is indicative of DCRat malware delaying its payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments used by w32tm.exe. This activity is significant as it may indicate an attempt to evade detection by delaying malicious actions such as C2 communication and beaconing. If confirmed malicious, this behavior could allow an attacker to maintain persistence and execute further malicious activities undetected. +description: The following analytic identifies the use of the w32tm.exe utility with + the /stripchart function, which is indicative of DCRat malware delaying its payload + execution. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific command-line arguments used by w32tm.exe. This activity + is significant as it may indicate an attempt to evade detection by delaying malicious + actions such as C2 communication and beaconing. If confirmed malicious, this behavior + could allow an attacker to maintain persistence and execute further malicious activities + undetected. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= "* /stripchart *" Processes.process= "* /computer:localhost *" Processes.process= "* /period:*" Processes.process= "* /dataonly *" Processes.process= "* /samples:*" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = w32tm.exe Processes.process= "* /stripchart *" Processes.process= + "* /computer:localhost *" Processes.process= "* /period:*" Processes.process= "* + /dataonly *" Processes.process= "* /samples:*" by Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://cert.gov.ua/article/405538 
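Review bot: the reflowed search breaks a line inside a quoted SPL literal: `Processes.process= "*` ends one line and `/dataonly *"` starts the next. YAML folds that line break inside a single-quoted scalar into one space, so the pattern still evaluates to `"* /dataonly *"`, but it is fragile under re-indentation and hard to review; keep each quoted wildcard on a single line, as the other reflowed searches in this patch do.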
@@ -23,46 +45,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Process name w32tm.exe is using suspcicious command line arguments $process$ + on host $dest$. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - DarkCrystal RAT asset_type: Endpoint - confidence: 60 - impact: 60 - message: Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$. 
mitre_attack_id: - T1124 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml index acac29b5ee..4febcf1910 100644 --- a/detections/endpoint/windows_system_user_discovery_via_quser.yml +++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml 
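Review bot: the new `rba.message` carries over the typo `suspcicious` from the `tags.message` line it replaces; correct it to `suspicious` before it surfaces in risk events. `threat_objects: []` is set although the message interpolates `$process$` and the `by` clause includes `process_name`; a `process_name` threat object would let the risk event carry the process.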
@@ -1,62 +1,61 @@ name: Windows System User Discovery Via Quser id: 0c3f3e09-e47a-410e-856f-a02a5c5fafb0 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges. +description: The following analytic detects the execution of the Windows OS tool quser.exe, + commonly used to gather information about user sessions on a Remote Desktop Session + Host server. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial + as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware + attacks to enumerate user sessions. If confirmed malicious, attackers could leverage + this information to further compromise the system, maintain persistence, or escalate + privileges. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network administrator can use this command tool to audit RDP access of user in specific network or host. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" + OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_system_user_discovery_via_quser_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to audit RDP + access of user in specific network or host. 
references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ tags: analytic_story: - - Windows Post-Exploitation - Prestige Ransomware + - Crypto Stealer + - Windows Post-Exploitation asset_type: Endpoint - confidence: 30 - impact: 30 - message: execution of process $process_name$ in $dest$ mitre_attack_id: - T1033 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml index b2bd517595..fd3d9d521b 100644 --- a/detections/endpoint/windows_system_user_privilege_discovery.yml +++ b/detections/endpoint/windows_system_user_privilege_discovery.yml 
@@ -1,7 +1,7 @@ name: Windows System User Privilege Discovery id: 8c9a06bc-9939-4425-9bb9-be2371f7fb7e -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting 
@@ -9,10 +9,30 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-known_false_positives: Administrators or power users may use this command for troubleshooting. Filter as needed. +description: The following analytic detects the execution of `whoami.exe` with the + `/priv` parameter, which displays the privileges assigned to the current user account. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line executions. This activity is significant as it may + indicate an adversary attempting to enumerate user privileges, a common step in + the reconnaissance phase of an attack. If confirmed malicious, this could lead to + privilege escalation or further exploitation within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" + Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_system_user_privilege_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. 
+known_false_positives: Administrators or power users may use this command for troubleshooting. + Filter as needed. references: - https://attack.mitre.org/techniques/T1033/ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a @@ -20,38 +40,17 @@ tags: analytic_story: - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 30 - message: Activity related to system user privilege discovery detected on $dest$ using whoami.exe. mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 15 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml index 985833bc3c..1010e55878 100644 --- a/detections/endpoint/windows_terminating_lsass_process.yml +++ b/detections/endpoint/windows_terminating_lsass_process.yml 
@@ -1,15 +1,31 @@ name: Windows Terminating Lsass Process id: 7ab3c319-a4e7-4211-9e8c-40a049d0dba6 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment. +description: The following analytic detects a suspicious process attempting to terminate + the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes + granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because + Lsass.exe is a critical process responsible for enforcing security policies and + handling user credentials. If confirmed malicious, this behavior could indicate + an attempt to perform credential dumping, privilege escalation, or evasion of security + policies, potentially leading to unauthorized access and persistence within the + environment. data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`' -how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. 
This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. +search: '`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats + count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, + TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_terminating_lsass_process_filter`' +how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which + includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. known_false_positives: unknown references: - https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html 
@@ -19,48 +35,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process $SourceImage$ terminates Lsass process on $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: TargetImage + type: process tags: analytic_story: - Data Destruction - Double Zero Destructor asset_type: Endpoint - confidence: 80 - impact: 80 - message: a process $SourceImage$ terminates Lsass process in $dest$ mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: TargetImage - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetImage - - CallTrace - - dest - - TargetProcessId - - SourceImage - - SourceProcessId - - 
GrantedAccess - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index b679af1524..a6e2eda7af 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -1,7 +1,7 @@ name: Windows Time Based Evasion id: 34502357-deb1-499a-8261-ffe144abf561 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,9 +9,29 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "ping 0 -n". This behavior is significant as it is commonly used by malware like NJRAT to introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "ping.exe" Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+description: The following analytic detects potentially malicious processes that initiate + a ping delay using an invalid IP address. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving "ping 0 + -n". This behavior is significant as it is commonly used by malware like NJRAT to + introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed + malicious, this activity could indicate an active infection attempting to evade + detection, potentially leading to further compromise and persistence within the + environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "ping.exe" + Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *" + by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid + Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. 
known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat 
@@ -21,43 +41,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A $process_name$ did a suspicious ping to invalid IP address on $dest$ + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: [] tags: analytic_story: - NjRAT asset_type: Endpoint - confidence: 60 - impact: 60 - message: A $process_name$ did a suspicious ping to invalid IP address on $dest$ mitre_attack_id: - T1497 - T1497.003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 36 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/ping_0.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/ping_0.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml index cf6fb82dc2..69fcad7d31 100644 --- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml +++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml @@ -1,7 +1,7 @@ name: Windows Time Based Evasion via Choice Exec id: d5f54b38-10bf-4b3a-b6fc-85949862ed50 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of choice.exe in batch files as a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential time-based evasion techniques used by malware to avoid detection. If confirmed malicious, this behavior could allow attackers to execute code stealthily, delete malicious files, and persist on compromised hosts, making it crucial for SOC analysts to investigate promptly. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = "*/T*" Processes.process = "*/N*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script. +description: The following analytic detects the use of choice.exe in batch files as + a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant as it indicates potential + time-based evasion techniques used by malware to avoid detection. If confirmed malicious, + this behavior could allow attackers to execute code stealthily, delete malicious + files, and persist on compromised hosts, making it crucial for SOC analysts to investigate + promptly. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process + = "*/T*" Processes.process = "*/N*" by Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrator may use choice.exe to allow user to choose from + and indexes of choices from a batch script. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger 
@@ -22,43 +43,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A $process_name$ has a choice time delay commandline on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Snake Keylogger asset_type: Endpoint - confidence: 50 - impact: 50 - message: A $process_name$ has a choice time delay commandline on $dest$ mitre_attack_id: - T1497.003 - T1497 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/snakekeylogger_choice.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/snakekeylogger_choice.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml index 08783d9e3e..7921f897c6 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml 
@@ -1,18 +1,36 @@ name: Windows UAC Bypass Suspicious Child Process id: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system. +description: The following analytic detects when an executable known for User Account + Control (UAC) bypass exploitation spawns a child process in a user-controlled location + or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages + Sysmon EventID 1 data, focusing on high or system integrity level processes with + specific parent-child process relationships. This activity is significant as it + may indicate an attacker has successfully used a UAC bypass exploit to escalate + privileges. If confirmed malicious, this could allow the attacker to execute arbitrary + commands with elevated privileges, potentially compromising the entire system. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`' -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -known_false_positives: Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level + IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) + AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") + OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) + by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, + Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, + Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` + | where parent_process_name != process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`' +how_to_implement: Target environment must ingest sysmon data, specifically Event ID + 1 with process integrity level data. +known_false_positives: Including Werfault.exe may cause some unintended false positives + related to normal application faulting, but is used in a number of UAC bypass techniques. references: - https://attack.mitre.org/techniques/T1548/002/ - https://atomicredteam.io/defense-evasion/T1548.002/ 
@@ -24,53 +42,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched + a suspicious child process - $process_name$. + risk_objects: + - field: dest + type: system + score: 45 + - field: user + type: user + score: 45 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Windows Defense Evasion Tactics - Living Off The Land asset_type: Endpoint - confidence: 75 - impact: 60 - message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$. 
mitre_attack_id: - T1548 - T1548.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_guid - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name Processes.process - - Processes.process_path - - Processes.process_integrity_level - - Processes.process_current_directory - risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml index ae6dc7489f..977a72aeee 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml @@ -1,7 +1,7 @@ name: Windows UAC Bypass Suspicious Escalation Behavior id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3 -version: '4' -date: '2024-11-28' +version: 6 +date: '2024-12-10' author: Steven Dick status: production type: TTP 
@@ -62,60 +62,41 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A UAC bypass behavior was detected by process $parent_process_name$ on + host $dest$ by $user$. + risk_objects: + - field: dest + type: system + score: 64 + - field: user + type: user + score: 64 + threat_objects: + - field: process_name + type: process_name + - field: process_name + type: process_name + - field: parent_process_name + type: parent_process_name tags: analytic_story: - Living Off The Land - Compromised Windows Host - Windows Defense Evasion Tactics asset_type: Endpoint - confidence: 80 - impact: 80 - message: A UAC bypass behavior was detected by parent process name- $parent_process_name$ - on host $dest$ by $user$. mitre_attack_id: - T1548 - T1548.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker - - name: process_name - type: Process Name - role: - - Attacker - - name: parent_process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_guid - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name Processes.process - - Processes.process_path - - Processes.process_integrity_level - - Processes.process_current_directory - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index 9e38291731..851179acf7 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml 
@@ -1,15 +1,29 @@ name: Windows Unsecured Outlook Credentials Access In Registry id: 36334123-077d-47a2-b70c-6c7b3cc85049 -version: 4 -date: '2024-11-28' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk. -search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676*", "*\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676*") AND process_name != *\\outlook.exe | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." +description: The following analytic detects unauthorized access to Outlook credentials + stored in the Windows registry. It leverages Windows Security Event logs, specifically + EventCode 4663, to identify access attempts to registry paths associated with Outlook + profiles. 
This activity is significant as it may indicate attempts to steal sensitive + email credentials, which could lead to unauthorized access to email accounts. If + confirmed malicious, this could allow attackers to exfiltrate sensitive information, + impersonate users, or execute further unauthorized actions within Outlook, posing + a significant security risk. +search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676*", + "*\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676*") AND + process_name != *\\outlook.exe | stats count min(_time) as firstTime max(_time) + as lastTime by object_file_name object_file_path process_name process_path process_id + EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_unsecured_outlook_credentials_access_in_registry_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security + Event logs and track event code 4663. For 4663, enable "Audit Object Access" in + Group Policy. Then check the two boxes listed for both "Success" and "Failure." known_false_positives: third party software may access this outlook registry. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice 
@@ -20,42 +34,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious process $process_name$ accessing outlook credentials registry + on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Snake Keylogger - Meduza Stealer asset_type: Endpoint - confidence: 70 - impact: 70 - message: A suspicious process $process_name$ accessing outlook credentials registry on $dest$ mitre_attack_id: - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - object_file_name - - object_file_path - - process_name - - process_path - - process_id - - EventCode - - dest security_domain: endpoint tests: - name: True 
Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index 6b38ae9e49..f6c7a56920 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml 
@@ -1,16 +1,30 @@ name: Windows Unsigned DLL Side-Loading id: 5a83ce44-8e0f-4786-a775-8249a525c879 -version: 3 -date: '2024-09-30' +version: 7 +date: '2025-01-27' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 7 -description: The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\windows\system32 or c:\windows\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system. -search: '`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed. +description: The following analytic detects the creation of potentially malicious + unsigned DLLs in the c:\windows\system32 or c:\windows\syswow64 folders. 
It leverages + Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded + in these critical directories. This activity is significant as it may indicate a + DLL hijacking attempt, a technique used by attackers to gain unauthorized access + and execute malicious code. If confirmed malicious, this could lead to privilege + escalation, allowing the attacker to gain elevated privileges and further compromise + the target system. +search: '`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" + ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") | stats + count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed + SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: It is possible some Administrative utilities will load dismcore.dll + outside of normal system paths, filter as needed. references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. 
@@ -20,42 +34,35 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An unsigned dll module was loaded on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Warzone RAT + - Derusbi + - Nexus APT Threat Activity + - Earth Estries - NjRAT asset_type: Endpoint - confidence: 70 - impact: 70 - message: An unsigned dll module was loaded on $dest$ mitre_attack_id: - T1574.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Image - - ImageLoaded - - Signed - - SignatureStatus - - OriginalFileName - - process_name - - dest - - EventCode - - ProcessId - - Hashes - - IMPHASH security_domain: endpoint tests: - name: 
True Positive Test diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index ae2fd31a3a..08803a7cd9 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml 
@@ -1,15 +1,32 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: 2 -date: '2024-09-30' +version: 6 +date: '2025-01-27' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 type: TTP status: production -description: This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. -search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+description: This detection identifies unsigned DLLs loaded through DLL side-loading + with same file path with the process loaded the DLL, a technique observed in DarkGate + malware. This detection monitors DLL loading, verifies signatures, and flags unsigned + DLLs. Suspicious file paths and known executable associations are checked. Detecting + such suspicious DLLs is crucial in preventing privilege escalation attacks and other + potential security breaches. Regular security assessments, thorough monitoring, + and implementing security best practices are essential in safeguarding systems from + such threats. +search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN + ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) + NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program + Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded + "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath + | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid + ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company + Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html 
@@ -20,43 +37,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An unsigned dll module was loaded on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - - DarkGate Malware - PlugX + - Derusbi + - Nexus APT Threat Activity + - DarkGate Malware + - Earth Estries asset_type: Endpoint - confidence: 70 - impact: 70 - message: An unsigned dll module was loaded on $dest$ mitre_attack_id: - T1574.002 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - Image - - ImageLoaded - - Signed - - SignatureStatus - - OriginalFileName - - process_name - - dest - - EventCode - - ProcessId - - Hashes - - IMPHASH 
security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index ef503de497..add7f13b4d 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml 
@@ -1,16 +1,41 @@ name: Windows Unsigned MS DLL Side-Loading id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c -version: 3 -date: '2024-09-30' +version: 7 +date: '2025-01-27' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 type: Anomaly status: production -description: The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information. -search: '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`' -how_to_implement: The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. 
The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. -known_false_positives: False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. +description: The following analytic identifies potential DLL side-loading instances + involving unsigned DLLs mimicking Microsoft signatures. It detects this activity + by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` + paths do not match system directories like `system32`, `syswow64`, and `programfiles`. + This behavior is significant as adversaries often exploit DLL side-loading to execute + malicious code via legitimate processes. If confirmed malicious, this activity could + allow attackers to execute arbitrary code, potentially leading to privilege escalation, + persistence, and unauthorized access to sensitive information. 
+search: '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus + != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program + Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", + "C:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded + "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath + | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid + ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company + Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`' +how_to_implement: The analytic is designed to be run against Sysmon event logs collected + from endpoints. The analytic requires the Sysmon event logs to be ingested into + Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe + or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters + out the legitimate loading of vcruntime140.dll from the System32 directory to reduce + false positives. The analytic can be modified to include additional known good paths + for vcruntime140.dll to further reduce false positives. +known_false_positives: False positives are possible if legitimate processes are loading + vcruntime140.dll from non-standard directories. It is recommended to investigate + the context of the process loading vcruntime140.dll to determine if it is malicious + or not. Modify the search to include additional known good paths for vcruntime140.dll + to reduce false positives. references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader 
@@ -20,43 +45,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$. + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: + - field: Image + type: file_name tags: analytic_story: + - Derusbi - APT29 Diplomatic Deceptions with WINELOADER + - Nexus APT Threat Activity + - Earth Estries group: - APT29 - Cozy Bear - Midnight Blizzard asset_type: Endpoint - confidence: 30 - impact: 30 - message: An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$. 
mitre_attack_id: - T1574.002 - T1547 - observable: - - name: Image - type: File Name - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Image - - ImageLoaded - - user - - Computer - - EventCode - risk_score: 9 security_domain: endpoint cve: [] tests: diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml index 4bcefdccce..c2fca2d205 100644 --- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml 
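Review bot: In the `rba` block of the `windows_unsigned_ms_dll_side_loading` tags hunk above, the threat object `Image` is typed `file_name`, but the Sysmon EventCode 7 `Image` field carries the full process path (the search itself derives `ImageFolderPath` from it with `rex`), so the threat object will be a path rather than a file name; either keep the type and accept path-valued threat objects, or extract the basename first. The hunk also adds three analytic stories (Derusbi, Nexus APT Threat Activity, Earth Estries) to a detection whose description still only mentions WINELOADER; make sure those story files exist and that the description or references cover the new mappings.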
@@ -1,12 +1,27 @@ +name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos +id: f65aa026-b811-42ab-b4b9-d9088137648f +date: '2024-11-13' +type: Anomaly +version: 4 +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2024-09-30' -description: The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -id: f65aa026-b811-42ab-b4b9-d9088137648f -known_false_positives: A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. -name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos +description: The following analytic identifies a source endpoint failing to authenticate + with multiple disabled domain users using the Kerberos protocol. It leverages EventCode + 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket + Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). 
This + behavior is significant as it may indicate a Password Spraying attack targeting + disabled accounts, potentially leading to initial access or privilege escalation. + If confirmed malicious, attackers could gain unauthorized access or elevate privileges + within the Active Directory environment. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple disabled domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, multi-user systems missconfigured + systems. references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: 
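Review bot: The reflowed `+known_false_positives` in this hunk carries a pre-existing typo and a missing conjunction forward: "vulnerability scanners, multi-user systems missconfigured systems" should read "vulnerability scanners, multi-user systems and misconfigured systems" (the sibling invalid-users file in this same patch already has the "and"). Since the hunk rewrites the whole paragraph anyway, fix it here rather than in a follow-up.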
@@ -15,49 +30,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`' -status: production +search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket + span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by _time, IpAddress | eventstats 
avg(unique_accounts) as comp_avg , stdev(unique_accounts) + as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`' +rba: + message: Potential Kerberos based password spraying attack from $IpAddress$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Password Spraying - Active Directory Kerberos Attacks - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential Kerberos based password spraying attack from $IpAddress$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: IpAddress - role: - - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 3 diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml index 69985257ed..99987eef1c 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml 
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml 
@@ -1,12 +1,27 @@ +name: Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos +id: f122cb2e-d773-4f11-8399-62a3572d8dd7 +type: Anomaly +version: 4 +date: '2024-11-13' +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2024-09-30' -description: The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -id: f122cb2e-d773-4f11-8399-62a3572d8dd7 -known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. -name: Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos +description: The following analytic identifies a source endpoint failing to authenticate + with multiple invalid domain users using the Kerberos protocol. It leverages Event + ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket + Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found + in the Kerberos database. 
This behavior is significant as it may indicate a Password + Spraying attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access and potential + privilege escalation within the Active Directory environment. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple invalid domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, multi-user systems and missconfigured + systems. references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: 
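Review bot: "missconfigured" on the `+known_false_positives` lines of this hunk is misspelled; since the paragraph is being rewritten here, correct it to "misconfigured".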
@@ -15,49 +30,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`' -status: production +search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket + span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by _time, IpAddress | eventstats 
avg(unique_accounts) as comp_avg , stdev(unique_accounts) + as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`' +rba: + message: Potential Kerberos based password spraying attack from $IpAddress$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Password Spraying - Active Directory Kerberos Attacks - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential Kerberos based password spraying attack from $IpAddress$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: IpAddress - role: - - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 3 diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml index 0857438d35..423d4f8f23 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml 
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml 
@@ -1,12 +1,28 @@ +name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM +id: 15603165-147d-4a6e-9778-bd0ff39e668f +type: Anomaly +version: 5 +status: production +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4776 -date: '2024-09-30' -description: The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -id: 15603165-147d-4a6e-9778-bd0ff39e668f -known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM +description: The following analytic identifies a source endpoint failing to authenticate + with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 + and calculates the standard deviation for each host, using the 3-sigma rule to detect + anomalies. 
This behavior is significant as it may indicate a Password Spraying attack, + where an adversary attempts to gain initial access or elevate privileges. If confirmed + malicious, this activity could lead to unauthorized access or privilege escalation, + posing a significant threat to the Active Directory environment. This detection + is focused on domain controllers. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events. The Advanced Security Audit policy setting `Audit Credential + Validation' within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple invalid domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. + If this detection triggers on a host other than a Domain Controller, the behavior + could represent a password spraying attack against the host's local accounts. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation 
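Review bot: The `+how_to_implement` lines in this hunk reflow an unbalanced quote: `` `Audit Credential Validation' `` opens with a backtick and closes with an apostrophe; make it `` `Audit Credential Validation` `` to match `` `Account Logon` `` in the same sentence. The same hunk also carries "missconfigured" forward in `known_false_positives`.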
@@ -17,48 +33,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' -status: production +search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 + | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by 
_time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) + as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation + as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' +rba: + message: Potential NTLM based password spraying attack from $src$ + risk_objects: + - field: user + type: user + score: 49 + - field: src + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential NTLM based password spraying attack from $src$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: Endpoint - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - TargetUserName - - Workstation - - Status - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 4 diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml index c2668a46de..44f94c13c8 100644 --- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml 
+++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml 
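Review bot: In the NTLM detection's `rba` block (the hunk for `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml` ending just above), `src` becomes a `risk_objects` entry of type `system` with score 49 and `threat_objects` is left as `[]`, whereas the removed `observable` entry marked `src` with role `Attacker`, and the Kerberos siblings in this same patch map their attacker field (`IpAddress`) to `threat_objects` with type `ip_address`. Decide deliberately whether the spraying workstation should accrue risk as a system (a possibly compromised internal host) or be recorded as the threat object, and apply the same convention across the password-spraying detections; the inconsistency is what needs a rationale in the PR.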
@@ -1,12 +1,28 @@ +name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials +id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93 +type: Anomaly +version: 5 +status: production +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4648 -date: '2024-09-30' -description: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment. -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93 -known_false_positives: A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. -name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials +description: The following analytic identifies a source user failing to authenticate + with multiple users using explicit credentials on a host. It leverages Windows Event + Code 4648 and calculates the standard deviation for each host, using the 3-sigma + rule to detect anomalies. 
This behavior is significant as it may indicate a Password + Spraying attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access, privilege + escalation, or further compromise of the Active Directory environment. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A source user failing attempting to authenticate multiple users + on a host is not a common behavior for regular systems. Some applications, however, + may exhibit this behavior in which case sets of users hosts can be added to an allow + list. Possible false positive scenarios include systems where several users connect + to like Mail servers, identity providers, remote desktop services, Citrix, etc. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648 
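Review bot: The reflowed `+known_false_positives` in this hunk keeps three grammar problems that are worth fixing while the paragraph is being rewritten: "A source user failing attempting to authenticate multiple users" should be "A source user failing to authenticate as multiple users", "sets of users hosts" should be "sets of users and hosts", and "systems where several users connect to like Mail servers" should be "systems that several users connect to, such as mail servers".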
@@ -17,49 +33,48 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`' -status: production +search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ + | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) + as 
user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) + as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`' +rba: + message: Potential password spraying attack from $Computer$ + risk_objects: + - field: user + type: user + score: 49 + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Insider Threat - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential password spraying attack from $Computer$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: Computer - role: - - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Target_User_Name - - Caller_User_Name - - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 4 diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml index 5d29cbb5e7..437f332a2f 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml 
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml 
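Review bot: In the `rba` block of the explicit-credentials hunk ending just above (`windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml`), `Computer` is added as a `risk_objects` entry of type `system` scored 49 with `threat_objects: []`, while the removed `observable` entry had `Computer` with role `Attacker`. This mirrors the NTLM file's choice and differs from the Kerberos files, which put their attacker field under `threat_objects`; pick one convention for the source host across these detections and state it in the PR description so downstream risk scoring on the `system` entity is intentional.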
@@ -1,12 +1,27 @@ +name: Windows Unusual Count Of Users Failed To Auth Using Kerberos +id: bc9cb715-08ba-40c3-9758-6e2b26e455cb +date: '2024-11-13' +type: Anomaly +version: 4 +status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4771 -date: '2024-09-30' -description: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -id: bc9cb715-08ba-40c3-9758-6e2b26e455cb -known_false_positives: A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. -name: Windows Unusual Count Of Users Failed To Auth Using Kerberos +description: The following analytic identifies a source endpoint failing to authenticate + multiple valid users using the Kerberos protocol, potentially indicating a Password + Spraying attack. It leverages Event 4771, which is generated when the Key Distribution + Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password + (failure code 0x18). 
This detection uses statistical analysis, specifically the + 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, + this activity could allow an attacker to gain initial access or elevate privileges + within an Active Directory environment. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid domain users + is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, missconfigured systems and + multi-user systems like Citrix farms. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11) 
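Review bot: "missconfigured" on the `+known_false_positives` lines of this hunk is misspelled; correct it to "misconfigured" as part of this rewrite.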
@@ -17,49 +32,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`' -status: production +search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | + bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as user by _time, IpAddress | eventstats 
avg(unique_accounts) as comp_avg , stdev(unique_accounts) + as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`' +rba: + message: Potential Kerberos based password spraying attack from $IpAddress$ + risk_objects: + - field: user + type: user + score: 49 + threat_objects: + - field: IpAddress + type: ip_address tags: analytic_story: - Active Directory Password Spraying - Active Directory Kerberos Attacks - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential Kerberos based password spraying attack from $IpAddress$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: IpAddress - role: - - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 3 diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml index 72c00ef104..e7fa32d047 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml 
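Review bot: in the Kerberos detection's second hunk, `-type: Anomaly` and `-version: 3` are dropped from the bottom of the file, but the matching `+type`/`+version` lines at the top fall outside the hunks shown; because the risk schema changed (the `rba` block replaces `confidence`/`impact`/`observable`/`risk_score`), confirm the header hunk bumps the version the way the sibling files in this change do. Also note that `user` is multivalued here (`values(TargetUserName) as user` per `_time, IpAddress` bucket), so `risk_objects: - field: user` with `score: 49` yields one 49-point risk event per sprayed account per 5-minute bucket; that is a reasonable choice for a spray, where every targeted account is a victim, but the NTLM sibling in this same change maps only the source host, so either state that intent in the message or keep the two consistent.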
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml 
@@ -1,12 +1,27 @@ +name: Windows Unusual Count Of Users Failed To Authenticate From Process +id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe +type: Anomaly +version: 5 +status: production +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2024-09-30' -description: The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network. -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe -known_false_positives: A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -name: Windows Unusual Count Of Users Failed To Authenticate From Process +description: The following analytic identifies a source process failing to authenticate + multiple users, potentially indicating a Password Spraying attack. It leverages + Windows Event 4625, which logs failed logon attempts, and uses statistical analysis + to detect anomalies. This activity is significant as it may represent an adversary + attempting to gain initial access or elevate privileges within an Active Directory + environment. 
If confirmed malicious, the attacker could compromise multiple accounts, + leading to unauthorized access, data exfiltration, or further lateral movement within + the network. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers aas well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A process failing to authenticate with multiple users is not + a common behavior for legitimate user sessions. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 
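Review bot: the reflow carries two typos into the new `+` lines of this hunk: "from domain controllers aas well as member servers" in `how_to_implement` and "missconfigured systems" in `known_false_positives`; correct them to "as well as" and "misconfigured" while the paragraphs are being rewritten.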
@@ -18,51 +33,48 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`' -status: production +search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket + span=2m _time | stats dc(TargetUserName) AS unique_accounts 
values(TargetUserName) + as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) + as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, + Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`' +rba: + message: Potential password spraying attack from $Computer$ + risk_objects: + - field: user + type: user + score: 49 + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Insider Threat - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential password spraying attack from $Computer$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: user - type: User - role: - - Victim - - name: Computer - role: - - Attacker - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - ProcessName - - SubjectUserName - - TargetUserName - - Computer - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 4 diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml index fb23accc7a..51d1787dea 100644 
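Review bot: the removed `observable` block marked `Computer` with role `Attacker`, but the new `rba` block lists it only under `risk_objects` (type `system`, score 49) with `threat_objects: []`, while the message still reads "Potential password spraying attack from $Computer$". For `Logon_Type=2` the failed logons occur on `Computer` itself, so treating it as a risk object is defensible, but the Kerberos sibling maps its source (`IpAddress`) as a threat object; pick one convention across the set and, if `Computer` stays a risk object, reword the message to "on $Computer$" as the remote-auth sibling does. `ProcessName` and `SubjectUserName` are already in the `by` clause, so including `$ProcessName$` in the message would make the notable actionable without a drilldown.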
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml 
@@ -1,12 +1,28 @@ +name: Windows Unusual Count Of Users Failed To Authenticate Using NTLM +id: 6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4 +type: Anomaly +version: 5 +status: production +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4776 -date: '2024-09-30' -description: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network. -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -id: 6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4 -known_false_positives: A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -name: Windows Unusual Count Of Users Failed To Authenticate Using NTLM +description: The following analytic identifies a source endpoint failing to authenticate + multiple valid users using the NTLM protocol, potentially indicating a Password + Spraying attack. 
It leverages Event 4776 from Domain Controllers, calculating the + standard deviation for each host and applying the 3-sigma rule to detect anomalies. + This activity is significant as it may represent an adversary attempting to gain + initial access or elevate privileges. If confirmed malicious, the attacker could + compromise multiple accounts, leading to unauthorized access and potential lateral + movement within the network. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events. The Advanced Security Audit policy setting `Audit Credential + Validation` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid domain users + is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. + If this detection triggers on a host other than a Domain Controller, the behavior + could represent a password spraying attack against the host's local accounts. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation 
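Review bot: "missconfigured systems" in the reflowed `known_false_positives` `+` lines should be "misconfigured"; otherwise the header move (`version: 5`, `date: '2024-11-13'`) and the description reflow match the other files in this change.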
@@ -17,44 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Workstation$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`' -status: production +search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A + | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as 
tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg + , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`' +rba: + message: Potential NTLM based password spraying attack from $Workstation$ + risk_objects: + - field: Workstation + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential NTLM based password spraying attack from $Workstation$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: Workstation - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Status - - TargetUserName - - Workstation - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 4 diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml index 0dd4119bf6..f3cb730dff 100644 --- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml +++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml 
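Review bot: `tried_accounts` (from `values(TargetUserName) as tried_accounts`) is not mapped into `rba.risk_objects`, so the sprayed accounts accrue no risk here, whereas the Kerberos detection in this change assigns 49 to each `user`; add `- field: tried_accounts` with `type: user` if the accounts should carry risk, or rename the field to `user` so the drilldowns and risk objects line up with the sibling files.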
@@ -1,12 +1,27 @@ +name: Windows Unusual Count Of Users Remotely Failed To Auth From Host +id: cf06a0ee-ffa9-4ed3-be77-0670ed9bab52 +type: Anomaly +version: 5 +status: production +date: '2024-11-13' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2024-09-30' -description: The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network. -how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -id: cf06a0ee-ffa9-4ed3-be77-0670ed9bab52 -known_false_positives: A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. -name: Windows Unusual Count Of Users Remotely Failed To Auth From Host +description: The following analytic identifies a source host failing to authenticate + against a remote host with multiple users, potentially indicating a Password Spraying + attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 + (remote authentication) to detect this behavior. 
This activity is significant as + it may represent an adversary attempting to gain initial access or elevate privileges + within an Active Directory environment. If confirmed malicious, this could lead + to unauthorized access, privilege escalation, and further compromise of the network. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers as as well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A host failing to authenticate with multiple valid users against + a remote host is not a common behavior for legitimate systems. Possible false positive + scenarios include but are not limited to vulnerability scanners, remote administration + tools, missconfigyred systems, etc. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 
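Review bot: the reflowed `how_to_implement` `+` lines duplicate a word ("from domain controllers as as well as member servers") and `known_false_positives` has "missconfigyred systems"; fix both to "as well as" and "misconfigured" in this hunk.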
@@ -18,45 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$Computer$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`' -status: production +search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket + span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts 
by _time, IpAddress, Computer | eventstats avg(unique_accounts) + as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`' +rba: + message: Potential password spraying attack on $Computer$ + risk_objects: + - field: Computer + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying - Volt Typhoon asset_type: Endpoint - confidence: 70 - impact: 70 - message: Potential password spraying attack on $Computer$ mitre_attack_id: - T1110.003 - T1110 - observable: - - name: Computer - role: - - Victim - type: Endpoint product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Logon_Type - - TargetUserName - - Computer - - IpAddress - risk_score: 49 security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test -type: Anomaly -version: 4 diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml index 32bdd62fbf..8a5066b1b8 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml 
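Review bot: `IpAddress` is the remote source in this search (`by _time, IpAddress, Computer` and `eventstats ... by IpAddress, Computer`) but the new `rba` block leaves `threat_objects: []`, so the spraying host is dropped from risk, while the Kerberos detection in this same change maps `IpAddress` as `type: ip_address`; add the same `threat_objects` entry here. As in the NTLM file, `tried_accounts` is also not mapped to a `user` risk object, so the targeted accounts accrue no risk.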
@@ -1,16 +1,35 @@ name: Windows Unusual NTLM Authentication Destinations By Source id: ae9b0df5-5fb0-477f-abc9-47faf42aa91d -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when an unusual number NTLM authentications is attempted by the same source against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a multiple domain joined Windows devices using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well. +description: The following analytic detects when an unusual number NTLM authentications + is attempted by the same source against multiple destinations. This activity generally + results when an attacker attempts to brute force, password spray, or otherwise authenticate + to a multiple domain joined Windows devices using an NTLM based process/attack. + This same activity may also generate a large number of EventID 4776 events as well. 
data_source: - NTLM Operational 8004,8005,8006 -search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` | `windows_unusual_ntlm_authentication_destinations_by_source_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by src | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. 
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src + = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some + auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` + | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain + applications ``` | `windows_unusual_ntlm_authentication_destinations_by_source_filter` + | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) + as unique_count by src | eventstats avg(unique_count) as unique_avg , stdev(unique_count) + as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula + for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), + 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be + imported from the environment Domain Controllers. This requires configuration of + specific auditing settings, see Microsoft references for further guidance. This + analytic is specific to EventID 8004~8006. +known_false_positives: Vulnerability scanners, print servers, and applications that + deal with non-domain joined authentications. Recommend adjusting the upperBound_unique + eval for tailoring the correlation to your environment, running with a 24hr search + window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 
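Review bot: the reflowed description `+` lines keep two grammar slips, "an unusual number NTLM authentications" (missing "of") and "authenticate to a multiple domain joined Windows devices" ("to multiple domain-joined"), and `how_to_implement` has "requires that NTLM Operational logs to be imported" (drop "that" or "to be"). In the search, `dc(eval(upper(dest)))` normalises destination case but `src` (derived from `WorkstationName`) is not normalised, so the same workstation logged in mixed case splits into separate `src` groups, each with a lower `unique_count` and its own risk object; `eval src = upper(replace(WorkstationName,"\\\\",""))` would close that gap.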
@@ -23,39 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The device [$src$] attempted $count$ NTLM authentications against $unique_count$ + destinations. + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Endpoint - confidence: 100 - impact: 25 - message: The device [$src$] attempted $count$ NTLM authentications against $unique_count$ destinations. 
mitre_attack_id: - T1110 - T1110.003 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - DomainName - - Security - - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml index a15464ddbf..f9d5c01f64 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml 
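Review bot: the `rba.message` reports `$count$` and `$unique_count$`, but the `stats` in this file never keeps the destinations themselves (no `values(dest)`), so the resulting risk event cannot show which hosts were targeted; adding `values(dest) as dest` to the `stats` would make the notable self-contained. Dropping `required_fields` is fine here, since it listed `DomainName` and `Security`, neither of which the search references.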
@@ -1,16 +1,35 @@ name: Windows Unusual NTLM Authentication Destinations By User id: a4d86702-402b-4a4f-8d06-9d61e6c39cad -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when an unusual number of NTLM authentications is attempted by the same user account against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to numerous domain joined Windows devices using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well. +description: The following analytic detects when an unusual number of NTLM authentications + is attempted by the same user account against multiple destinations. This activity + generally results when an attacker attempts to brute force, password spray, or otherwise + authenticate to numerous domain joined Windows devices using an NTLM based process/attack. + This same activity may also generate a large number of EventID 4776 events as well. 
data_source: - NTLM Operational 8004,8005,8006 -search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` | `windows_unusual_ntlm_authentication_destinations_by_user_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by user | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. 
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src + = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some + auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` + | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain + applications ``` | `windows_unusual_ntlm_authentication_destinations_by_user_filter` + | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) + as unique_count by user | eventstats avg(unique_count) as unique_avg , stdev(unique_count) + as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula + for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), + 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be + imported from the environment Domain Controllers. This requires configuration of + specific auditing settings, see Microsoft references for further guidance. This + analytic is specific to EventID 8004~8006. +known_false_positives: Vulnerability scanners, print servers, and applications that + deal with non-domain joined authentications. Recommend adjusting the upperBound_unique + eval for tailoring the correlation to your environment, running with a 24hr search + window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 
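Review bot: the `data_source` entry `NTLM Operational 8004,8005,8006` and the `how_to_implement` sentence "This analytic is specific to EventID 8004~8006" do not match the search, which selects only `EventCode = 8004`; since both lines are being reflowed in this hunk anyway, either narrow them to 8004 or state why 8005/8006 are listed. While touching `how_to_implement`, "requires that NTLM Operational logs to be imported" should read "requires that NTLM Operational logs be imported", and the description's "may also generate a large number of EventID 4776 events as well" doubles up "also" and "as well".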
@@ -23,39 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user [$user$] attempted $count$ NTLM authentications against $unique_count$ + destinations. + risk_objects: + - field: user + type: user + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Endpoint - confidence: 100 - impact: 25 - message: The user [$user$] attempted $count$ NTLM authentications against $unique_count$ destinations. 
mitre_attack_id: - T1110 - T1110.003 - observable: - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - DomainName - - Security - - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml index b1451a2b5a..7474361923 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml 
@@ -1,16 +1,37 @@ name: Windows Unusual NTLM Authentication Users By Destination id: 1120a204-8444-428b-8657-6ea4e1f3e840 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device. +description: The following analytic detects when a device is the target of numerous + NTLM authentications using a null domain. This activity generally results when an + attacker attempts to brute force, password spray, or otherwise authenticate to a + domain joined Windows device from a non-domain device. This activity may also generate + a large number of EventID 4776 events in tandem, however these events will not indicate + the attacker or target device. 
data_source: - NTLM Operational 8004,8005,8006 -search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` | `windows_unusual_ntlm_authentication_users_by_destination_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: The following analytic detects when an unusual number of NTLM authentications is attempted against the same destination. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. 
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src + = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some + auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` + | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain + applications ``` | `windows_unusual_ntlm_authentication_users_by_destination_filter` + | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) + as unique_count by dest | eventstats avg(unique_count) as unique_avg , stdev(unique_count) + as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula + for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), + 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +how_to_implement: The following analytic detects when an unusual number of NTLM authentications + is attempted against the same destination. This activity generally results when + an attacker attempts to brute force, password spray, or otherwise authenticate to + a domain joined Windows device using an NTLM based process/attack. This same activity + may also generate a large number of EventID 4776 events as well. +known_false_positives: Vulnerability scanners, print servers, and applications that + deal with non-domain joined authentications. Recommend adjusting the upperBound_unique + eval for tailoring the correlation to your environment, running with a 24hr search + window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 
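Review bot: `how_to_implement` in this file is a description paragraph ("The following analytic detects when an unusual number of NTLM authentications is attempted against the same destination..."), not implementation guidance, and the reflow keeps it as-is; it should carry the same text as the sibling NTLM detections ("requires that NTLM Operational logs be imported from the environment Domain Controllers ... This analytic is specific to EventID 8004~8006"). Separately, the description says the device is targeted by authentications "using a null domain", but nothing in the search (`EventCode = 8004 SChannelName=* WorkstationName=*`) constrains the domain field unless the `ntlm_audit` macro does; either add that condition or drop the wording so analysts are not led to expect a filter that is not there.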
@@ -23,39 +44,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The device [$dest$] was the target of $count$ NTLM authentications using + $unique_count$ unique user accounts. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Endpoint - confidence: 100 - impact: 25 - message: The device [$dest$] was the target of $count$ NTLM authentications using $unique_count$ unique user accounts. 
mitre_attack_id: - T1110 - T1110.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - DomainName - - Security - - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml index ba01c79bac..d6a3b2c0de 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml 
@@ -1,16 +1,35 @@ name: Windows Unusual NTLM Authentication Users By Source id: 80fcc4d4-fd90-488e-b55a-4e7190ae6ce2 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when an unusual number of NTLM authentications is attempted by the same source. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events in as well. +description: The following analytic detects when an unusual number of NTLM authentications + is attempted by the same source. This activity generally results when an attacker + attempts to brute force, password spray, or otherwise authenticate to a domain joined + Windows device using an NTLM based process/attack. This same activity may also generate + a large number of EventID 4776 events in as well. 
data_source: - NTLM Operational 8004,8005,8006 -search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` | `windows_unusual_ntlm_authentication_users_by_source_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by src | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. 
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | eval src + = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some + auth attempts ``` | eval dest = SChannelName, user = UserName ``` CIM alignment``` + | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain + applications ``` | `windows_unusual_ntlm_authentication_users_by_source_filter` + | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) + as unique_count by src | eventstats avg(unique_count) as unique_avg , stdev(unique_count) + as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula + for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), + 0) | where isOutlier==1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be + imported from the environment Domain Controllers. This requires configuration of + specific auditing settings, see Microsoft references for further guidance. This + analytic is specific to EventID 8004~8006. +known_false_positives: Vulnerability scanners, print servers, and applications that + deal with non-domain joined authentications. Recommend adjusting the upperBound_unique + eval for tailoring the correlation to your environment, running with a 24hr search + window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 
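Review bot: the reflowed description keeps the typo "a large number of EventID 4776 events in as well" (drop "in"). Same mismatch as the sibling files: `data_source` lists 8004,8005,8006 and `how_to_implement` says "specific to EventID 8004~8006" while the search only selects `EventCode = 8004`; align the two or explain the extra event IDs.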
@@ -23,39 +42,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The device [$src$] attempted $count$ NTLM authentications using $unique_count$ + user accounts. + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Active Directory Password Spraying asset_type: Endpoint - confidence: 100 - impact: 25 - message: The device [$src$] attempted $count$ NTLM authentications using $unique_count$ user accounts. 
mitre_attack_id: - T1110 - T1110.003 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - DomainName - - Security - - WorkstationName - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/windows_user_deletion_via_net.yml similarity index 62% rename from detections/endpoint/deleting_of_net_users.yml rename to detections/endpoint/windows_user_deletion_via_net.yml index a322d9c3e4..32bb43dd91 100644 --- a/detections/endpoint/deleting_of_net_users.yml +++ b/detections/endpoint/windows_user_deletion_via_net.yml 
@@ -1,16 +1,16 @@ -name: Deleting Of Net Users -id: 1c8c6f66-acce-11eb-aafb-acde48001122 -version: 5 -date: '2024-09-30' +name: Windows User Deletion Via Net +id: b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e +version: 2 +date: '2025-01-13' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`' +search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name 
Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_deletion_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: System administrators or scripts may delete user accounts via this technique. Filter as needed. references: 
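Review bot: the rename replaces the detection `id` (`1c8c6f66-acce-11eb-aafb-acde48001122` to `b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e`) yet sets `version: 2`; a new id makes this a brand-new correlation search for consumers, so notables, suppressions and risk history keyed on the old id and name are orphaned. Either keep the original id and bump to `version: 6`, or, if a new id is intended, start at `version: 1` and note in the PR that the old detection is superseded. Also confirm that a `windows_user_deletion_via_net_filter` macro definition is added alongside this rename, since the search now ends with that macro and an undefined macro is a search-time error.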
@@ -21,59 +21,46 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to delete accounts. + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - XMRig - Graceful Wipe Out Attack - DarkGate Malware asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts. 
mitre_attack_id: - T1531 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/windows_user_disabled_via_net.yml similarity index 61% rename from detections/endpoint/disabling_net_user_account.yml rename to detections/endpoint/windows_user_disabled_via_net.yml index e7b75edae3..547248419e 100644 --- a/detections/endpoint/disabling_net_user_account.yml +++ b/detections/endpoint/windows_user_disabled_via_net.yml 
@@ -1,16 +1,16 @@ -name: Disabling Net User Account -id: c0325326-acd6-11eb-98c2-acde48001122 -version: 5 -date: '2024-09-30' +name: Windows User Disabled Via Net +id: b0359e05-c87b-4354-83d8-aee0d890243f +version: 2 +date: '2025-01-13' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`' +search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name 
Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_disabled_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown references: 
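Review bot: same id/version concern as the deletion detection: `id` changes from `c0325326-acd6-11eb-98c2-acde48001122` to `b0359e05-c87b-4354-83d8-aee0d890243f` while `version` drops from 5 to 2; pick one of keep-the-id-and-bump or new-id-at-version-1, and make sure a `windows_user_disabled_via_net_filter` macro exists for the renamed filter. `known_false_positives: unknown` is left untouched, but with the type downgraded from `TTP` to `Anomaly` analysts would benefit from a realistic note: administrators and identity-management scripts disable accounts with `net user <name> /active:no` during offboarding, and the filter macro is the intended place to exclude those sources.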
@@ -21,57 +21,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + disabling a user account on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 42 + - field: dest + type: system + score: 42 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - XMRig asset_type: Endpoint - confidence: 60 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$. 
mitre_attack_id: - T1531 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_user_discovery_via_net.yml b/detections/endpoint/windows_user_discovery_via_net.yml new file mode 100644 index 0000000000..9f736b6b2d --- /dev/null +++ b/detections/endpoint/windows_user_discovery_via_net.yml 
@@ -0,0 +1,44 @@ +name: Windows User Discovery Via Net +id: 7742987e-88c1-476b-a626-a869e088ab72 +version: 1 +date: '2025-01-13' +author: Mauricio Velazco, Teoderick Contreras, Nasreddine Bencherchali, Splunk +status: production +type: Hunting +description: The following analytic detects the execution of `net.exe` or `net1.exe` + with command-line arguments `user` or `users` to query local user accounts. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to enumerate local users, which is a common + step in situational awareness and Active Directory discovery. If confirmed malicious, + this behavior could lead to further attacks, including privilege escalation and + lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process="*user" OR Processes.process="*users" OR Processes.process="*users *" OR Processes.process="*user *") AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_discovery_via_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. +references: +- https://attack.mitre.org/techniques/T1087/001/ +tags: + analytic_story: + - Active Directory Discovery + - Sandworm Tools + asset_type: Endpoint + mitre_attack_id: + - T1087 + - T1087.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 1c25e72a0f..0ee3bb1eaa 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml 
@@ -1,16 +1,30 @@ name: Windows User Execution Malicious URL Shortcut File id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of suspicious URL shortcut link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify .url files created outside standard directories, such as Program Files. This activity is significant as it may indicate an attempt to execute malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss. +description: The following analytic detects the creation of suspicious URL shortcut + link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem + datamodel to identify .url files created outside standard directories, such as Program + Files. This activity is significant as it may indicate an attempt to execute malicious + code upon system reboot. If confirmed malicious, this could allow an attacker to + achieve persistence and execute harmful payloads, potentially leading to further + system compromise and data loss. 
data_source: - Sysmon EventID 11 -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in this path. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN + ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.file_create_time + Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path + Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in this + path. references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia 
@@ -20,49 +34,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: a process created URL shortcut file in $file_path$ of $dest$ + risk_objects: + - field: user + type: user + score: 64 + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Chaos Ransomware - NjRAT - Snake Keylogger asset_type: Endpoint - confidence: 80 - impact: 80 - message: a process created URL shortcut file in $file_path$ of $dest$ mitre_attack_id: - T1204.002 - T1204 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.file_name - - 
Filesystem.user - - Filesystem.file_path - - Filesystem.process_guid - - Filesystem.dest - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml index b5cd4abb4f..f3116312b8 100644 --- a/detections/endpoint/windows_vulnerable_3cx_software.yml +++ b/detections/endpoint/windows_vulnerable_3cx_software.yml @@ -1,7 +1,7 @@ name: Windows Vulnerable 3CX Software id: f2cc1584-46ee-485b-b905-977c067f36de -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk type: TTP status: production 
@@ -9,10 +9,23 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this activity is crucial as these specific versions have known vulnerabilities that could be exploited by attackers. If confirmed malicious, exploitation of this vulnerability could lead to unauthorized access, code execution, or further compromise of the affected system, posing significant security risks. -search: '`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed. +description: The following analytic detects instances of the 3CXDesktopApp.exe with + a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying + vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this + activity is crucial as these specific versions have known vulnerabilities that could + be exploited by attackers. 
If confirmed malicious, exploitation of this vulnerability + could lead to unauthorized access, code execution, or further compromise of the + affected system, posing significant security risks. +search: '`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* + | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, + OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_vulnerable_3cx_software_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: False positives may be present based on file version, modify + the analytic to only look for version between 18.12.407 and 18.12.416 as needed. references: - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp 
@@ -25,46 +38,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, + related to a supply chain attack. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - 3CX Supply Chain Attack asset_type: Endpoint - confidence: 90 cve: - CVE-2023-29059 - impact: 100 - message: A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack. 
mitre_attack_id: - T1195.002 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OriginalFileName - - process_name - - EventID - - CommandLine - - dest - - parent_process_name - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index d42e1eb3af..7fcf571c1a 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml 
@@ -1,16 +1,30 @@ name: Windows Vulnerable Driver Installed id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Dean Luxton status: production type: TTP data_source: - Windows Event Log System 7045 -description: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag. -search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`' -how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested. -known_false_positives: False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. +description: The following analytic detects the loading of known vulnerable Windows + drivers, which may indicate potential persistence or privilege escalation attempts. 
+ It leverages Windows System service install EventCode 7045 to identify driver loading + events and cross-references them with a list of vulnerable drivers. This activity + is significant as attackers often exploit vulnerable drivers to gain elevated privileges + or maintain persistence on a system. If confirmed malicious, this could allow attackers + to execute arbitrary code with high privileges, leading to further system compromise + and potential data exfiltration. This detection is a Windows Event Log adaptation + of the Sysmon driver loaded detection written by Michael Haag. +search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table + _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name + AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`' +how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and + the EventCode 7045 is being ingested. +known_false_positives: False positives will be present. Drill down into the driver + further by version number and cross reference by signer. Review the reference material + in the lookup. In addition, modify the query to look within specific paths, which + will remove a lot of "normal" drivers. references: - https://loldrivers.io/ - https://github.com/SpikySabra/Kernel-Cactus 
@@ -23,36 +37,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potentially vulnerable/malicious driver [$ImagePath$] has been installed + on $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] tags: analytic_story: - Windows Drivers asset_type: Endpoint - confidence: 50 - impact: 100 - message: Potentially vulnerable/malicious driver [$ImagePath$] has been installed on $dest$ mitre_attack_id: - T1543.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 50 - required_fields: - - ServiceType - - driver_name security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml index b34dfc2652..3cd36fdbad 100644 --- a/detections/endpoint/windows_vulnerable_driver_loaded.yml +++ b/detections/endpoint/windows_vulnerable_driver_loaded.yml 
@@ -1,16 +1,31 @@ name: Windows Vulnerable Driver Loaded id: a2b1f1ef-221f-4187-b2a4-d4b08ec745f4 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. +description: The following analytic detects the loading of known vulnerable Windows + drivers, which may indicate potential persistence or privilege escalation attempts. + It leverages Sysmon EventCode 6 to identify driver loading events and cross-references + them with a list of vulnerable drivers. This activity is significant as attackers + often exploit vulnerable drivers to gain elevated privileges or maintain persistence + on a system. If confirmed malicious, this could allow attackers to execute arbitrary + code with high privileges, leading to further system compromise and potential data + exfiltration. 
data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`' -how_to_implement: Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable. -known_false_positives: False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. +search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime + count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT + is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`' +how_to_implement: Sysmon collects driver loads via EventID 6, however you may modify + the query to utilize this lookup to identify potentially persistent drivers that + are known to be vulnerable. +known_false_positives: False positives will be present. Drill down into the driver + further by version number and cross reference by signer. Review the reference material + in the lookup. In addition, modify the query to look within specific paths, which + will remove a lot of "normal" drivers. references: - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md 
@@ -30,30 +45,17 @@ tags: - Windows Drivers - BlackByte Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed. mitre_attack_id: - T1543.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - ImageLoaded - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml index acf4737e29..323c29de1d 100644 --- a/detections/endpoint/windows_windbg_spawning_autoit3.yml +++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml @@ -1,7 +1,7 @@ name: Windows WinDBG Spawning AutoIt3 id: 7aec015b-cd69-46c3-85ed-dac152056aa4 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
@@ -52,53 +52,38 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - DarkGate Malware asset_type: Endpoint atomic_guid: [] - confidence: 100 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$. mitre_attack_id: - T1059 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 100 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.original_file_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml index f1109ffc2b..74422a9b7c 100644 --- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml +++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml 
@@ -1,16 +1,41 @@ name: Windows WinLogon with Public Network Connection id: 65615b3a-62ea-4d65-bb9f-6f07c17df4ea -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Michael Haag, Splunk status: experimental type: Hunting data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -description: The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`' -how_to_implement: The detection is based on data 
that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered. +description: The following analytic detects instances of Winlogon.exe, a critical + Windows process, connecting to public IP addresses. This behavior is identified + using Endpoint Detection and Response (EDR) telemetry, focusing on network connections + made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect + to public IPs, and such activity may indicate a compromise, such as the BlackLotus + bootkit attack. This detection is significant as it highlights potential system + integrity breaches. If confirmed malicious, attackers could maintain persistence, + bypass security measures, and compromise the system at a fundamental level. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id + [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, + 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name + process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will be present and filtering will be required. + Legitimate IPs will be present and need to be filtered. 
references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ tags: @@ -18,34 +43,17 @@ tags: - BlackLotus Campaign asset_type: Endpoint atomic_guid: [] - confidence: 50 - impact: 50 - message: Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$. mitre_attack_id: - T1542.003 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 25 - required_fields: - - dest - - parent_process_name - - process_name - - process_path - - process - - process_id - - dest_port - - publicIp security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index 14270d689d..eeabb1c807 100644 --- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml 
@@ -1,16 +1,32 @@ name: Windows WMI Impersonate Token id: cf192860-2d94-40db-9a51-c04a2e8a8f8b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment. +description: The following analytic detects potential WMI token impersonation activities + in a process or command. It leverages Sysmon EventCode 10 to identify instances + where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. + This behavior is significant as it is commonly used by malware like Qakbot for privilege + escalation or defense evasion. If confirmed malicious, this activity could allow + an attacker to gain elevated privileges, evade defenses, and maintain persistence + within the environment. data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", "0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`' -how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. 
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives: administrator may execute impersonate wmi object script for auditing. Filter is needed. +search: '`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", + "0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage + TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId + GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_wmi_impersonate_token_filter`' +how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which + includes EventCode 10. This search uses an input macro named `sysmon`. We strongly + recommend that you specify your environment-specific configurations (index, source, + sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations + for your Splunk environment. The search also uses a post-filter macro designed to + filter out known false positives. +known_false_positives: administrator may execute impersonate wmi object script for + auditing. Filter is needed. references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md - https://www.joesandbox.com/analysis/278341/0/html 
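Review bot: the `known_false_positives` line is rewrapped but keeps its original wording, "administrator may execute impersonate wmi object script for auditing. Filter is needed."; since the line is already being touched, consider tidying it to something like "Administrators may execute WMI impersonation scripts for auditing purposes. Filter as needed." The search, `how_to_implement` and reference lines are a pure reflow with no change in content.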
@@ -20,44 +36,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ + to $TargetImage$ process on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 50 - impact: 50 - message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$ mitre_attack_id: - T1047 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - SourceImage - - TargetImage - - SourceProcessGUID - - TargetProcessGUID - - SourceProcessId - - TargetProcessId - - GrantedAccess - - CallTrace - - 
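Review bot: `threat_objects: []` is empty here although the new `rba.message` names `$TargetImage$` and `$GrantedAccess$`; if the rba schema supports a process-name threat object (as used for `process_name` elsewhere in this patch), `TargetImage` is the natural candidate so the risk event carries the accessed process. The score of 25 matches the removed `risk_score: 25`, and the message change from "in $dest$" to "on $dest$" is fine.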
dest - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml index 425b511c0a..7282dac398 100644 --- a/detections/endpoint/windows_wmi_process_and_service_list.yml +++ b/detections/endpoint/windows_wmi_process_and_service_list.yml 
@@ -1,18 +1,40 @@ name: Windows WMI Process And Service List id: ef3c5ef2-3f6d-4087-aa75-49bf746dc907 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies suspicious WMI command lines querying for running processes or services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line events. This activity is significant as adversaries often use WMI to gather system information and identify services on compromised machines. If confirmed malicious, this behavior could allow attackers to map out the system, identify critical services, and plan further attacks, potentially leading to privilege escalation or persistence within the environment. +description: The following analytic identifies suspicious WMI command lines querying + for running processes or services. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on specific process and command-line events. This + activity is significant as adversaries often use WMI to gather system information + and identify services on compromised machines. If confirmed malicious, this behavior + could allow attackers to map out the system, identify critical services, and plan + further attacks, potentially leading to privilege escalation or persistence within + the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN ("*process list*", "*service list*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: netowrk administrator or IT may execute this command for auditing processes and services. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process + IN ("*process list*", "*service list*") by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_wmi_process_and_service_list_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: netowrk administrator or IT may execute this command for auditing + processes and services. references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ 
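Review bot: the typo "netowrk" in `known_false_positives` is carried through the rewrap; since the line is being rewritten anyway, change it to "network administrator or IT may execute this command for auditing processes and services." The rest of the hunk is a line reflow of the search and `how_to_implement` with no content change.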
@@ -22,49 +44,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: wmi command $process$ to list processes and services on $dest$ + risk_objects: + - field: dest + type: system + score: 4 + threat_objects: [] tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 20 - impact: 20 - message: wmi command $process$ to list processes and services in $dest$ mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - 
Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 4 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml index c9ade54a7d..09fcfa736a 100644 --- a/detections/endpoint/windows_wmi_process_call_create.yml +++ b/detections/endpoint/windows_wmi_process_call_create.yml 
@@ -1,17 +1,39 @@ name: Windows WMI Process Call Create id: 0661c2de-93de-11ec-9833-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of WMI command lines used to create or execute processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line events that include specific keywords like "process," "call," and "create." This activity is significant because adversaries often use WMI to execute malicious payloads on local or remote hosts, potentially bypassing traditional security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. +description: The following analytic detects the execution of WMI command lines used + to create or execute processes. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line events that include specific keywords like + "process," "call," and "create." This activity is significant because adversaries + often use WMI to execute malicious payloads on local or remote hosts, potentially + bypassing traditional security controls. If confirmed malicious, this behavior could + allow attackers to execute arbitrary code, escalate privileges, or maintain persistence + within the environment, posing a severe threat to organizational security. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = "* process *" Processes.process = "* call *" Processes.process = "* create *" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process + = "* process *" Processes.process = "* call *" Processes.process = "* create *" + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path + Processes.process_guid Processes.parent_process_id Processes.dest Processes.user + Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators may execute this command for testing or auditing. references: - https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml 
@@ -26,43 +48,17 @@ tags: - Suspicious WMI Use - CISA AA23-347A asset_type: Endpoint - confidence: 50 - impact: 50 - message: process with $process$ commandline executed in $dest$ mitre_attack_id: - T1047 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.process_guid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 4bc5955c4f..690c5bffb5 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml 
@@ -1,11 +1,10 @@ name: WinEvent Scheduled Task Created to Spawn Shell id: 203ef0ea-9bd8-11eb-8201-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: TTP -datamodel: [] description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks @@ -45,40 +44,34 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: 'A Windows Scheduled Task was created (task name=$TaskName$) on $dest$ + with the following contents: $TaskContent$' + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: - Windows Persistence Techniques - - Windows Error Reporting Service Elevation of Privilege Vulnerability - - CISA AA22-257A - - Ryuk Ransomware - Ransomware + - Windows Error Reporting Service Elevation of Privilege Vulnerability - Scheduled Tasks - - Compromised Windows Host - Winter Vivern + - Nexus APT Threat Activity + - Compromised Windows Host + - Ryuk Ransomware + - Earth Estries + - CISA AA22-257A asset_type: Endpoint - confidence: 100 - impact: 70 - message: 'A windows scheduled task was created (task name=$TaskName$) on $dest$ - by the following command: $TaskContent$' mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Task_Name - - Description - - Command - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 9c820fee99..7c383641be 100644 
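Review bot: `version` jumps from `'6'` to `8` here (and the date moves to 2025-01-27) while the other detections in this patch increment by one; confirm this is intentional and not a merge artefact. The change of the quoted string `'6'` to the bare integer `8` is a welcome type fix. Note also that this hunk bundles a wording change to the risk message ("by the following command" becomes "with the following contents") and a reordering of `analytic_story`; keeping the original list order would reduce the diff noise and make the two genuinely new stories ("Nexus APT Threat Activity", "Earth Estries") easier to spot.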
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,11 +1,10 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: '6' -date: '2024-11-28' +version: 8 +date: '2025-01-27' author: Michael Haag, Splunk status: production type: TTP -datamodel: [] description: The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, 
@@ -46,45 +45,39 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A windows scheduled task was created (task name=$TaskName$) on $dest$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: + - Data Destruction - Windows Persistence Techniques - - Active Directory Lateral Movement - - CISA AA22-257A - - IcedID - - Prestige Ransomware - - Industroyer2 - - Ryuk Ransomware - AsyncRAT - - Data Destruction - - Ransomware + - Industroyer2 - CISA AA23-347A + - Ransomware + - Prestige Ransomware - Scheduled Tasks - - Compromised Windows Host + - IcedID - Winter Vivern + - Active Directory Lateral Movement + - Nexus APT Threat Activity + - Compromised Windows Host + - Ryuk Ransomware + - Earth Estries + - CISA AA22-257A asset_type: Endpoint - confidence: 100 - impact: 70 - message: A windows scheduled task was created (task name=$TaskName$) on $dest$ mitre_attack_id: - T1053.005 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - Task_Name - - Description - - Command - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index a9312e619e..f20cf4265e 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml 
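Review bot: as in the sibling scheduled-task detection, `analytic_story` is fully reordered so that almost every entry shows as removed and re-added; the only real additions are "Nexus APT Threat Activity" and "Earth Estries", and preserving the existing order would make that clear. The `rba` block correctly carries the previous `risk_score: 70` into `score: 70`, and the version bump from `'6'` to `8` should be checked for the same double increment flagged on the previous file.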
@@ -1,11 +1,18 @@ name: WinEvent Windows Task Scheduler Event Action Started id: b3632472-310b-11ec-9aab-acde48001122 -version: 5 -date: '2024-10-24' +version: 6 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment. +description: The following analytic detects the execution of tasks registered in Windows + Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) + from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify + potentially suspicious or unauthorized task executions. Monitoring these events + is significant for a SOC as it helps uncover evasive techniques used for persistence, + unauthorized code execution, or other malicious activities. If confirmed malicious, + this activity could lead to unauthorized access, data exfiltration, or the execution + of harmful payloads, posing a significant threat to the environment. data_source: - Windows Event Log TaskScheduler 200 - Windows Event Log TaskScheduler 201 
@@ -41,32 +48,17 @@ tags: - BlackSuit Ransomware - ValleyRAT asset_type: Endpoint - confidence: 100 - impact: 80 - message: A Scheduled Task was scheduled and ran on $dvc$. mitre_attack_id: - T1053.005 - observable: - - name: dvc - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - TaskName - - ActionName - - EventID - - dvc - - ProcessID - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml index 0283a3dbe4..71018871f9 100644 --- a/detections/endpoint/winhlp32_spawning_a_process.yml +++ b/detections/endpoint/winhlp32_spawning_a_process.yml @@ -1,7 +1,7 @@ name: Winhlp32 Spawning a Process id: d17dae9e-2618-11ec-b9f5-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
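Review bot: for this Hunting detection the `message`, `risk_score` and `observable` fields are dropped without an `rba` block, which is consistent with the other `type: Hunting` entries in the patch (rba only applies to risk-generating detections), so no action needed there. In the Winhlp32 file header hunk the version moves from `'5'` to `7`, again a two-step bump; please confirm it is intentional.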
@@ -52,56 +52,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$, and is not typical activity for this process. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Remcos - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$, and is not typical activity for this process. mitre_attack_id: - T1055 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml index 1b43d2c97f..104bc4f1d3 100644 --- a/detections/endpoint/winrar_spawning_shell_application.yml +++ b/detections/endpoint/winrar_spawning_shell_application.yml @@ -1,7 +1,7 @@ name: WinRAR Spawning Shell Application id: d2f36034-37fa-4bd4-8801-26807c15540f -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -57,6 +57,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to decode a file. + risk_objects: + - field: user + type: user + score: 70 + - field: dest + type: system + score: 70 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host 
@@ -65,46 +80,17 @@ tags: - CVE-2023-38831 asset_type: Endpoint atomic_guid: [] - confidence: 70 - impact: 100 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to decode a file. mitre_attack_id: - T1105 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 70 - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml index 82df49e04d..f7edd2a522 100644 --- a/detections/endpoint/winrm_spawning_a_process.yml +++ b/detections/endpoint/winrm_spawning_a_process.yml 
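Review bot: the new `rba.message` keeps the old wording "attempting to decode a file", which does not describe what this detection (WinRAR Spawning Shell Application) actually matches; since the message is being moved into the `rba` block anyway, consider rewording it to describe a shell or script interpreter spawned from WinRAR. The `score: 70` on both risk objects matches the removed `risk_score: 70`, and mapping `parent_process_name` and `process_name` as threat objects mirrors the removed `observable` roles.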
@@ -1,56 +1,64 @@ name: WinRM Spawning a Process id: a081836a-ba4d-11eb-8593-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Drew Church, Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment. +description: The following analytic detects suspicious processes spawned by WinRM + (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. + This activity is significant as it may indicate exploitation attempts of vulnerabilities + like CVE-2021-31166, which could lead to system instability or compromise. If confirmed + malicious, attackers could execute arbitrary commands, escalate privileges, or maintain + persistence, posing a severe threat to the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe + Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe") + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Unknown. Add new processes or filter as needed. It is possible + system management software may spawn processes from `wsmprovhost.exe`. 
references: - https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml - https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys - https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py +rba: + message: winrm.exe spawning a process observed on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - CISA AA23-347A - Rhysida Ransomware - Unusual Processes asset_type: Endpoint - confidence: 50 cve: - CVE-2021-31166 - impact: 50 - message: tbd mitre_attack_id: - T1190 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml index f33ec6f8d9..d66bc7a9ba 100644 --- a/detections/endpoint/wmi_permanent_event_subscription.yml +++ b/detections/endpoint/wmi_permanent_event_subscription.yml 
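Review bot: the new `rba.message` in the `rba` hunk reads `winrm.exe spawning a process observed on $dest$`, but the search keys on `Processes.parent_process_name=wsmprovhost.exe`, so the message names a binary the analytic never matches. The search already groups by `Processes.user`, `Processes.parent_process_name` and `Processes.process_name`, so the message can be specific, e.g. `$parent_process_name$ spawning $process_name$ observed on $dest$ by user $user$`, and `threat_objects` should carry `parent_process_name` and `process_name` rather than `[]`, as the WinRAR detection earlier in this same change does.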
@@ -1,39 +1,45 @@ name: WMI Permanent Event Subscription id: 71bfdb13-f200-4c6c-b2c9-a2e07adf437d -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack. +description: The following analytic detects the creation of permanent event subscriptions + using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data + to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." + This activity is significant because it suggests an attacker is attempting to achieve + persistence by running malicious scripts or binaries in response to specific system + events. If confirmed malicious, this could lead to severe impacts such as data theft, + ransomware deployment, or other damaging outcomes. Investigate the associated scripts + or binaries to identify the source of the attack. 
data_source: [] -search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`' -how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -known_false_positives: Although unlikely, administrators may use event subscriptions for legitimate purposes. +search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" + | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats + count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, + Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`' +how_to_implement: To successfully implement this search, you must be ingesting the + Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on + the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. +known_false_positives: Although unlikely, administrators may use event subscriptions + for legitimate purposes. 
references: [] +rba: + message: WMI Permanent Event Subscription detected on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - consumer - - ComputerName - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml index 740a35c3a2..e544a4480e 100644 --- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml +++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml 
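Review bot: in the reflowed `search`, the `rex` named capture appears as `(?[^;|^$]+)` with no group name, yet the next stage filters on `consumer!=`; if the committed YAML really reads that way the rex is invalid and the `search consumer!=...` clause never matches, so confirm the group is `(?<consumer>...)` in the file (the same pattern appears in the Temporary subscription search below). Separately, `data_source: []` and `references: []` are still empty for a detection that now writes risk; `data_source` should at least list the `Microsoft-Windows-WMI-Activity/Operational` log that `how_to_implement` tells the reader to onboard.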
@@ -1,16 +1,28 @@ name: WMI Permanent Event Subscription - Sysmon id: ad05aae6-3b2a-4f73-af97-57bd26cee3b9 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-13' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment. +description: The following analytic identifies the creation of WMI permanent event + subscriptions, which can be used to establish persistence or perform privilege escalation. + It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the + creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This + activity is significant as it may indicate an attacker setting up mechanisms to + execute code with elevated SYSTEM privileges when specific events occur. If confirmed + malicious, this could allow the attacker to maintain persistence, escalate privileges, + and execute arbitrary code, posing a severe threat to the environment. 
data_source: - Sysmon EventID 21 -search: '`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`' -how_to_implement: To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields. -known_false_positives: Although unlikely, administrators may use event subscriptions for legitimate purposes. +search: '`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, + EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`' +how_to_implement: To successfully implement this search, you must be collecting Sysmon + data using Sysmon version 6.1 or greater and have Sysmon configured to generate + alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least + version 6.0.4 of the Sysmon TA installed to properly parse the fields. +known_false_positives: Although unlikely, administrators may use event subscriptions + for legitimate purposes. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 
@@ -22,47 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: WMI Permanent Event Subscription detected on $dest$ by $user$ + risk_objects: + - field: dest + type: system + score: 30 + - field: user + type: user + score: 30 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 100 - impact: 30 - message: WMI Permanent Event Subscription detected on $dest$ by $user$ mitre_attack_id: - T1546.003 - T1546 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - host - - user - - Operation - - EventType - - Query - - Consumer - - Filter - risk_score: 30 
security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml index b9fff187de..a9610ec77c 100644 --- a/detections/endpoint/wmi_recon_running_process_or_services.yml +++ b/detections/endpoint/wmi_recon_running_process_or_services.yml 
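Review bot: the reflowed `description` and `how_to_implement` still say the analytic detects WMI EventFilters, EventConsumers and FilterToConsumerBindings via Sysmon EventCodes 19, 20 and 21, but `data_source` lists only `Sysmon EventID 21` and the search is `EventCode=21` alone, so a filter or consumer created without a binding is not surfaced. Either widen the search to `EventCode IN (19,20,21)` (the `table` already selects the `Operation`, `Query`, `Consumer` and `Filter` fields those events carry) or trim the prose to match what is actually matched; as is, the 30-point `rba` score is being justified by coverage the search does not have.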
@@ -1,15 +1,28 @@ name: WMI Recon Running Process Or Services id: b5cd5526-cce7-11eb-b3bd-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI performs an event query to list running processes or services. This detection leverages PowerShell Script Block Logging to capture and analyze script block text for specific WMI queries. This activity is significant as it is commonly used by malware and APT actors to map security applications or services on a compromised machine. If confirmed malicious, this could allow attackers to identify and potentially disable security defenses, facilitating further compromise and persistence within the environment. +description: The following analytic identifies suspicious PowerShell script execution + via EventCode 4104, where WMI performs an event query to list running processes + or services. This detection leverages PowerShell Script Block Logging to capture + and analyze script block text for specific WMI queries. This activity is significant + as it is commonly used by malware and APT actors to map security applications or + services on a compromised machine. If confirmed malicious, this could allow attackers + to identify and potentially disable security defenses, facilitating further compromise + and persistence within the environment. 
data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText= "*SELECT*" AND (ScriptBlockText="*Win32_Process*" OR ScriptBlockText="*Win32_Service*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText= "*SELECT*" AND (ScriptBlockText="*Win32_Process*" + OR ScriptBlockText="*Win32_Service*") | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wmi_recon_running_process_or_services_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Network administrator may used this command for checking purposes references: - https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/ 
@@ -22,45 +35,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious powerShell script execution by $user$ on $dest$ via EventCode + 4104, where WMI is performing an event query looking for running processes or + running services + risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: [] tags: analytic_story: - Malicious PowerShell - Hermetic Wiper - Data Destruction asset_type: Endpoint - confidence: 100 - impact: 20 - message: Suspicious powerShell script execution by $user$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services mitre_attack_id: - T1592 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - 
type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/win32process.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/win32process.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml index c37ca459ca..3a378d03c4 100644 --- a/detections/endpoint/wmi_temporary_event_subscription.yml +++ b/detections/endpoint/wmi_temporary_event_subscription.yml 
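Review bot: the `rba.message` moved in the drilldown/rba hunk keeps the `powerShell` capitalisation from the removed `message`; since this string now lands in the risk index, correct it to `PowerShell` while it is being moved. In the same file the unchanged `known_false_positives: Network administrator may used this command for checking purposes` should read `may use`. Also worth a look: `mitre_attack_id: T1592` is a pre-compromise reconnaissance technique (Gather Victim Host Information), whereas on-host `Win32_Process`/`Win32_Service` queries from PowerShell are T1047 with T1057 / T1007 as the discovery sub-goals; the RBA annotations will inherit whatever is listed here.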
@@ -1,38 +1,49 @@ name: WMI Temporary Event Subscription id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-13' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks. +description: The following analytic detects the creation of WMI temporary event subscriptions. + It leverages Windows Event Logs, specifically EventCode 5860, to identify these + activities. This detection is significant because attackers often use WMI to execute + commands, gather information, or maintain persistence within a compromised system. + If confirmed malicious, this activity could allow an attacker to execute arbitrary + code, escalate privileges, or persist in the environment. Analysts should review + the specific WMI queries and assess their intent, considering potential false positives + from legitimate administrative tasks. 
data_source: [] -search: '`wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = ''wsmprovhost.exe''" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA ''AntiVirusProduct'' OR TargetInstance ISA ''FirewallProduct'' OR TargetInstance ISA ''AntiSpywareProduct''" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`' -how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -known_false_positives: Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events. +search: "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\\ + s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE + ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent + WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' + OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime + max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`" +how_to_implement: To successfully implement this search, you must be ingesting the + Windows WMI activity logs. 
This can be done by adding a stanza to inputs.conf on + the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. +known_false_positives: Some software may create WMI temporary event subscriptions + for various purposes. The included search contains an exception for two of these + that occur by default on Windows 10 systems. You may need to modify the search to + create exceptions for other legitimate events. references: [] +rba: + message: WMI Temporary event subscription detected on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious WMI Use asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1047 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - EventCode - - Message - - query - risk_score: 25 security_domain: endpoint diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml index cc0bb3c0e5..1387e90ee7 100644 --- a/detections/endpoint/wmic_group_discovery.yml +++ b/detections/endpoint/wmic_group_discovery.yml 
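Review bot: the new `rba.message` and `risk_objects` reference `dest`, but the search ends with `stats count ... by ComputerName, query` and never renames `ComputerName` to `dest` (the Permanent subscription search does `| rename ComputerName as dest`); as written the `dest` risk object will be empty and the message will render with a blank host, so add the rename before `wmi_temporary_event_subscription_filter`. Secondary: converting the `search` scalar from single to double quotes with a `\\\` line continuation inside the regex makes the expression hard to read and review; the single-quoted form with `''` escapes used in the other WMI files is clearer, and the `(?[^;|^$]+)` capture here has the same missing group name as the Permanent subscription file.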
@@ -1,17 +1,37 @@ name: Wmic Group Discovery id: 83317b08-155b-11ec-8e00-acde48001122 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the use of `wmic.exe` to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line details. Monitoring this activity is significant as it can indicate reconnaissance efforts by an attacker to understand group memberships, which could be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out privileged groups, aiding in further exploitation and persistence within the environment. +description: The following analytic identifies the use of `wmic.exe` to enumerate + local groups on an endpoint. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs, including command-line + details. Monitoring this activity is significant as it can indicate reconnaissance + efforts by an attacker to understand group memberships, which could be a precursor + to privilege escalation or lateral movement. If confirmed malicious, this activity + could allow an attacker to map out privileged groups, aiding in further exploitation + and persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process="*group get name*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe + (Processes.process="*group get name*") by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.original_file_name Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/001/ 
@@ -20,43 +40,18 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local group discovery on $dest$ by $user$. mitre_attack_id: - T1069 - T1069.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml index 0b2b1c10ee..a45718c22e 100644 --- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml +++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml 
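Review bot: dropping `message`, `risk_score` and `observable` is consistent for a `type: Hunting` analytic with no `rba` block, but while this file is open note that `Processes.process="*group get name*"` only matches one spelling of the enumeration; `wmic group list brief` (and the `/node:` remote form) returns the same data and is missed. Consider `Processes.process IN ("*group get*", "*group list*")` so the hunt matches the T1069.001 behaviour the description claims rather than one command line.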
@@ -1,18 +1,40 @@ name: Wmic NonInteractive App Uninstallation id: bff0e7a0-317f-11ec-ab4e-acde48001122 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the use of the WMIC command-line tool attempting to uninstall applications non-interactively. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with WMIC. This activity is significant because it is uncommon and may indicate an attempt to evade detection by uninstalling security software, as seen in IcedID malware campaigns. If confirmed malicious, this behavior could allow an attacker to disable security defenses, facilitating further compromise and persistence within the environment. +description: The following analytic identifies the use of the WMIC command-line tool + attempting to uninstall applications non-interactively. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on specific command-line patterns + associated with WMIC. This activity is significant because it is uncommon and may + indicate an attempt to evade detection by uninstalling security software, as seen + in IcedID malware campaigns. If confirmed malicious, this behavior could allow an + attacker to disable security defenses, facilitating further compromise and persistence + within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process="* product *" Processes.process="*where name*" Processes.process="*call uninstall*" Processes.process="*/nointeractive*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Third party application may use this approach to uninstall applications. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe + Processes.process="* product *" Processes.process="*where name*" Processes.process="*call + uninstall*" Processes.process="*/nointeractive*" by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Third party application may use this approach to uninstall + applications. references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ tags: 
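Review bot: the `+known_false_positives:` line reads "Third party application may use this approach"; since this string is analyst-facing, make it "Third-party applications may use this approach to uninstall applications." On the reflowed `+search:`, the quoted term `Processes.process="*call` continues on the next line as `uninstall*"`; a YAML single-quoted scalar folds that single line break to one space, so the loaded pattern is still `*call uninstall*`, but splitting a wildcard literal across a fold is easy to break in a later edit, so keeping each quoted term on one line would be safer.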
@@ -20,47 +42,18 @@ tags: - IcedID - Azorult asset_type: Endpoint - confidence: 50 - impact: 50 - message: Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml index 94fc0cec69..a9fa113597 100644 --- a/detections/endpoint/wmic_xsl_execution_via_url.yml +++ b/detections/endpoint/wmic_xsl_execution_via_url.yml @@ -1,7 +1,7 @@ name: WMIC XSL Execution via URL id: 787e9dd0-4328-11ec-a029-acde48001122 -version: '5' -date: '2024-11-28' +version: 7 +date: '2024-12-10' author: Michael Haag, Splunk status: production type: TTP 
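Review bot: in the `@@ -1,7 +1,7 @@` hunk of wmic_xsl_execution_via_url.yml, `version: '5'` becomes `version: 7`, skipping 6, while every other detection in this patch is bumped by exactly one (wmic_noninteractive_app_uninstallation.yml goes 5 to 6, for example). Unless a version 6 of this detection was released elsewhere, this should be `version: 6`.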
@@ -52,56 +52,37 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script. + risk_objects: + - field: user + type: user + score: 80 + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Compromised Windows Host - Suspicious WMI Use asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script. mitre_attack_id: - T1220 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log source: 
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml index 18395735e0..1910e3c595 100644 --- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml 
@@ -1,18 +1,49 @@ name: Wmiprsve LOLBAS Execution Process Spawn id: 95a455f0-4c04-11ec-b8ac-3e22fbd008af -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `wmiprvse.exe` is the parent process and the child process is a known LOLBAS binary. This activity is significant as it may indicate lateral movement or remote code execution by an adversary abusing Windows Management Instrumentation (WMI). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk. +description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution + process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process creation events where `wmiprvse.exe` is the parent process and the child + process is a known LOLBAS binary. This activity is significant as it may indicate + lateral movement or remote code execution by an adversary abusing Windows Management + Instrumentation (WMI). If confirmed malicious, this behavior could allow attackers + to execute arbitrary code, escalate privileges, or maintain persistence within the + environment, posing a severe security risk. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may trigger this behavior, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) + (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", + "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", + "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", + "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", + "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", + "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", + "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", + "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", + "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", + "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", + "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate applications may trigger this behavior, filter as + needed. references: - https://attack.mitre.org/techniques/T1047/ - https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement 
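Review bot: in the `+search:` of wmiprsve_lolbas_execution_process_spawn.yml the child names in the `IN (...)` list are capitalised (`"Regsvcs.exe"`, `"Mshta.exe"`) while the parent is written `wmiprvse.exe` and the wscript/cscript detection in this same patch lists its children in lowercase; pick one casing convention for process names across the repository. Also `"Ttdinject.exe","Mshta.exe"` lacks the space after the comma that the rest of the list uses.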
@@ -23,45 +54,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wmiprsve.exe spawned a LOLBAS process on $dest$. + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint - confidence: 60 - impact: 90 - message: Wmiprsve.exe spawned a LOLBAS process on $dest$. 
mitre_attack_id: - T1047 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index daf0c89747..bdff837caf 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml 
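Review bot: the new `rba.message` in wmiprsve_lolbas_execution_process_spawn.yml reads `Wmiprsve.exe spawned a LOLBAS process on $dest$.`, but the binary the search actually matches is `wmiprvse.exe` (`Processes.parent_process_name=wmiprvse.exe`); since the message is new text in this hunk, spell it correctly here instead of carrying the typo over from the removed `tags.message`. Also `threat_objects: []` although the search groups by `Processes.process_name`, the spawned LOLBAS binary; consider `- field: process_name` with `type: process_name`, as the wmic_xsl_execution_via_url.yml hunk in this patch does, so the child process is attributed as a threat object.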
@@ -1,18 +1,38 @@ name: Wscript Or Cscript Suspicious Child Process id: 1f35e1da-267b-11ec-90a9-acde48001122 -version: 4 -date: '2024-11-26' +version: 5 +date: '2024-12-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that uses several application tools that are in the list of the child process it detects but a good pivot and indicator that a script may execute suspicious code. +description: This analytic identifies a suspicious spawned process by WScript or CScript + process. This technique was a common technique used by adversaries and malware to + execute different LOLBIN, other scripts like PowerShell or spawn a suspended process + to inject its code as a defense evasion. This TTP may detect some normal script + that uses several application tools that are in the list of the child process it + detects but a good pivot and indicator that a script may execute suspicious code. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("cscript.exe", "wscript.exe") Processes.process_name IN ("regsvr32.exe", "rundll32.exe","winhlp32.exe","certutil.exe","msbuild.exe","cmd.exe","powershell*","pwsh.exe","wmic.exe","mshta.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN ("cscript.exe", "wscript.exe") Processes.process_name IN ("regsvr32.exe", "rundll32.exe","winhlp32.exe","certutil.exe","msbuild.exe","cmd.exe","powershell*","pwsh.exe","wmic.exe","mshta.exe") + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wscript_or_cscript_suspicious_child_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may create vbs or js script that use several + tool as part of its execution. Filter as needed. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ 
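Review bot: the `+known_false_positives:` text "Administrators may create vbs or js script that use several tool as part of its execution" needs "scripts that use several tools as part of their execution"; and the first sentence of `+description:` ("identifies a suspicious spawned process by WScript or CScript process") would read better as "identifies a suspicious child process spawned by wscript.exe or cscript.exe". Both are analyst-facing strings, so worth fixing while these lines are being rewritten.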
@@ -22,9 +42,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: wscript or cscript parent process spawned $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 49 + - field: user + type: user + score: 49 + threat_objects: [] tags: analytic_story: - Remcos 
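Review bot: `threat_objects: []` in the new `rba:` block of wscript_or_cscript_suspicious_child_process.yml, although the message itself names `$process_name$`, the suspicious child; add `- field: process_name` with `type: process_name` (the form used in wmic_xsl_execution_via_url.yml in this patch) so the child binary is carried as a threat object. Minor: this `message:` ends without a full stop while the other new rba messages in the patch end with one.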
@@ -35,45 +70,20 @@ tags: - NjRAT - ShrinkLocker asset_type: Endpoint - confidence: 70 - impact: 70 - message: wscript or cscript parent process spawned $process_name$ in $dest$ mitre_attack_id: - T1055 - T1543 - T1134.004 - T1134 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml index 1238513d07..702bb0a66e 100644 --- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml 
@@ -1,18 +1,49 @@ name: Wsmprovhost LOLBAS Execution Process Spawn id: 2eed004c-4c0d-11ec-93e8-3e22fbd008af -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. It leverages Endpoint Detection and Response (EDR) data to detect when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off the Land Binaries and Scripts) executables. This activity is significant because it may indicate an adversary using Windows Remote Management (WinRM) to execute code on remote endpoints, a common technique for lateral movement. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. +description: The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS + execution process. It leverages Endpoint Detection and Response (EDR) data to detect + when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off + the Land Binaries and Scripts) executables. This activity is significant because + it may indicate an adversary using Windows Remote Management (WinRM) to execute + code on remote endpoints, a common technique for lateral movement. If confirmed + malicious, this could allow attackers to execute arbitrary code, escalate privileges, + or maintain persistence within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legitimate applications may trigger this behavior, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) + (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", + "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", + "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", + "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", + "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", + "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", + "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", + "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", + "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", + "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", + "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) 
agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Legitimate applications may trigger this behavior, filter as + needed. references: - https://attack.mitre.org/techniques/T1021/006/ - https://lolbas-project.github.io/ 
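Review bot: the `IN (...)` LOLBAS list in this `+search:` of wsmprovhost_lolbas_execution_process_spawn.yml is a verbatim copy of the one in wmiprsve_lolbas_execution_process_spawn.yml earlier in this patch, same entries in the same order; with two copies, every future addition has to be made twice, so consider moving the list into a lookup or macro shared by both detections. Same spacing nits as there: `"Ttdinject.exe","Mshta.exe"` and `security_content_ctime(lastTime)`| lack the spaces used elsewhere in the search.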
@@ -23,47 +54,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Wsmprovhost.exe spawned a LOLBAS process on $dest$. + risk_objects: + - field: dest + type: system + score: 54 + threat_objects: [] tags: analytic_story: - Active Directory Lateral Movement - CISA AA24-241A asset_type: Endpoint - confidence: 60 - impact: 90 - message: Wsmprovhost.exe spawned a LOLBAS process on $dest$. 
mitre_attack_id: - T1021 - T1021.006 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 54 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml index 67b3d9c1ef..14b7aa39d9 100644 --- a/detections/endpoint/wsreset_uac_bypass.yml +++ b/detections/endpoint/wsreset_uac_bypass.yml 
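Review bot: `threat_objects: []` in the new `rba` block leaves the spawned binary out of the risk annotation even though the whole point of this detection is which process Wsmprovhost.exe launched, and the removed `required_fields` list shows `Processes.process_name` and `Processes.parent_process_name` are already in the result set. Suggest mirroring what the XSL/WMIC detection in this same change does: `- field: process_name` / `type: process_name` plus the parent, so the risk event carries the executed LOLBAS binary and not only `dest`. The `score: 54` matches the removed confidence 60 x impact 70 / 100, so the numeric migration is consistent.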
@@ -1,16 +1,43 @@ name: WSReset UAC Bypass id: 8b5901bc-da63-11eb-be43-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious modification of the registry aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies the creation or modification of specific registry values under the path "*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command*". This detection uses data from Endpoint Detection and Response (EDR) agents, focusing on process and registry events. This activity is significant because UAC bypass techniques can allow attackers to execute high-privilege actions without user consent. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise. +description: The following analytic detects a suspicious modification of the registry + aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies + the creation or modification of specific registry values under the path "*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command*". + This detection uses data from Endpoint Detection and Response (EDR) agents, focusing + on process and registry events. This activity is significant because UAC bypass + techniques can allow attackers to execute high-privilege actions without user consent. + If confirmed malicious, this could lead to unauthorized code execution and potential + system compromise. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 12 - Sysmon EventID 1 AND Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command*" AND (Registry.registry_value_name = "(Default)" OR Registry.registry_value_name = "DelegateExecute") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id + Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE Registry.registry_path= "*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command*" + AND (Registry.registry_value_name = "(Default)" OR Registry.registry_value_name + = "DelegateExecute") by _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime + dest user parent_process_name parent_process process_name process_path process registry_key_name + registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. 
Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/hfiref0x/UACME @@ -21,9 +48,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious modification of registry $registry_path$ with possible payload + path $registry_value_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Windows Defense Evasion Tactics 
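Review bot: the new `rba.message` (`Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ on $dest$`) labels `$registry_value_name$` as the payload path, but the search restricts that field to `(Default)` or `DelegateExecute`, so the rendered message will never show a path. The planted payload lives in `registry_value_data`, which the search already keeps via `where isnotnull(registry_value_data)`; suggest `$registry_value_data$` in the message. This was already wrong in the removed `message` line, but since the string is being moved it is the right moment to fix it. `score: 63` equals the removed confidence 90 x impact 70 / 100, so that part is consistent.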
@@ -31,43 +71,18 @@ tags: - Windows Registry Abuse - MoonPeak asset_type: Endpoint - confidence: 90 - impact: 70 - message: Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ mitre_attack_id: - T1548.002 - T1548 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml index 29ed54a869..475bc420de 100644 --- a/detections/endpoint/xmrig_driver_loaded.yml +++ b/detections/endpoint/xmrig_driver_loaded.yml 
@@ -1,15 +1,27 @@ name: XMRIG Driver Loaded id: 90080fa6-a8df-11eb-91e4-acde48001122 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining. +description: The following analytic detects the installation of the XMRIG coinminer + driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly + associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures + and image loads. This activity is significant because XMRIG is an open-source CPU + miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed + malicious, this activity could lead to unauthorized resource consumption, degraded + system performance, and potential financial loss due to unauthorized cryptocurrency + mining. data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys" + | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded + Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `xmrig_driver_loaded_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the driver loaded and Signature from your endpoints. If you are using + Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: False positives should be limited. references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ 
@@ -19,42 +31,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$ + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - - XMRig - CISA AA22-320A + - Crypto Stealer + - XMRig asset_type: Endpoint - confidence: 100 - impact: 80 - message: A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$ mitre_attack_id: - T1543.003 - T1543 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - ImageLoaded - - Hashes - - IMPHASH - - Signature - - Signed - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml index c616cfa960..28584c4d66 100644 --- a/detections/endpoint/xsl_script_execution_with_wmic.yml +++ b/detections/endpoint/xsl_script_execution_with_wmic.yml 
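Review bot: `crytominer` in the new `rba.message` (`A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$`) is a typo inherited from the removed `message` line; as the string is being relocated anyway, correct it to `cryptominer` (and `loaded on host`). The `analytic_story` list also gains `Crypto Stealer`; XMRig is a CPU miner rather than a wallet stealer, so it is worth confirming that story is intended to cover mining activity before merging. `score: 80` matches the removed confidence 100 x impact 80 / 100.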
@@ -1,17 +1,37 @@ name: XSL Script Execution With WMIC id: 004e32e2-146d-11ec-a83f-acde48001122 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of an XSL script using the WMIC process, which is often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving WMIC and XSL files. This behavior is significant as it has been associated with the FIN7 group, known for using this technique to execute malicious scripts. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise and further malicious actions within the environment. +description: The following analytic detects the execution of an XSL script using the + WMIC process, which is often indicative of malicious activity. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + involving WMIC and XSL files. This behavior is significant as it has been associated + with the FIN7 group, known for using this technique to execute malicious scripts. + If confirmed malicious, this activity could allow attackers to execute arbitrary + code, potentially leading to system compromise and further malicious actions within + the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process + = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*" by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process_id Processes.process + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation 
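Review bot: `version` jumps from 4 to 6 while every other detection touched in this change increments by exactly one (5 to 6, 3 to 4, 4 to 5, 3 to 4). If version 5 was never published, a single bump keeps the numbering consistent; if the skip is deliberate, a one-line note in the PR description would save the next reviewer the question. The remainder of the hunk is a pure YAML reflow of the description, search and how_to_implement text with no content change.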
@@ -24,54 +44,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script. + risk_objects: + - field: user + type: user + score: 49 + - field: dest + type: system + score: 49 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - FIN7 - Suspicious WMI Use asset_type: Endpoint - confidence: 70 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script. 
mitre_attack_id: - T1220 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process_id - - Processes.process - - Processes.dest - - Processes.user - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml index 4273b605a3..108276a3d7 100644 --- a/detections/network/detect_arp_poisoning.yml +++ b/detections/network/detect_arp_poisoning.yml 
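Review bot: grammar in the new `rba.message`: `utilizing wmic to load a XSL script` should read `an XSL script`. Otherwise the migration looks right: `score: 49` equals the removed confidence 70 x impact 70 / 100, and listing `parent_process_name` and `process_name` under `threat_objects` preserves the two removed `Attacker` observables while `user` and `dest` keep the `Victim` role as risk objects.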
@@ -1,45 +1,53 @@ name: Detect ARP Poisoning id: b44bebd6-bd39-467b-9321-73971bcd1aac -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications. +description: The following analytic detects ARP Poisoning attacks by monitoring for + Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs + from Cisco devices, specifically looking for events where the ARP inspection feature + has disabled an interface due to suspicious activity. This activity is significant + because ARP Poisoning can allow attackers to intercept, modify, or disrupt network + traffic, leading to potential data breaches or denial of service. If confirmed malicious, + this could enable attackers to perform man-in-the-middle attacks, compromising the + integrity and confidentiality of network communications. data_source: [] -search: '`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. 
The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -known_false_positives: This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely). +search: '`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection" + | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime + max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| + `detect_arp_poisoning_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network + devices. The network devices must be configured with DHCP Snooping (see + https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) + and Dynamic ARP Inspection (see + https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) + and log with a severity level of minimum "5 - notification". The search also requires + that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) + is used to parse the logs from the Cisco network devices. 
+known_false_positives: This search might be prone to high false positives if DHCP + Snooping or ARP inspection has been incorrectly configured, or if a device normally + sends many ARP packets (unlikely). references: [] +rba: + message: Potential ARP poisoning detected on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1200 - T1498 - T1557 - T1557.002 - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - facility - - mnemonic - - disable_cause - - src_int_prefix_long - - src_int_suffix - - host - - src_interface - risk_score: 25 security_domain: network diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml index 4ea1f1f9c7..55d18f58b5 100644 --- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml 
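Review bot: moving the risk object from the removed `dest` observable to `host` fixes a real mismatch, since the search ends in `stats ... BY host src_interface` and never emits `dest`; likewise `message: Potential ARP poisoning detected on $host$` finally replaces the `tbd` placeholder. Two documentation gaps remain in this hunk: `references: []` and `data_source: []` stay empty even though `how_to_implement` already cites the Cisco DHCP Snooping and Dynamic ARP Inspection configuration guides and the Cisco Networks Add-on (splunkbase app 1467). Those URLs belong under `references`, and `data_source` should name the Cisco device syslog feed the search depends on, so the detection is not the only one in this change shipping with both lists empty.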
@@ -1,35 +1,57 @@ name: Detect DGA domains using pretrained model in DSDL id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk status: experimental type: Anomaly -description: The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions. +description: The following analytic identifies Domain Generation Algorithm (DGA) generated + domains using a pre-trained deep learning model. It leverages the Network Resolution + data model to analyze domain names and detect unusual character sequences indicative + of DGA activity. This behavior is significant as adversaries often use DGAs to generate + numerous domain names for command-and-control servers, making it harder to block + malicious traffic. If confirmed malicious, this activity could enable attackers + to maintain persistent communication with compromised systems, evade detection, + and execute further malicious actions. 
data_source: [] -search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`' -how_to_implement: 'Steps to deploy DGA detection model into Splunk App DSDL.\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz` - - * Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks` - - * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app. - - * Below steps need to be followed inside Jupyter lab - - * Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. 
- - * Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data` - - * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab - - * Save the notebook using the save option in jupyter notebook. - - * Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.' -known_false_positives: False positives may be present if domain name is similar to dga generated domains. +search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) + as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, + DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, + domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba + AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`' +how_to_implement: "Steps to deploy DGA detection model into Splunk App DSDL.\\ This + detection depends on the Splunk app for Data Science and Deep Learning which can + be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution + datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The + detection uses a pre-trained deep learning model that needs to be deployed in DSDL + app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. + * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\n + * Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\n + * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. 
This container + should be listed on Containers page for DSDL app.\n* Below steps need to be followed + inside Jupyter lab\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` + path using the upload option in the jupyter notebook.\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` + using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\n + * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using + the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter + notebook.\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder." +known_false_positives: False positives may be present if domain name is similar to + dga generated domains. references: - https://attack.mitre.org/techniques/T1568/002/ - https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/ - https://en.wikipedia.org/wiki/Domain_generation_algorithm +rba: + message: A potential connection to a DGA domain $domain$ was detected from host + $src$, kindly review. + risk_objects: + - field: src + type: system + score: 63 + threat_objects: + - field: domain + type: url tags: analytic_story: - Data Exfiltration @@ -38,29 +60,10 @@ tags: - Dynamic DNS - Command And Control asset_type: Endpoint - confidence: 90 - impact: 70 - message: A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review. mitre_attack_id: - T1568.002 - observable: - - name: src - type: Hostname - role: - - Victim - - name: domain - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - IPs - - src - - domain - - firstTime - - lastTime - risk_score: 63 security_domain: network 
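Review bot: the rewritten `how_to_implement` of the DGA detection still carries the stray escaped backslash in `Splunk App DSDL.\\ This`, which renders as a literal backslash, and the upload step names `pretrained_dga_model_dsdl.pynb` while the download step names `pretrained_dga_model_dsdl.ipynb`; since the string is being rewritten anyway, drop the `\\` and correct the extension to `.ipynb`. The bullet list is also uneven: the first `* Download the artifacts ...` bullet follows `...Deep-Learning-models-for-ESCU.` with only a folded line break (a space) rather than `\n`, so it runs on from the paragraph, and the next two bullets begin with `\n` plus a folded ` * ` while the rest use `\n* `, giving inconsistent indentation in the rendered text. Please use `\n* ` uniformly in front of every step.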
diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index e5a6b2fd24..10055327b4 100644 --- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml 
@@ -1,49 +1,71 @@ name: Detect DNS Data Exfiltration using pretrained model in DSDL id: 92f65c3a-168c-11ed-71eb-0242ac120012 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' status: experimental author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly data_source: [] -description: The following analytic identifies potential DNS data exfiltration using a pre-trained deep learning model. It leverages DNS request data from the Network Resolution datamodel and computes features from past events between the same source and domain. The model generates a probability score (pred_is_exfiltration_proba) indicating the likelihood of data exfiltration. This activity is significant as DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising the organization's security posture. -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`' -how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. 
This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder." -known_false_positives: False positives may be present if DNS data exfiltration request look very similar to benign DNS requests. +description: The following analytic identifies potential DNS data exfiltration using + a pre-trained deep learning model. 
It leverages DNS request data from the Network + Resolution datamodel and computes features from past events between the same source + and domain. The model generates a probability score (pred_is_exfiltration_proba) + indicating the likelihood of data exfiltration. This activity is significant as + DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If + confirmed malicious, this could lead to unauthorized data access and potential data + breaches, compromising the organization's security posture. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution + by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query + | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time + | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration + | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score + | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score + > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration + | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`' +how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk + App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning + which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network + Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. + The detection uses a pre-trained deep learning model that needs to be deployed in + DSDL app. 
Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n + * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz + Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` + Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login + to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl + container. This container should be listed on Containers page for DSDL app.\n* Below + steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz + file into `app/model/data` path using the upload option in the jupyter notebook.\n + * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz + using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz + -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb + into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save + the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` + into `notebooks/data` folder." +known_false_positives: False positives may be present if DNS data exfiltration request + look very similar to benign DNS requests. references: - https://attack.mitre.org/techniques/T1048/003/ - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ - https://en.wikipedia.org/wiki/Data_exfiltration +rba: + message: A DNS data exfiltration request was sent by this host $src$ , kindly review. 
+ risk_objects: + - field: src + type: system + score: 45 + threat_objects: + - field: query + type: domain tags: analytic_story: - DNS Hijacking - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 90 - impact: 50 - message: A DNS data exfiltration request was sent by this host $src$ , kindly review. mitre_attack_id: - T1048.003 - observable: - - name: query - type: Other - role: - - Attacker - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.message_type - - DNS.record_type - - DNS.src - - DNS.dest - - DNS.answer - risk_score: 45 security_domain: network diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml index 15626d03da..c5f4d94b92 100644 --- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml +++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml 
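Review bot: in the reflowed `how_to_implement` of detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml the untar step still extracts `app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`, a different model's archive than the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz` uploaded in the step just before it, so anyone following the steps literally gets a missing-file error from `tar`; the archive name must match. The same string lacks a `\n*` between the `.tar.gz` download and the `.ipynb` download, so the two steps render as a single bullet, and the upload step says `.pynb` where the downloaded file is `.ipynb`. Separately, the description refers to `pred_is_exfiltration_proba` while the search renames `pred_is_dns_data_exfiltration_proba`, and the new rba message has a stray space before the comma in `$src$ ,`.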
@@ -1,26 +1,40 @@ name: Detect hosts connecting to dynamic domain providers id: a1e761ac-1344-4dbd-88b2-3f34c912d359 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-15' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network. +description: The following analytic identifies DNS queries from internal hosts to + dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` + data model and cross-references them with a lookup file containing known dynamic + DNS providers. This activity is significant because attackers often use dynamic + DNS services to host malicious payloads or command-and-control servers, making it + crucial for security teams to monitor. If confirmed malicious, this activity could + allow attackers to bypass firewall blocks, evade detection, and maintain persistent + access to the network. data_source: - Sysmon EventID 22 -search: '| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`' -how_to_implement: 'First, you''ll need to ingest data from your DNS operations. 
This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`. - - This search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): - - * **Label:** DNS Query, **Field:** query - - * **Label:** DNS Answer, **Field:** answer - - * **Label:** IsDynamicDNS, **Field:** isDynDNS - - Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' -known_false_positives: Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified. +search: '| tstats `security_content_summariesonly` count values(DNS.answer) as answer + min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name("DNS")` + | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`' +how_to_implement: "First, you'll need to ingest data from your DNS operations. 
This + can be done by ingesting logs from your server or data, collected passively by Splunk + Stream or a similar solution. Specifically, data that contains the domain that is + being queried and the IP of the host originating the request must be populating + the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, + which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating + the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\n + This search produces fields (query, answer, isDynDNS) that are not yet supported + by ES Incident Review and therefore cannot be viewed when a finding is raised. + These fields contribute additional context to the finding. To see the additional + metadata, add the following fields, if not already present, to Incident Review. + Event Attributes (Configure > Incident Management > Incident Review Settings > Add + New Entry):\n* **Label:** DNS Query, **Field:** query\n* **Label:** DNS Answer, + **Field:** answer\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\n" +known_false_positives: Some users and applications may leverage Dynamic DNS to reach + out to some domains on the Internet since dynamic DNS by itself is not malicious, + however this activity must be verified. references: [] drilldown_searches: - name: View the detection results for - "$host$" 
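Review bot: the rewritten `how_to_implement` in detect_hosts_connecting_to_dynamic_domain_providers.yml drops the closing sentence and its link to the Incident Review documentation (`https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`) that the old text ended with, which leaves the "add the following fields to Incident Review" instructions with no pointer to how to do that; if the link was removed because it points at an old ES version, replace it with a current one rather than dropping it silently. The string also ends with a trailing `\n`, which adds an empty line at the end of the rendered field.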
@@ -28,9 +42,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A dns query $query$ from your infra connecting to suspicious domain in + host $host$ + risk_objects: + - field: host + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Data Protection 
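Review bot: `threat_objects: []` in this new `rba` block leaves the queried domain unmodelled even though the message interpolates `$query$`, and the DGA and DNS exfiltration detections earlier in this patch do attach their `domain`/`query` field as a threat object; consider listing `query` under `threat_objects` with the domain type used by the exfiltration detection so the dynamic DNS domain is attached to the finding. The message text itself reads awkwardly ("A dns query $query$ from your infra connecting to suspicious domain in host $host$"); something like "DNS query for dynamic DNS domain $query$ from host $host$" states the same thing more clearly.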
@@ -40,30 +67,17 @@ tags: - Dynamic DNS - Command And Control asset_type: Endpoint - confidence: 80 - impact: 70 - message: A dns query $query$ from your infra connecting to suspicious domain in host $host$ mitre_attack_id: - T1189 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.answer - - DNS.query - - host - risk_score: 56 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/network/detect_ipv6_network_infrastructure_threats.yml b/detections/network/detect_ipv6_network_infrastructure_threats.yml index 139bd9c2f3..a45007b944 100644 --- a/detections/network/detect_ipv6_network_infrastructure_threats.yml +++ b/detections/network/detect_ipv6_network_infrastructure_threats.yml 
@@ -1,14 +1,33 @@ name: Detect IPv6 Network Infrastructure Threats id: c3be767e-7959-44c5-8976-0e9c12a91ad2 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption. +description: The following analytic detects IPv6 network infrastructure threats by + identifying suspicious activities such as IP and MAC address theft or packet drops. + It leverages logs from Cisco network devices configured with First Hop Security + measures like RA Guard and DHCP Guard. This activity is significant as it can indicate + attempts to compromise network integrity and security. If confirmed malicious, attackers + could manipulate network traffic, leading to potential data interception, unauthorized + access, or network disruption. 
data_source: [] -search: '`cisco_networks` facility="SISF" mnemonic IN ("IP_THEFT","MAC_THEFT","MAC_AND_IP_THEFT","PAK_DROP") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. 
+search: '`cisco_networks` facility="SISF" mnemonic IN ("IP_THEFT","MAC_THEFT","MAC_AND_IP_THEFT","PAK_DROP") + | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix + | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac + values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) + AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) + AS dest_interface values(action) AS action count BY host src_interface | table host + src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation + action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `detect_ipv6_network_infrastructure_threats_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network + devices. The network devices must be configured with one or more First Hop Security + measures such as RA Guard, DHCP Guard and/or device tracking. See References for + more information. The search also requires that the Cisco Networks Add-on for Splunk + (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco + network devices. known_false_positives: None currently known references: - https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf 
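Review bot: `data_source: []` stays empty in detect_ipv6_network_infrastructure_threats.yml even though the search is pinned to the `cisco_networks` macro with `facility="SISF"` and `how_to_implement` requires the Cisco Networks Add-on for Splunk to parse the device logs; since the file is being revised, populate `data_source` with the Cisco device syslog source the macro selects so the metadata matches what the search actually needs.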
@@ -19,38 +38,24 @@ references: - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html +rba: + message: Suspicious IPv6 Activity on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1200 - T1498 - T1557 - T1557.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - facility - - mnemonic - - src_int_prefix_long - - src_int_suffix - - dest_int_prefix_long - - dest_int_suffix - - src_mac - - src_vlan - - vendor_explanation - - action - risk_score: 25 security_domain: network diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index 7ee2582c6a..9fa1a7f4b5 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml 
@@ -1,22 +1,28 @@ name: Detect Large Outbound ICMP Packets id: e9c102de-4d43-42a7-b1c8-8062ea297419 -version: 6 -date: '2024-11-06' +version: 9 +date: '2025-01-27' author: Rico Valdez, Dean Luxton, Splunk status: production type: TTP -description: The following analytic identifies outbound ICMP packets with a size larger than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually large ICMP packets that are not blocked and are destined for external IP addresses. This activity is significant because threat actors often use ICMP for command and control communication, and large ICMP packets can indicate data exfiltration or other malicious activities. If confirmed malicious, this could allow attackers to maintain covert communication channels, exfiltrate sensitive data, or further compromise the network. +description: The following analytic identifies outbound ICMP packets with a size larger + than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually + large ICMP packets that are not blocked and are destined for external IP addresses. + This activity is significant because threat actors often use ICMP for command and + control communication, and large ICMP packets can indicate data exfiltration or + other malicious activities. If confirmed malicious, this could allow attackers to + maintain covert communication channels, exfiltrate sensitive data, or further compromise + the network. 
data_source: - Palo Alto Network Traffic -search: >- - | tstats `security_content_summariesonly` count earliest(_time) as firstTime - latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes) as bytes from - datamodel=Network_Traffic where All_Traffic.action !=blocked (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes - > 1000 AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol - | `drop_dm_object_name("All_Traffic")` - | iplocation dest_ip - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter` +search: "| tstats `security_content_summariesonly` count earliest(_time) as firstTime\n\ + \ latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes)\n\ + as bytes from\n datamodel=Network_Traffic where All_Traffic.action !=blocked (All_Traffic.protocol=icmp\n\ + OR All_Traffic.transport=icmp) All_Traffic.bytes\n > 1000 AND NOT All_Traffic.dest_ip\ + \ IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\")\nby All_Traffic.src_ip\ + \ All_Traffic.dest_ip All_Traffic.protocol | `drop_dm_object_name(\"All_Traffic\"\ + )` | iplocation dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\ + \ | `detect_large_outbound_icmp_packets_filter`" how_to_implement: 'In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able 
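Review bot: the search in detect_large_outbound_icmp_packets.yml was converted from a readable `>-` folded block into a double-quoted scalar with embedded `\n` escapes and backslash line continuations (the `\"All_Traffic\"\` / `)`` split across two lines is the worst case), which injects literal newlines into the SPL string and makes the query very hard to review or edit by hand; keep the `>-` block scalar the old lines used, or use a plain single-quoted folded string like the other searches in this patch. The version also jumps from 6 to 9 with date 2025-01-27 while every other file here bumps by one to 2024-11-15, so this file appears to carry unrelated later changes; please confirm that is intended.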
@@ -40,41 +46,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", + "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Detect Large Outbound ICMP Packets detected from $src_ip$ to $dest_ip$ + risk_objects: + - field: dest_ip + type: system + score: 25 + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: + - Backdoor Pingpong + - Nexus APT Threat Activity - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: Detect Large Outbound ICMP Packets detected from $src_ip$ to $dest_ip$ mitre_attack_id: - T1095 - observable: - - name: dest_ip - type: IP Address - role: - - Victim - - name: src_ip - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - 
All_Traffic.action - - All_Traffic.bytes - - All_Traffic.dest_category - - All_Traffic.protocol - - All_Traffic.transport - - All_Traffic.src_ip - - All_Traffic.dest_ip - risk_score: 25 security_domain: network tests: - name: True Positive Test diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index 44b24ed199..b50a17a3f6 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml 
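Review bot: the new `rba.risk_objects` lists `dest_ip` as a `system` with score 25, but the search explicitly excludes the RFC1918 ranges, so `dest_ip` is by construction an external address and scoring it as an internal system will accumulate risk on Internet IPs the organisation does not own. The old `observable` block had the same shape (both IPs as Victim), so this is a pre-existing modelling choice, but the conversion is the moment to fix it: keep `src_ip` as the system risk object and move `dest_ip` to `threat_objects` with the appropriate IP type.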
@@ -1,53 +1,53 @@ name: Detect Outbound LDAP Traffic id: 5e06e262-d7cd-4216-b2f8-27b437e18458 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Bhavin Patel, Johan Bjerke, Splunk status: production type: Hunting -description: The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise. +description: The following analytic identifies outbound LDAP traffic to external IP + addresses. It leverages the Network_Traffic data model to detect connections on + ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity + is significant because outbound LDAP traffic can indicate potential data exfiltration + or unauthorized access attempts. If confirmed malicious, attackers could exploit + this to access sensitive directory information, leading to data breaches or further + network compromise. 
data_source: - Bro -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")` | where src_ip != dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`detect_outbound_ldap_traffic_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated. -known_false_positives: Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip + = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) + by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")` + | where src_ip != dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`detect_outbound_ldap_traffic_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data + from Next Generation Firewalls like Palo Alto Networks Firewalls or other network + control devices that mediate the traffic allowed into an environment. 
The search + requires the Network_Traffic data model to be populated. +known_false_positives: Unknown at this moment. Outbound LDAP traffic should not be + allowed outbound through your perimeter firewall. Please check those servers to + verify if the activity is legitimate. references: - https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ tags: analytic_story: - Log4Shell CVE-2021-44228 asset_type: Endpoint - confidence: 80 cve: - CVE-2021-44228 - impact: 70 - message: An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ mitre_attack_id: - T1190 - T1059 - observable: - - name: src_ip - type: IP Address - role: - - Victim - - name: dest_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_ip - - All_Traffic.dest_port - - All_Traffic.src_ip - risk_score: 56 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/log4shell_ldap_traffic/pantraffic.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/log4shell_ldap_traffic/pantraffic.log sourcetype: pan:traffic source: pan:traffic diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index 8917f723bc..3a2cbf6989 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml 
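Review bot: In detect_outbound_ldap_traffic.yml the re-wrapped `search` still carries an operator precedence problem in the `where` clause: `All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (...)` evaluates as `389 OR (636 AND NOT private)`, so the RFC1918 exclusion never applies to port 389 and ordinary internal LDAP binds to domain controllers will match. Since the line is being rewritten for the version bump anyway, parenthesize the port test: `where (All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636) AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR ...)`. For other reviewers: removing `message`, `observable`, `required_fields` and `risk_score` without adding an `rba:` block is expected here because this detection is `type: Hunting`, unlike the other files in this patch.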
@@ -1,68 +1,68 @@ name: Detect Outbound SMB Traffic id: 1bed7774-304a-4e8f-9d72-d80e45ff492b -version: 6 -date: '2024-10-16' +version: 7 +date: '2024-11-15' author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss status: experimental type: TTP -description: The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise. +description: The following analytic detects outbound SMB (Server Message Block) connections + from internal hosts to external servers. It identifies this activity by monitoring + network traffic for SMB requests directed towards the Internet, which are unusual + for standard operations. This detection is significant for a SOC as it can indicate + an attacker's attempt to retrieve credential hashes through compromised servers, + a key step in lateral movement and privilege escalation. If confirmed malicious, + this activity could lead to unauthorized access to sensitive data and potential + full system compromise. 
data_source: [] search: >- - | tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10") by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port - | `drop_dm_object_name("All_Traffic")` - | `security_content_ctime(start_time)` - | `security_content_ctime(end_time)` - | iplocation dest_ip + | tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) + as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app + values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed + All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") + AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT + All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10") + by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port + | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(start_time)` | + `security_content_ctime(end_time)` | iplocation dest_ip | `detect_outbound_smb_traffic_filter` -how_to_implement: 'This search also requires you to be ingesting your network traffic - and populating the Network_Traffic data model' +how_to_implement: This search also requires you to be ingesting your network traffic + and populating the Network_Traffic data model known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity 
Framework. Categorize the internal CIDR blocks as `internal` in the - lookup file to avoid creating notable events for traffic destined to those CIDR + lookup file to avoid creating findings for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary. references: [] +rba: + message: An outbound SMB connection from $src_ip$ in your infrastructure connecting + to dest ip $dest_ip$ + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: dest_ip + type: ip_address tags: analytic_story: - Hidden Cobra Malware - DHS Report TA18-074A - NOBELIUM Group asset_type: Endpoint - confidence: 50 - impact: 50 - message: An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ mitre_attack_id: - T1071.002 - T1071 - observable: - - name: src_ip - type: IP Address - role: - - Victim - - name: dest_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.action - - All_Traffic.app - - All_Traffic.dest_ip - - All_Traffic.dest_port - - sourcetype - - All_Traffic.src_ip - - All_Traffic.direction - risk_score: 25 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log sourcetype: bro:conn:json source: conn.log diff --git a/detections/network/detect_port_security_violation.yml b/detections/network/detect_port_security_violation.yml index e131336825..66a16461fd 100644 
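Review bot: In detect_outbound_smb_traffic.yml the new `rba:` block keeps the previous `risk_score: 25` on `src_ip`, which is fine, but the `known_false_positives` text still tells users to categorize internal CIDR blocks as `internal` in the Assets and Identity lookup while the search hardcodes the private ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `100.64.0.0/10`) in the `tstats where` clause, so that advice has no effect on this detection; either reference the lookup in the search or drop that sentence. The `data_source: []` context line is also worth filling now (the test uses `bro:conn:json`), since `required_fields` is being removed and the data source list becomes the only hint about what telemetry the search needs.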
--- a/detections/network/detect_port_security_violation.yml +++ b/detections/network/detect_port_security_violation.yml 
@@ -1,48 +1,53 @@ name: Detect Port Security Violation id: 2de3d5b8-a4fa-45c5-8540-6d071c194d24 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects port security violations on Cisco switches. It leverages logs from Cisco network devices, specifically looking for events with mnemonics indicating port security violations. This activity is significant because it indicates an unauthorized device attempting to connect to a secured port, potentially bypassing network access controls. If confirmed malicious, this could allow an attacker to gain unauthorized access to the network, leading to data exfiltration, network disruption, or further lateral movement within the environment. +description: The following analytic detects port security violations on Cisco switches. + It leverages logs from Cisco network devices, specifically looking for events with + mnemonics indicating port security violations. This activity is significant because + it indicates an unauthorized device attempting to connect to a secured port, potentially + bypassing network access controls. If confirmed malicious, this could allow an attacker + to gain unauthorized access to the network, leading to data exfiltration, network + disruption, or further lateral movement within the environment. 
data_source: [] -search: '`cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="psecure-violation") OR (facility="PORT_SECURITY" mnemonic="PSECURE_VIOLATION" OR mnemonic="PSECURE_VIOLATION_VLAN") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -known_false_positives: This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network. 
+search: '`cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="psecure-violation") + OR (facility="PORT_SECURITY" mnemonic="PSECURE_VIOLATION" OR mnemonic="PSECURE_VIOLATION_VLAN") + | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime + max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS + src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network + devices. The network devices must be configured with Port Security and Error Disable + for this to work (see + https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) + and log with a severity level of minimum "5 - notification". The search also requires + that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) + is used to parse the logs from the Cisco network devices. +known_false_positives: This search might be prone to high false positives if you have + malfunctioning devices connected to your ethernet ports or if end users periodically + connect physical devices to the network. 
references: [] +rba: + message: Port Securtiy Violation on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1200 - T1498 - T1557 - T1557.002 - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - facility - - mnemonic - - disable_cause - - src_int_prefix_long - - src_int_suffix - - src_mac - - src_vlan - - action - - host - - src_interface - risk_score: 25 security_domain: network diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index 5026122208..f7744a4f63 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml 
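Review bot: Typo in the new `rba.message` of detect_port_security_violation.yml: `Port Securtiy Violation on $host$` should read `Port Security Violation on $host$`; this string is copied into every risk event and finding, so fix it before merge. The rest of the block looks right: `host` is a `by` field of the search, which correctly replaces the old `observable` on `dest`, a field the search never produced.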
@@ -1,16 +1,39 @@ name: Detect Remote Access Software Usage DNS id: a16b797d-e309-41bd-8ba0-5067dae2e4be -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-15' author: Steven Dick status: production type: Anomaly -description: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly. +description: The following analytic detects DNS queries to domains associated with + known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. + This detection is crucial as adversaries often use these tools to maintain access + and control over compromised environments. Identifying such behavior is vital for + a Security Operations Center (SOC) because unauthorized remote access can lead to + data breaches, ransomware attacks, and other severe impacts if these threats are + not mitigated promptly. data_source: - Sysmon EventID 22 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_dns_filter`' -how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device-based exceptions for this set of detections. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src + DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain + AS query OUTPUT isutility, description as signature, comment_reference as desc, + category | eval dest = query | search isutility = True | `remote_access_software_usage_exceptions` + | `detect_remote_access_software_usage_dns_filter`' +how_to_implement: To implement this search, you must ingest logs that contain the + DNS query and the source of the query. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the DNS logs. The logs must also + be mapped to the `Network_Resolution` data model. Use the Splunk Common Information + Model (CIM) to normalize the field names and speed up the data modeling process. 
+ The "exceptions" macro leverages both an Assets and Identities lookup, as well as + a KVStore collection called "remote_software_exceptions" that lets you track and + maintain device-based exceptions for this set of detections. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. Known false + positives can be added to the remote_access_software_usage_exception.csv lookup + to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
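Review bot: In detect_remote_access_software_usage_dns.yml the version jumps from 4 to 6 in one change; confirm that is intended, otherwise bump to 5 so the history stays contiguous. Also, the rewritten `how_to_implement` and `known_false_positives` paragraphs still disagree about where exceptions live: the first names a KVStore collection `remote_software_exceptions`, the second a `remote_access_software_usage_exception.csv` lookup. Since both paragraphs are being rewritten, align them on the object the `remote_access_software_usage_exceptions` macro actually reads.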
@@ -21,45 +44,49 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +- name: Investigate traffic to $query$ + search: '| from datamodel:Network_Resolution.DNS | search src=$src$ query=$query$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A domain for a known remote access software $query$ was contacted by $src$. + risk_objects: + - field: src + type: system + score: 25 + threat_objects: + - field: query + type: domain + - field: signature + type: signature tags: analytic_story: - Insider Threat - Command And Control - Ransomware - CISA AA24-241A + - Remote Monitoring and Management Software asset_type: Endpoint - confidence: 20 - impact: 20 - message: A domain for a known remote access software $query$ was contacted by $src$. 
mitre_attack_id: - T1219 - observable: - - name: src - type: Hostname - role: - - Victim - - name: query - type: Hostname - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.src - - DNS.query - - DNS.answer - risk_score: 4 security_domain: endpoint manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index 032d96a64a..526fe6f906 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml 
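Review bot: The new `rba` block raises this detection's score from the previous `risk_score: 4` (confidence 20, impact 20) to `score: 25` on `src`; that is a large change in risk contribution for an Anomaly that the description says can fire on legitimately used remote access tools, so it should be called out in the PR description or set closer to the old value. In the added drilldown `| from datamodel:Network_Resolution.DNS | search src=$src$ query=$query$`, quote the substituted tokens (`src="$src$" query="$query$"`) the way the existing risk drilldown does with `IN ("$src$")`, so hostnames or queries containing characters SPL treats specially do not break the search.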
@@ -1,16 +1,38 @@ name: Detect Remote Access Software Usage Traffic id: 885ea672-07ee-475a-879e-60d28aa5dd42 -version: 4 -date: '2024-09-30' +version: 6 +date: '2024-11-15' author: Steven Dick status: production type: Anomaly -description: The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security. +description: The following analytic detects network traffic associated with known + remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. + It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in + Splunk. This activity is significant because adversaries often use remote access + tools to maintain unauthorized access to compromised environments. If confirmed + malicious, this activity could allow attackers to control systems remotely, exfiltrate + data, or deploy additional malware, posing a severe threat to the organization's + security. 
data_source: - Palo Alto Network Traffic -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_traffic_filter`' -how_to_implement: The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device- based exceptions for this set of detections. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from + datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | + `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | lookup remote_access_software remote_appid AS app OUTPUT isutility, description + as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` + | `detect_remote_access_software_usage_traffic_filter`' +how_to_implement: The following analytic was developed with Palo Alto traffic logs. + Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. The "exceptions" macro leverages both + an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" + that lets you track and maintain device- based exceptions for this set of detections. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. Known false + positives can be added to the remote_access_software_usage_exception.csv lookup + to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
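Review bot: In the rewrapped `how_to_implement` of detect_remote_access_software_usage_traffic.yml the stray space in `device- based` survives from the old line; make it `device-based`. The same version jump from 4 to 6 as in the DNS sibling appears here; confirm that is intended.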
@@ -22,42 +44,50 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +- name: Investigate application traffic for $app$ + search: '| from datamodel:Network_Traffic.All_Traffic | search src=$src$ app=$app$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Application traffic for a known remote access software [$signature$] was + detected from $src$. + risk_objects: + - field: src + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: signature + type: signature tags: analytic_story: - Insider Threat - Command And Control - Ransomware + - Remote Monitoring and Management Software asset_type: Network - confidence: 50 - impact: 50 - message: Application traffic for a known remote access software [$signature$] was detected from $src$. 
mitre_attack_id: - T1219 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.src - - All_Traffic.dest - - All_Traffic.app - - All_Traffic.dest_port - - user - risk_score: 25 security_domain: network manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log source: screenconnect_palo_traffic sourcetype: pan:traffic diff --git a/detections/network/detect_rogue_dhcp_server.yml b/detections/network/detect_rogue_dhcp_server.yml index c147af50ac..bd2155d10b 100644 --- a/detections/network/detect_rogue_dhcp_server.yml +++ b/detections/network/detect_rogue_dhcp_server.yml 
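Review bot: The new `rba` block adds `user` as a second risk object, but `user` comes from `latest(user) as user` in a `tstats` over `datamodel=Network_Traffic`, where it is not referenced as an `All_Traffic.*` field, so it will usually be null; a risk object on a null field yields risk events with an empty entity. Either use `All_Traffic.user` in the search (and confirm the Palo Alto traffic add-on populates it) or drop the `user` risk object. The added drilldown `search src=$src$ app=$app$` should quote its tokens the way the risk drilldown above it does.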
@@ -1,42 +1,49 @@ name: Detect Rogue DHCP Server id: 6e1ada88-7a0d-4ac1-92c6-03d354686079 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network. +description: The following analytic identifies the presence of unauthorized DHCP servers + on the network. It leverages logs from Cisco network devices with DHCP Snooping + enabled, specifically looking for events where DHCP leases are issued from untrusted + ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle + attacks, leading to potential data interception and network disruption. If confirmed + malicious, this could allow attackers to redirect network traffic, capture sensitive + information, and compromise the integrity of the network. data_source: [] -search: '`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. 
The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -known_false_positives: This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface. +search: '`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT" + | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) + AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| + `detect_rogue_dhcp_server_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network + devices. The network devices must be configured with DHCP Snooping enabled (see + https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) + and log with a severity level of minimum "5 - notification". The search also requires + that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) + is used to parse the logs from the Cisco network devices. +known_false_positives: This search might be prone to high false positives if DHCP + Snooping has been incorrectly configured or in the unlikely event that the DHCP + server has been moved to another network interface. 
references: [] +rba: + message: DHCP Snooping detected by $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1200 - T1498 - T1557 - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - facility - - mnemonic - - message_type - - src_mac - - host - risk_score: 25 security_domain: network diff --git a/detections/network/detect_snicat_sni_exfiltration.yml b/detections/network/detect_snicat_sni_exfiltration.yml index c9ccd011f4..764d23f8b2 100644 --- a/detections/network/detect_snicat_sni_exfiltration.yml +++ b/detections/network/detect_snicat_sni_exfiltration.yml 
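Review bot: The new `rba.message` in detect_rogue_dhcp_server.yml, `DHCP Snooping detected by $host$`, names the feature rather than the finding: the search matches `DHCP_SNOOPING_UNTRUSTED_PORT`, that is, DHCP server traffic arriving on an untrusted port, which is the rogue-server signal the description talks about. Something like `Possible rogue DHCP server on untrusted port reported by $host$` tells the analyst what happened. Replacing `message: tbd` and dropping the `observable` on `dest` (a field this search never produces) are the right changes.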
@@ -1,41 +1,47 @@ name: Detect SNICat SNI Exfiltration id: 82d06410-134c-11eb-adc1-0242ac120002 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity. +description: The following analytic identifies the use of SNICat tool commands within + the TLS SNI field, indicating potential data exfiltration attempts. It leverages + Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, + EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant + as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, + this could allow attackers to exfiltrate sensitive data undetected, posing a severe + threat to data confidentiality and integrity. data_source: [] -search: '`zeek_ssl` | rex field=server_name "(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`' -how_to_implement: You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. 
You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place. +search: '`zeek_ssl` | rex field=server_name "(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" + | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip + dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`' +how_to_implement: You must be ingesting Zeek SSL data into Splunk. Zeek data should + also be getting ingested in JSON format. We are detecting when any of the predefined + SNICat commands are found within the server_name (SNI) field. These commands are + LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further + once this has been detected, and run other searches to decode the SNI data to prove + or disprove if any data exfiltration has taken place. known_false_positives: Unknown references: - https://www.mnemonic.io/resources/blog/introducing-snicat/ - https://github.com/mnemonic-no/SNIcat - https://attack.mitre.org/techniques/T1041/ +rba: + message: Possible SNICat activity from $src_ip$ + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Data Exfiltration asset_type: Network - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1041 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - server_name - - src_ip - - dest_ip - risk_score: 25 security_domain: network diff --git a/detections/network/detect_software_download_to_network_device.yml b/detections/network/detect_software_download_to_network_device.yml index 48bdda0511..d11e5395c6 100644 --- a/detections/network/detect_software_download_to_network_device.yml +++ b/detections/network/detect_software_download_to_network_device.yml 
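Review bot: the `rex` in the `search` block, in both the removed and the added lines, reads `(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)` with no capture-group name, yet the following `stats count by src_ip dest_ip server_name snicat` depends on a field named `snicat` that only a named group such as `(?<snicat>...)` would create; please confirm the group name survived the reflow and was not stripped as markup before merging. Two smaller points in the same hunk: the pattern matches `CD`, but neither `description` nor `how_to_implement` lists it among the SNICat commands, and `| where count>0` placed after `stats count by ...` never filters anything and can be dropped.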
@@ -1,42 +1,52 @@ name: Detect Software Download To Network Device id: cc590c66-f65f-48f2-986a-4797244762f8 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network. +description: The following analytic identifies unauthorized software downloads to + network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing + network traffic events on specific ports (69, 21, 22) from devices categorized as + network, router, or switch. This activity is significant because adversaries may + exploit netbooting to load unauthorized operating systems, potentially compromising + network integrity. If confirmed malicious, this could lead to unauthorized control + over network devices, enabling further attacks, data exfiltration, or persistent + access within the network. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`' -how_to_implement: This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory. -known_false_positives: This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND + All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) + OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination + AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch + by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`' +how_to_implement: This search looks for Network Traffic events to TFTP, FTP or SSH/SCP + ports from network devices. Make sure to tag any network devices as network, router + or switch in order for this detection to work. If the TFTP traffic doesn't traverse + a firewall nor packet inspection, these events will not be logged. This is typically + an issue if the TFTP server is on the same subnet as the network device. There is + also a chance of the network device loading software using a DHCP assigned IP address + (netboot) which is not in the Asset inventory. +known_false_positives: This search will also report any legitimate attempts of software + downloads to network devices as well as outbound SSH sessions from network devices. 
references: [] +rba: + message: Potentially unauthorized software download to $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1542.005 - T1542 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.transport - - All_Traffic.dest_port - - All_Traffic.dest_category - - All_Traffic.src_category - - All_Traffic.src - - All_Traffic.dest - risk_score: 25 security_domain: network diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml index f10c2c5a70..65c406f40c 100644 --- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml 
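Review bot: the `where` clause in the reflowed `search` has an operator-precedence problem (pre-existing, but this rewrite is the moment to fix it). In SPL `AND` binds tighter than `OR`, so `... OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch` applies the repository exclusion and the `network` source filter only to the port-22 branch, while a bare `src_category=router` or `src_category=switch` matches any traffic from those devices on any port. Group it as `((udp AND 69) OR (tcp AND 21) OR (tcp AND 22)) AND dest_category!=common_software_repo_destination AND (src_category=network OR src_category=router OR src_category=switch)`. Also, per `how_to_implement` the network device is the `src` of these events (`src_category=network`), so the device being loaded with software is `$src$`, whereas the new `rba.risk_objects` points at `dest`, the TFTP/FTP/SSH server; consider adding `src` as a `system` risk object so the score lands on the device at risk.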
@@ -1,67 +1,68 @@ name: Detect suspicious DNS TXT records using pretrained model in DSDL id: 92f65c3a-968c-11ed-a1eb-0242ac120002 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk status: experimental type: Anomaly -description: The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security. +description: The following analytic identifies suspicious DNS TXT records using a + pre-trained deep learning model. It leverages DNS response data from the Network + Resolution data model, categorizing TXT records into known types via regular expressions. + Records that do not match known patterns are flagged as suspicious. This activity + is significant as DNS TXT records can be used for data exfiltration or command-and-control + communication. If confirmed malicious, attackers could use these records to covertly + transfer data or receive instructions, posing a severe threat to network security. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`' -how_to_implement: 'Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. - - * Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`. - - * Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`. - - * Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app. - - * Below steps need to be followed inside Jupyter lab. 
- - * Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook. - - * Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`. - - * Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab. - - * Save the notebook using the save option in Jupyter notebook. - - * Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.' -known_false_positives: False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND + DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` + | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, + text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | + rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > + 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`' +how_to_implement: "Steps to deploy detect suspicious DNS TXT records model into Splunk + App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning + which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network + Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. 
+ The detection uses a pre-trained deep learning model that needs to be deployed in + DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n + * Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\n + * Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` + Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\n + * Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` + container. This container should be listed on Containers page for DSDL app.\n* Below + steps need to be followed inside Jupyter lab.\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` + file into `app/model/data` path using the upload option in the jupyter notebook.\n + * Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` + using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz + -C app/model/data`.\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` + into Jupyter lab notebooks folder using the upload option in Jupyter lab.\n* Save + the notebook using the save option in Jupyter notebook.\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` + into `notebooks/data` folder." +known_false_positives: False positives may be present if DNS TXT record contents are + similar to benign DNS TXT record contents. references: - https://attack.mitre.org/techniques/T1071/004/ - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ - https://en.wikipedia.org/wiki/TXT_record +rba: + message: A suspicious DNS TXT response was detected on host $src$ , kindly review. 
+ risk_objects: + - field: src + type: system + score: 45 + threat_objects: [] tags: analytic_story: - DNS Hijacking - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 90 - impact: 50 - message: A suspicious DNS TXT response was detected on host $src$ , kindly review. mitre_attack_id: - T1568.002 - observable: - - name: answer - type: Other - role: - - Attacker - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.message_type - - DNS.record_type - - DNS.src - - DNS.dest - - DNS.answer - risk_score: 45 security_domain: network diff --git a/detections/network/detect_traffic_mirroring.yml b/detections/network/detect_traffic_mirroring.yml index fb4ac5bf17..a8121dd68b 100644 --- a/detections/network/detect_traffic_mirroring.yml +++ b/detections/network/detect_traffic_mirroring.yml 
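Review bot: `threat_objects: []` in this hunk drops the `answer` observable (role Attacker) that the removed `observable` block carried, and the TXT record content, surfaced by the search as `text` (`rename answer as text`), is the main pivot an analyst has for a flagged record; consider carrying it over as a threat object rather than leaving the list empty. Two smaller points in the same hunk: the bullet `* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb\` into Jupyter lab notebooks folder` has an unbalanced backtick (missing before the filename) that the conversion to a double-quoted scalar preserved, and `rba.message` reads `... on host $src$ , kindly review.` with a stray space before the comma.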
@@ -1,41 +1,52 @@ name: Detect Traffic Mirroring id: 42b3b753-5925-49c5-9742-36fa40a73990 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network. +description: The following analytic detects the initiation of traffic mirroring sessions + on Cisco network devices. It leverages logs with specific mnemonics and facilities + related to traffic mirroring, such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." + This activity is significant because adversaries may use traffic mirroring to exfiltrate + data by duplicating and forwarding network traffic to an external destination. If + confirmed malicious, this could allow attackers to capture sensitive information, + monitor network communications, and potentially compromise the integrity and confidentiality + of the network. data_source: [] -search: '`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. 
The network devices must log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring. -known_false_positives: This search will return false positives for any legitimate traffic captures by network administrators. +search: '`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" + mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" + command="monitor session*") | stats min(_time) AS firstTime max(_time) AS lastTime + count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + | `detect_traffic_mirroring_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network + devices. The network devices must log with a severity level of minimum "5 - notification". + The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) + is used to parse the logs from the Cisco network devices and that the devices have + been configured according to the documentation of the Cisco Networks Add-on. Also + note that an attacker may disable logging from the device prior to enabling traffic + mirroring. +known_false_positives: This search will return false positives for any legitimate + traffic captures by network administrators. 
references: [] +rba: + message: Traffic Mirroring Session observed on $host$ + risk_objects: + - field: host + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Router and Infrastructure Security asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1200 - T1020 - T1498 - T1020.001 - observable: - - name: dest - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - facility - - mnemonic - - host - risk_score: 25 security_domain: network diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml index 7ca657267b..8462ce9b21 100644 --- a/detections/network/detect_unauthorized_assets_by_mac_address.yml +++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml 
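Review bot: the `CFGLOG_LOGGEDCMD` branch of the `search` matches on `command="monitor session*"`, but `stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic` discards `command`, so neither the result nor the `rba.message` (`Traffic Mirroring Session observed on $host$`) shows which `monitor session` command was actually logged. Adding `values(command) AS command` to the `stats` and referencing it in the message would keep the evidence the detection is keyed on, and is cheap because `command` is only populated for that one mnemonic.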
@@ -1,36 +1,48 @@ name: Detect Unauthorized Assets by MAC address id: dcfd6b40-42f9-469d-a433-2e53f7489ff4 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration. +description: The following analytic identifies unauthorized devices attempting to + connect to the organization's network by inspecting DHCP request packets. It detects + this activity by comparing the MAC addresses in DHCP requests against a list of + known authorized devices stored in the assets_by_str.csv file. This activity is + significant for a SOC because unauthorized devices can pose security risks, including + potential data breaches or network disruptions. If confirmed malicious, this activity + could allow an attacker to gain unauthorized network access, potentially leading + to further exploitation or data exfiltration. 
data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`' -how_to_implement: This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated. -known_false_positives: This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Sessions + where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac + | dedup All_Sessions.dest_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` + | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`' +how_to_implement: This search uses the Network_Sessions data model shipped with Enterprise + Security. 
It leverages the Assets and Identity framework to populate the assets_by_str.csv + file located in SA-IdentityManagement, which will contain a list of known authorized + organizational assets including their MAC addresses. Ensure that all inventoried + systems have their MAC address populated. +known_false_positives: This search might be prone to high false positives. Please + consider this when conducting analysis or investigations. Authorized devices may + be detected as unauthorized. If this is the case, verify the MAC address of the + system responsible for the false positive and add it to the Assets and Identity + framework with the proper information. references: [] +rba: + message: Potentially Unauthorized Device observed + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Asset Tracking asset_type: Infrastructure - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Sessions.signature - - All_Sessions.src_ip - - All_Sessions.dest_mac - risk_score: 25 security_domain: network diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml index 589e454499..b38c1ece41 100644 --- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml +++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml 
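Review bot: `rba.risk_objects` in this hunk names `field: dest`, but the search outputs `dest_ip` and `dest_mac` (`by All_Sessions.dest_ip All_Sessions.dest_mac`, then `drop_dm_object_name`), so no `dest` field exists for risk attribution and the risk event will be written without a system. The removed `observable` block had the same mismatch, so this is the chance to fix it with `field: dest_ip` (or `dest_mac`). The message `Potentially Unauthorized Device observed` carries no field token either; `Potentially unauthorized device $dest_mac$ observed at $dest_ip$` would make the notable self-describing. Minor: `description` and `how_to_implement` refer to `assets_by_str.csv` while the search reads the `asset_lookup_by_str` lookup; name both consistently so readers are not sent to the wrong object.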
@@ -1,37 +1,46 @@ name: Detect Windows DNS SIGRed via Splunk Stream id: babd8d10-d073-11ea-87d0-0242ac130003 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks. +description: The following analytic detects attempts to exploit the SIGRed vulnerability + (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data + to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This + activity is significant because SIGRed is a critical wormable vulnerability that + allows remote code execution. If confirmed malicious, an attacker could gain unauthorized + access, execute arbitrary code, and potentially disrupt services, leading to severe + data breaches and infrastructure compromise. Immediate investigation and remediation + are crucial to mitigate these risks. data_source: [] -search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count' -how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP. 
We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment. +search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) + | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` + bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats + count by flow_id | where count>1 | fields - count' +how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We + are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size + via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with + configurations for your Splunk environment. known_false_positives: unknown references: [] +rba: + message: Potential SIGRed activity detected + risk_objects: + - field: flow_id + type: other + score: 25 + threat_objects: [] tags: analytic_story: - Windows DNS SIGRed CVE-2020-1350 asset_type: Endpoint - confidence: 50 cve: - CVE-2020-1350 - impact: 50 - message: tbd mitre_attack_id: - T1203 - observable: - - name: flow_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: network diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml index 8349550848..6b0df85392 100644 --- a/detections/network/detect_windows_dns_sigred_via_zeek.yml +++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml 
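Review bot: the new `rba.risk_objects` entry uses `field: flow_id` with `type: other`, and because the search ends in `stats count by flow_id | where count>1 | fields - count` every other field is gone, so the resulting risk event cannot be attributed to the DNS server (or any asset) at all. Consider keeping the server address in the `stats ... by` clause and making it the `system` risk object, with `flow_id` retained for pivoting. `rba.message` (`Potential SIGRed activity detected`) also carries no field token; `$flow_id$` at minimum. Separately, `how_to_implement` tells the reader to replace macro definitions `'stream:dns'` and `'stream:tcp'`, while the search uses `` `stream_dns` `` and `` `stream_tcp` ``; the colon forms are sourcetypes, not macro names, so the text should name the macros.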
@@ -1,41 +1,48 @@ name: Detect Windows DNS SIGRed via Zeek id: c5c622e4-d073-11ea-87d0-0242ac130003 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-15' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial. +description: The following analytic detects the presence of SIGRed, a critical DNS + vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query + types (SIG and KEY) and checks for high data transfer within a flow. This detection + is significant because SIGRed allows attackers to execute remote code on Windows + DNS servers, potentially leading to unauthorized access and control. If confirmed + malicious, this activity could result in data exfiltration, service disruption, + or further network compromise. Immediate investigation and mitigation, such as patching + or isolating the affected server, are crucial. 
data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count' -how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution + where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id + | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic + where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id + as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id + | where count>1 | fields - count' +how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek + data should also be getting ingested in JSON format. We are detecting SIG and KEY + records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The + Network Resolution and Network Traffic datamodels are in use for this search. 
known_false_positives: unknown references: [] +rba: + message: Potential SIGRed activity detected + risk_objects: + - field: flow_id + type: other + score: 25 + threat_objects: [] tags: analytic_story: - Windows DNS SIGRed CVE-2020-1350 asset_type: Endpoint - confidence: 50 cve: - CVE-2020-1350 - impact: 50 - message: tbd mitre_attack_id: - T1203 - observable: - - name: flow_id - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.query_type - - DNS.flow_id - - All_Traffic.bytes_in - - All_Traffic.flow_id - risk_score: 25 security_domain: endpoint diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml index 732d12911e..94fadd635c 100644 --- a/detections/network/detect_zerologon_via_zeek.yml +++ b/detections/network/detect_zerologon_via_zeek.yml 
@@ -1,43 +1,52 @@ name: Detect Zerologon via Zeek id: bf7a06ec-f703-11ea-adc1-0242ac120002 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Shannon Davis, Splunk status: experimental type: TTP -description: 'The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization''s IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.' +description: "The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 + vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific + operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. + This activity is significant because it indicates an attempt to gain unauthorized + access to a domain controller, potentially leading to a complete takeover of an + organization's IT infrastructure. If confirmed malicious, the impact could be severe, + including data theft, ransomware deployment, or other devastating outcomes. Immediate + investigation of the identified IP addresses and RPC operations is crucial." 
data_source: [] -search: '`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`' -how_to_implement: You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field. +search: '`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) + | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) + as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) + as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 + passcount>0 | search `detect_zerologon_via_zeek_filter`' +how_to_implement: You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should + also be getting ingested in JSON format. We are detecting when all three RPC operations + (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app + via bro:rpc:json. These three operations are then correlated on the Zeek UID field. 
known_false_positives: unknown references: - https://www.secura.com/blog/zero-logon - https://github.com/SecuraBV/CVE-2020-1472 - https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a +rba: + message: Potential Zerologon activity detected + risk_objects: + - field: dest_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Detect Zerologon Attack - Rhysida Ransomware asset_type: Network - confidence: 50 cve: - CVE-2020-1472 - impact: 50 - message: tbd mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - operation - risk_score: 25 security_domain: network diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml index 6746816a73..629215e272 100644 --- a/detections/network/dns_query_length_outliers___mltk.yml +++ b/detections/network/dns_query_length_outliers___mltk.yml 
@@ -1,42 +1,64 @@ name: DNS Query Length Outliers - MLTK id: 85fbcfe8-9718-4911-adf6-7000d077a3a9 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems. +description: The following analytic identifies DNS requests with unusually large query + lengths for the record type being requested. It leverages the Network_Resolution + data model and applies a machine learning model to detect outliers in DNS query + lengths. This activity is significant because unusually large DNS queries can indicate + data exfiltration or command-and-control communication attempts. If confirmed malicious, + this activity could allow attackers to exfiltrate sensitive data or maintain persistent + communication channels with compromised systems. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`' -how_to_implement: "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. 
To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" -known_false_positives: If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. +search: '| tstats `security_content_summariesonly` count min(_time) as start_time + max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution + by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval + query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" + as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time + query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`' +how_to_implement: "To successfully implement this search, you will need to ensure + that DNS data is populating the Network_Resolution data model. In addition, the + Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your + search heads, along with any required dependencies. Finally, the support search + \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, + because it builds a machine-learning (ML) model over the historical data used by + this search. 
It is important that this search is run in the same app context as + the associated support search, so that the model created by the support search is + available for use. You should periodically re-run the support search to rebuild + the model with the latest data available in your environment.\nThis search produces + fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident + Review and therefore cannot be viewed when a finding event is raised. These fields + contribute additional context to the finding. To see the additional metadata, add + the following fields, if not already present, to Incident Review - Event Attributes + (Configure > Incident Management > Incident Review Settings > Add New Entry):\n + * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** + query_length\n* **Label:** Number of events, **Field:** count\n" +known_false_positives: If you are seeing more results than desired, you may consider + reducing the value for threshold in the search. You should also periodically re-run + the support search to re-build the ML model on the latest data. references: [] +rba: + message: DNS Query Length Outliers + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Hidden Cobra Malware - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1071.004 - T1071 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.src - - DNS.dest - - DNS.query - - DNS.record_type - risk_score: 25 security_domain: network diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml index aaa29461f3..744203b569 100644 --- a/detections/network/dns_query_length_with_high_standard_deviation.yml 
+++ b/detections/network/dns_query_length_with_high_standard_deviation.yml 
@@ -1,15 +1,29 @@ name: DNS Query Length With High Standard Deviation id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5 -version: 7 -date: '2024-09-30' +version: 8 +date: '2024-11-15' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding twice the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network. +description: The following analytic identifies DNS queries with unusually large lengths + by computing the standard deviation of query lengths and filtering those exceeding + twice the standard deviation. It leverages DNS query data from the Network_Resolution + data model, focusing on the length of the domain names being resolved. This activity + is significant as unusually long DNS queries can indicate data exfiltration or command-and-control + communication attempts. If confirmed malicious, this activity could allow attackers + to stealthily transfer data or maintain persistent communication channels within + the network. 
data_source: - Sysmon EventID 22 -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN("Pointer","PTR") by DNS.query host| `drop_dm_object_name("DNS")` | eval tlds=split(query,".") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`' -how_to_implement: To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution + where NOT DNS.record_type IN("Pointer","PTR") by DNS.query host| `drop_dm_object_name("DNS")` + | eval tlds=split(query,".") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) + | search tld_len<=24 | eval query_length = len(query) | table host query query_length + record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS + avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev + | `dns_query_length_with_high_standard_deviation_filter`' +how_to_implement: To successfully implement this search, you will need to ensure that + DNS data is populating the Network_Resolution data model. known_false_positives: It's possible there can be long domain names that are legitimate. references: [] drilldown_searches: 
@@ -18,38 +32,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$host$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A dns query $query$ with 2 time standard deviation of name len of the dns + query in host $host$ + risk_objects: + - field: host + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Hidden Cobra Malware - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 80 - impact: 70 - message: A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$ mitre_attack_id: - T1048.003 - T1048 - observable: - - name: host - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.query - risk_score: 56 security_domain: network tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml index 82dda35400..96cd124e74 100644 --- a/detections/network/excessive_dns_failures.yml +++ b/detections/network/excessive_dns_failures.yml 
@@ -1,40 +1,51 @@ name: Excessive DNS Failures id: 104658f4-afdc-499e-9719-17243f9826f1 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-15' author: bowesmana, Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers. +description: The following analytic identifies excessive DNS query failures by counting + DNS responses that do not indicate success, triggering when there are more than + 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS + reply codes that signify errors. This activity is significant because a high number + of DNS failures can indicate potential network misconfigurations, DNS poisoning + attempts, or malware communication issues. If confirmed malicious, this activity + could lead to disrupted network services, hindered communication, or data exfiltration + attempts by attackers. 
data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src" "DNS.query" "DNS.reply_code" | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`' -how_to_implement: To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. -known_false_positives: It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment. 
+search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution + where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" + NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src" "DNS.query" "DNS.reply_code" + | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as + query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str + domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by + src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) + as count values(mode_query) as query values(mc) as max_query_count by src reply_code + | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`' +how_to_implement: To successfully implement this search you must ensure that DNS data + is populating the Network_Resolution data model. +known_false_positives: It is possible legitimate traffic can trigger this rule. Please + investigate as appropriate. The threshold for generating an event can also be customized + to better suit your environment. references: [] +rba: + message: Excessive DNS failures detected on $src$ + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Suspicious DNS Traffic - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: Excessive DNS failures detected on $src$ mitre_attack_id: - T1071.004 - T1071 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.query - - DNS.reply_code - - DNS.src - risk_score: 25 security_domain: network diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml index aa9a9ee643..572478664e 100644 
--- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml +++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml 
@@ -1,16 +1,30 @@ name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 id: bb1c2c30-107a-4e56-a4b9-1f7022867bfe -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. It identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field. This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system. If confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data. +description: The following analytic detects attempts to exploit the F5 BIG-IP iControl + REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. + It identifies suspicious URI paths and POST HTTP methods, along with specific request + headers containing potential commands in the `utilcmdargs` field and a random base64 + encoded value in the `X-F5-Auth-Token` field. This activity is significant as it + targets a critical vulnerability that can allow attackers to execute arbitrary commands + on the affected system. If confirmed malicious, this could lead to full system compromise + and unauthorized access to sensitive data. 
data_source: - Palo Alto Network Threat -search: '| tstats count from datamodel=Web where Web.url="*/mgmt/tm/util/bash*" Web.http_method="POST" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. +search: '| tstats count from datamodel=Web where Web.url="*/mgmt/tm/util/bash*" Web.http_method="POST" + by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: False positives may be present if the activity is blocked or + was not successful. Filter known vulnerablity scanners. Filter as needed. references: - https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml - https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/ 
@@ -23,44 +37,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has + occurred. + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: [] tags: analytic_story: - F5 BIG-IP Vulnerability CVE-2022-1388 - CISA AA24-241A asset_type: Web Server - confidence: 70 cve: - CVE-2022-1388 - impact: 100 - message: An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 70 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml index b130bf67ff..16c268125d 100644 --- a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml +++ b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml 
@@ -1,39 +1,59 @@ name: Hosts receiving high volume of network traffic from email server id: 7f5fb3e1-4209-4914-90db-0ec21b556368 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. +description: The following analytic identifies hosts receiving an unusually high volume + of network traffic from an email server. It leverages the Network_Traffic data model + to sum incoming bytes to clients from email servers, comparing current traffic against + historical averages and standard deviations. This activity is significant as it + may indicate data exfiltration by a malicious actor using the email server. If confirmed + malicious, this could lead to unauthorized data access and potential data breaches, + compromising sensitive information and impacting organizational security. 
data_source: [] -search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`' -how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. 
-known_false_positives: The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. +search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in + from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip + _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) + as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples + avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in + stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in + by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples + >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) + AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) + AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average + = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average + = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) + | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, + num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`' +how_to_implement: This search requires you to be ingesting your network traffic and + populating the Network_Traffic data model. Your email servers must be categorized + as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold + and minimum_data_samples values based on the network traffic in your environment. 
+ The "deviation_threshold" field is a multiplying factor to control how much variation + you're willing to tolerate. The "minimum_data_samples" field is the minimum number + of connections of data samples required for the statistic to be valid. +known_false_positives: The false-positive rate will vary based on how you set the + deviation_threshold and data_samples values. Our recommendation is to adjust these + values based on your network traffic to and from your email servers. references: [] +rba: + message: High volume of traffic from email servers to $src_ip$ + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Collection and Staging asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1114.002 - T1114 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.bytes_in - - All_Traffic.dest_category - - All_Traffic.src_ip - risk_score: 25 security_domain: network diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml index 413608fe6a..a694e24f75 100644 --- a/detections/network/internal_horizontal_port_scan.yml +++ b/detections/network/internal_horizontal_port_scan.yml 
@@ -1,15 +1,34 @@ name: Internal Horizontal Port Scan id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Dean Luxton status: production type: TTP data_source: - AWS CloudWatchLogs VPCflow -description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats. -search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`' -how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or 
host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively. +description: This analytic identifies instances where an internal host has attempted + to communicate with 250 or more destination IP addresses using the same port and + protocol. Horizontal port scans from internal hosts can indicate reconnaissance + or scanning activities, potentially signaling malicious intent or misconfiguration. + By monitoring network traffic logs, this detection helps detect and respond to such + behavior promptly, enhancing network security and preventing potential threats. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip + All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport | + `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats + min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) + as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip + dest_port gtime transport | where totalDestIPCount>=250 | eval dest_port=transport + + "/" + dest_port | stats min(_time) as _time values(action) as action sum(totalDestIPCount) + as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports + values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime | fields + - gtime | `internal_horizontal_port_scan_filter`' +how_to_implement: To properly run this search, Splunk needs to ingest data from networking + telemetry sources such as firewalls, NetFlow, or host-based networking events. 
Ensure + that the Network_Traffic data model is populated to enable this search effectively. known_false_positives: Unknown references: [] drilldown_searches: 
@@ -18,39 +37,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination + IPs + risk_objects: + - field: src_ip + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Network Discovery asset_type: Endpoint - confidence: 80 - impact: 80 - message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs mitre_attack_id: - T1046 - observable: - - name: src_ip - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - All_Traffic.action - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.dest_port security_domain: network tests: - name: True Positive Test attack_data: - 
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log source: aws:cloudwatchlogs:vpcflow sourcetype: aws:cloudwatchlogs:vpcflow - update_timestamp: true diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml index 816b6d3af9..42b955182e 100644 --- a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml +++ b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml 
@@ -1,32 +1,35 @@ name: Internal Horizontal Port Scan NMAP Top 20 id: 3141a041-4f57-4277-9faa-9305ca1f8e5b -version: 1 -date: '2024-09-25' +version: 2 +date: '2024-11-15' author: Dean Luxton status: production type: TTP data_source: - AWS CloudWatchLogs VPCflow -description: This analytic identifies instances where an internal host has attempted to communicate - with 250 or more destination IP addresses using on of the NMAP top 20 ports. Horizontal - port scans from internal hosts can indicate reconnaissance or scanning activities, - potentially signaling malicious intent or misconfiguration. By monitoring network - traffic logs, this detection helps detect and respond to such behavior promptly, - enhancing network security and preventing potential threats. +description: This analytic identifies instances where an internal host has attempted + to communicate with 250 or more destination IP addresses using on of the NMAP top + 20 ports. Horizontal port scans from internal hosts can indicate reconnaissance + or scanning activities, potentially signaling malicious intent or misconfiguration. + By monitoring network traffic logs, this detection helps detect and respond to such + behavior promptly, enhancing network security and preventing potential threats. 
search: >- - | tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport - | `drop_dm_object_name("All_Traffic")` - | eval gtime=_time - | bin span=1h gtime - | stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport - | where totalDestIPCount>=250 - | eval dest_port=transport + "/" + dest_port - | stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime - | fields - gtime - | `internal_horizontal_port_scan_nmap_top_20_filter` -how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as - firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to - enable this search effectively. 
+ | tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) + as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) + as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") + AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, + 445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.dest_port + All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name("All_Traffic")` | + eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) + as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | + where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats + min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount + values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_nmap_top_20_filter` +how_to_implement: To properly run this search, Splunk needs to ingest data from networking + telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure + that the Network_Traffic data model is populated to enable this search effectively. known_false_positives: Unknown references: [] drilldown_searches: 
@@ -35,39 +38,37 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) + starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination + IPs + risk_objects: + - field: src_ip + type: system + score: 72 + threat_objects: [] tags: analytic_story: - Network Discovery asset_type: Endpoint - confidence: 80 - impact: 90 - message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs mitre_attack_id: - T1046 - observable: - - name: src_ip - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - _time - - All_Traffic.action - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.dest_port security_domain: network tests: - name: True Positive 
Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log source: aws:cloudwatchlogs:vpcflow sourcetype: aws:cloudwatchlogs:vpcflow - update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml index 3198a824b2..ecee156769 100644 --- a/detections/network/internal_vertical_port_scan.yml +++ b/detections/network/internal_vertical_port_scan.yml 
@@ -1,15 +1,35 @@ name: Internal Vertical Port Scan id: 40d2dc41-9bbf-421a-a34b-8611271a6770 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-15' author: Dean Luxton status: production type: TTP data_source: - AWS CloudWatchLogs VPCflow -description: This analytic detects instances where an internal host attempts to communicate with over 500 ports on a single destination IP address. It includes filtering criteria to exclude applications performing scans over ephemeral port ranges, focusing on potential reconnaissance or scanning activities. Monitoring network traffic logs allows for timely detection and response to such behavior, enhancing network security by identifying and mitigating potential threats promptly. -search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport span=1s _time | `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) as action dc(eval(if(dest_port<1024 AND transport="tcp",dest_port,null))) as privilegedDestTcpPortCount dc(eval(if(transport="tcp",dest_port,null))) as totalDestTcpPortCount dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null))) as privilegedDestUdpPortCount dc(eval(if(transport="udp",dest_port,null))) as totalDestUdpPortCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | 
`internal_vertical_port_scan_filter`' -how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively. +description: This analytic detects instances where an internal host attempts to communicate + with over 500 ports on a single destination IP address. It includes filtering criteria + to exclude applications performing scans over ephemeral port ranges, focusing on + potential reconnaissance or scanning activities. Monitoring network traffic logs + allows for timely detection and response to such behavior, enhancing network security + by identifying and mitigating potential threats promptly. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip + All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport span=1s _time | + `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats + min(_time) as _time values(action) as action dc(eval(if(dest_port<1024 AND transport="tcp",dest_port,null))) + as privilegedDestTcpPortCount dc(eval(if(transport="tcp",dest_port,null))) as totalDestTcpPortCount + dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null))) as privilegedDestUdpPortCount + dc(eval(if(transport="udp",dest_port,null))) as totalDestUdpPortCount values(src_category) + as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip + dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, + privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| 
where + (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`' +how_to_implement: To properly run this search, Splunk needs to ingest data from networking + telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure + that the Network_Traffic data model is populated to enable this search effectively. known_false_positives: Unknown references: [] drilldown_searches: 
@@ -18,39 +38,36 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$ + risk_objects: + - field: src_ip + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Network Discovery asset_type: Endpoint - confidence: 80 - impact: 80 - message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$ mitre_attack_id: - T1046 - observable: - - name: src_ip - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - All_Traffic.action - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.dest_port security_domain: network tests: - name: True Positive Test attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log source: aws:cloudwatchlogs:vpcflow sourcetype: aws:cloudwatchlogs:vpcflow - update_timestamp: trues diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml index b154e2a680..a02dfe5494 100644 --- a/detections/network/internal_vulnerability_scan.yml +++ b/detections/network/internal_vulnerability_scan.yml 
@@ -1,43 +1,53 @@ name: Internal Vulnerability Scan id: 46f946ed-1c78-4e96-9906-c7a4be15e39b -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-15' author: Dean Luxton status: experimental type: TTP data_source: [] -description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits. -search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount dc(signature) as sigCount values(signature) values(src_category) as src_category values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 | `internal_vulnerability_scan_filter`' -how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are 
mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry and contextual information needed to accurately identify and analyze potential threats. +description: This analytic detects internal hosts triggering multiple IDS signatures, + which may include either more than 25 signatures against a single host or a single + signature across over 25 destination IP addresses. Such patterns can indicate active + vulnerability scanning activities within the network. By monitoring IDS logs, this + detection helps identify and respond to potential vulnerability scanning attempts, + enhancing the network's security posture and preventing potential exploits. +search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action + values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) + as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src + IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, + high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest + IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` + | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity + src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" + | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount + dc(signature) as sigCount values(signature) values(src_category) as src_category + values(dest_category) as dest_category values(severity) as severity values(dest_port) + as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 + | `internal_vulnerability_scan_filter`' +how_to_implement: For this detection to function effectively, it is essential to ingest + IDS/IPS logs that 
are mapped to the Common Information Model (CIM). These logs provide + the necessary security-related telemetry and contextual information needed to accurately + identify and analyze potential threats. known_false_positives: Internal vulnerability scanners will trigger this detection. references: [] +rba: + message: Large volume of IDS signatures triggered by $src$ + risk_objects: + - field: src + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Network Discovery asset_type: Endpoint - confidence: 80 - impact: 80 - message: Large volume of IDS signatures triggered by $src$ mitre_attack_id: - T1595.002 - T1046 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - IDS_Attacks.action - - IDS_Attacks.src - - IDS_Attacks.dest - - IDS_Attacks.dest_port - - IDS_Attacks.severity - - IDS_Attacks.signature - - IDS_Attacks.transport security_domain: network diff --git a/detections/network/large_volume_of_dns_any_queries.yml b/detections/network/large_volume_of_dns_any_queries.yml index 45393b2161..b73ca41645 100644 --- a/detections/network/large_volume_of_dns_any_queries.yml +++ b/detections/network/large_volume_of_dns_any_queries.yml 
@@ -1,39 +1,44 @@ name: Large Volume of DNS ANY Queries id: 8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure. +description: The following analytic identifies a large volume of DNS ANY queries, + which may indicate a DNS amplification attack. It leverages the Network_Resolution + data model to count DNS queries of type "ANY" directed to specific destinations. + This activity is significant because DNS amplification attacks can overwhelm network + resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, + this activity could disrupt services, degrade network performance, and potentially + be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability + of critical infrastructure. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" | `drop_dm_object_name("DNS")` | where count>200 | `large_volume_of_dns_any_queries_filter`' -how_to_implement: To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. 
-known_false_positives: Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution + where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" + | `drop_dm_object_name("DNS")` | where count>200 | `large_volume_of_dns_any_queries_filter`' +how_to_implement: To successfully implement this search you must ensure that DNS data + is populating the Network_Resolution data model. +known_false_positives: Legitimate ANY requests may trigger this search, however it + is unusual to see a large volume of them under typical circumstances. You may modify + the threshold in the search to better suit your environment. references: [] +rba: + message: Large Volume of DNS ANY Queries by $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - DNS Amplification Attacks asset_type: DNS Servers - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1498 - T1498.002 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - DNS.message_type - - DNS.record_type - - DNS.dest - risk_score: 25 security_domain: network diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml index d978609d71..a8cf6de84a 100644 --- a/detections/network/ngrok_reverse_proxy_on_network.yml +++ b/detections/network/ngrok_reverse_proxy_on_network.yml 
@@ -1,16 +1,28 @@ name: Ngrok Reverse Proxy on Network id: 5790a766-53b8-40d3-a696-3547b978fcf0 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as "*.ngrok.com" and "*.ngrok.io". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security. +description: The following analytic detects DNS queries to common Ngrok domains, indicating + potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution + datamodel to identify queries to domains such as "*.ngrok.com" and "*.ngrok.io". + While Ngrok usage is not inherently malicious, it has been increasingly adopted + by adversaries for covert communication and data exfiltration. If confirmed malicious, + this activity could allow attackers to bypass network defenses, establish persistent + connections, and exfiltrate sensitive data, posing a significant threat to the network's + security. 
data_source: - Sysmon EventID 22 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN ("*.ngrok.com","*.ngrok.io", "ngrok.*.tunnel.com", "korgn.*.lennut.com") by DNS.src DNS.query DNS.answer | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`' -how_to_implement: The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source. -known_false_positives: False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Resolution where DNS.query IN ("*.ngrok.com","*.ngrok.io", + "ngrok.*.tunnel.com", "korgn.*.lennut.com") by DNS.src DNS.query DNS.answer | `drop_dm_object_name("DNS")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`' +how_to_implement: The Network Resolution Datamodel will need to have data mapped to + it regarding DNS queries. Modify query as needed to use another source. +known_false_positives: False positives will be present based on organizations that + allow the use of Ngrok. Filter or monitor as needed. references: - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf drilldown_searches: 
@@ -19,41 +31,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok. + risk_objects: + - field: src + type: system + score: 50 + threat_objects: [] tags: analytic_story: - Reverse Network Proxy - CISA AA22-320A - CISA AA24-241A asset_type: Endpoint - confidence: 100 - impact: 50 - message: An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok. 
mitre_attack_id: - T1572 - T1090 - T1102 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - DNS.src - - DNS.query - - DNS.answer - risk_score: 50 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml index e3caba6ac3..be2edfc03a 100644 --- a/detections/network/prohibited_network_traffic_allowed.yml +++ b/detections/network/prohibited_network_traffic_allowed.yml 
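Review bot: the new `rba` block in ngrok_reverse_proxy_on_network.yml leaves `threat_objects: []` even though the search groups by `DNS.query` and `DNS.answer`, so the Ngrok domain that triggered the alert is never recorded as a threat object; consider adding an entry such as `- field: query` / `type: domain` so the contacted domain is tracked alongside the `src` risk object. Separately, the tests hunk drops `update_timestamp: true` from the attack data entry, which is unrelated to the observable-to-rba migration and changes how the Sysmon log is replayed; please confirm that removal is intentional or split it into its own change.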
@@ -1,14 +1,30 @@ name: Prohibited Network Traffic Allowed id: ce5a0962-849f-4720-a678-753fe6674479 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture. +description: The following analytic detects instances where network traffic, identified + by port and transport layer protocol as prohibited in the "lookup_interesting_ports" + table, is allowed. It uses the Network_Traffic data model to cross-reference traffic + data against predefined security policies. This activity is significant for a SOC + as it highlights potential misconfigurations or policy violations that could lead + to unauthorized access or data exfiltration. If confirmed malicious, this could + allow attackers to bypass network defenses, leading to potential data breaches and + compromising the organization's security posture. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `prohibited_network_traffic_allowed_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by + All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action + | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port + OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `prohibited_network_traffic_allowed_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data + from firewalls or other network control devices that mediate the traffic allowed + into an environment. This is necessary so that the search can identify an 'action' + taken on the traffic of interest. The search requires the Network_Traffic data model + be populated. known_false_positives: None identified references: [] drilldown_searches: 
@@ -17,45 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potentially Prohibited Network Traffic allowed + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: dest_ip + type: ip_address tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch - Ransomware - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1048 - observable: - - name: src_ip - type: IP Address - role: - - Victim - - name: dest_ip - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.action - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.dest_port - risk_score: 25 security_domain: network 
manual_test: This detection uses builtin lookup from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log sourcetype: bro:conn:json source: conn.log diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml index c9c993d2b3..d935eff540 100644 --- a/detections/network/protocol_or_port_mismatch.yml +++ b/detections/network/protocol_or_port_mismatch.yml 
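Review bot: the new `rba.message` in prohibited_network_traffic_allowed.yml ("Potentially Prohibited Network Traffic allowed") carries no field tokens, so every risk event from this detection reads identically in Incident Review; since `src_ip` and `dest_ip` are both in the `by` clause and `$src_ip$` is already used by the drilldown, suggest something like `Potentially prohibited network traffic allowed from $src_ip$ to $dest_ip$`. The rest of the block is consistent with the search output (`src_ip` as the system risk object, `dest_ip` as the `ip_address` threat object).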
@@ -1,41 +1,50 @@ name: Protocol or Port Mismatch id: 54dc1265-2f74-4b6d-b30d-49eb506a31b3 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security. +description: The following analytic identifies network traffic where the higher layer + protocol does not match the expected port, such as non-HTTP traffic on TCP port + 80. It leverages data from network traffic inspection technologies like Bro or Palo + Alto Networks firewalls. This activity is significant because it may indicate attempts + to bypass firewall restrictions or conceal malicious communications. If confirmed + malicious, this behavior could allow attackers to evade detection, maintain persistence, + or exfiltrate data through commonly allowed ports, posing a significant threat to + network security. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `protocol_or_port_mismatch_filter`' -how_to_implement: Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) + OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 + OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl + NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp + NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, + All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `drop_dm_object_name("All_Traffic")` | `protocol_or_port_mismatch_filter`' +how_to_implement: Running this search properly requires a technology that can inspect + network traffic and identify common protocols. 
Technologies such as Bro and Palo + Alto Networks firewalls are two examples that will identify protocols via inspection, + and not just assume a specific protocol based on the transport protocol and ports. known_false_positives: None identified references: [] +rba: + message: Port or Protocol Traffic Mismatch + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1048.003 - T1048 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.app - - All_Traffic.dest_port - - All_Traffic.src_ip - - All_Traffic.dest_ip - risk_score: 25 security_domain: network diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml index 2c96157842..ba3d3d5577 100644 --- a/detections/network/protocols_passing_authentication_in_cleartext.yml +++ b/detections/network/protocols_passing_authentication_in_cleartext.yml 
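Review bot: in protocol_or_port_mismatch.yml the new `rba.risk_objects` entry uses `field: dest`, but the search only emits `src_ip`, `dest_ip`, `app` and `dest_port` (from `by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port` followed by `drop_dm_object_name`), so there is no `dest` field and the risk object will never be populated. The old `observable` entry had the same mismatch (`name: dest`), but the migration is the right moment to fix it: use `field: dest_ip` (type `system`, or `ip_address` as a threat object with `src_ip` as the risk object, matching prohibited_network_traffic_allowed.yml). The message `Port or Protocol Traffic Mismatch` would also benefit from `$src_ip$`, `$dest_ip$`, `$app$` and `$dest_port$` tokens.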
@@ -1,45 +1,51 @@ name: Protocols passing authentication in cleartext id: 6923cd64-17a0-453c-b945-81ac2d8c6db9 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-15' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21). The detection leverages the Network_Traffic data model to identify TCP traffic on these ports. Monitoring this activity is crucial as it can expose credentials and other sensitive data to interception. If confirmed malicious, attackers could capture authentication details, leading to unauthorized access and potential data breaches. +description: The following analytic identifies the use of cleartext protocols that + risk leaking sensitive information. It detects network traffic on legacy protocols + such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP + (port 21). The detection leverages the Network_Traffic data model to identify TCP + traffic on these ports. Monitoring this activity is crucial as it can expose credentials + and other sensitive data to interception. If confirmed malicious, attackers could + capture authentication details, leading to unauthorized access and potential data + breaches. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `protocols_passing_authentication_in_cleartext_filter`' -how_to_implement: This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) -known_false_positives: Some networks may use kerberized FTP or telnet servers, however, this is rare. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND + All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" + OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user + != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` + | `protocols_passing_authentication_in_cleartext_filter`' +how_to_implement: This search requires you to be ingesting your network traffic, and + populating the Network_Traffic data model. 
For more accurate result it's better + to limit destination to organization private and public IP range, like All_Traffic.dest + IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) +known_false_positives: Some networks may use kerberized FTP or telnet servers, however, + this is rare. references: - https://www.rackaid.com/blog/secure-your-email-and-file-transfers/ - https://www.infosecmatter.com/capture-passwords-using-wireshark/ +rba: + message: Potential Authentication in cleartext + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Use of Cleartext Protocols asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.transport - - All_Traffic.dest_port - - All_Traffic.user - - All_Traffic.src - - All_Traffic.dest - - All_Traffic.action - risk_score: 25 security_domain: network diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml index 2634f6b9cf..35dcd16a5c 100644 --- a/detections/network/remote_desktop_network_bruteforce.yml +++ b/detections/network/remote_desktop_network_bruteforce.yml 
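Review bot: the new `rba.message` in protocols_passing_authentication_in_cleartext.yml ("Potential Authentication in cleartext") has no field tokens even though `user`, `dest` and `dest_port` are all available after `drop_dm_object_name("All_Traffic")`; suggest `Potential cleartext authentication by $user$ to $dest$ on port $dest_port$` so analysts can triage without opening the contributing events. The two risk objects (`user` as `user`, `dest` as `system`) match the search's `by` clause, and 25 is consistent with the removed confidence 50 / impact 50.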
@@ -1,53 +1,51 @@ name: Remote Desktop Network Bruteforce id: a98727cc-286b-4ff2-b898-41df64695923 -version: 5 -date: '2024-10-16' +version: 6 +date: '2024-11-15' author: Jose Hernandez, Splunk status: experimental type: TTP -description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. +description: The following analytic identifies potential Remote Desktop Protocol (RDP) + brute force attacks by monitoring network traffic for RDP application activity. + It detects anomalies by filtering source and destination pairs that generate traffic + exceeding twice the standard deviation of the average traffic. This method leverages + the Network_Traffic data model to identify unusual patterns indicative of brute + force attempts. This activity is significant as it may indicate an attacker attempting + to gain unauthorized access to systems via RDP. If confirmed malicious, this could + lead to unauthorized access, data exfiltration, or further network compromise. 
data_source: [] search: >- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port - | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 - | where count>(avg + stdev*2) - | rename All_Traffic.src AS src All_Traffic.dest AS dest - | table firstTime lastTime src dest count avg p50 stdev - | `remote_desktop_network_bruteforce_filter` + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) + AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | + eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime + lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter` how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network. 
references: [] +rba: + message: $dest$ may be the target of an RDP Bruteforce + risk_objects: + - field: dest + type: system + score: 25 + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - SamSam Ransomware - Ryuk Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 - message: $dest$ may be the target of an RDP Bruteforce mitre_attack_id: - T1021.001 - T1021 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.app - - All_Traffic.src - - All_Traffic.dest - - All_Traffic.dest_port - risk_score: 25 security_domain: network diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml index 0fdb8716b0..dea3884a91 100644 --- a/detections/network/remote_desktop_network_traffic.yml +++ b/detections/network/remote_desktop_network_traffic.yml 
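Review bot: in remote_desktop_network_bruteforce.yml the migration keeps `src` as a second `system` risk object with score 25, which means the host generating the brute-force traffic accrues risk as if it were a victim; the sibling hunks in this change (remote_desktop_network_traffic.yml, prohibited_network_traffic_allowed.yml) model the far end as a `threat_objects` entry of type `ip_address` instead. Consider moving `src` to `threat_objects` here for consistency, or state in the description why both ends are scored. The field names do line up with the search, which renames `All_Traffic.src AS src All_Traffic.dest AS dest` before `table`.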
@@ -1,14 +1,34 @@ name: Remote Desktop Network Traffic id: 272b8407-842d-4b3d-bead-a704584003d3 -version: 7 -date: '2024-10-16' +version: 8 +date: '2024-11-15' author: David Dorsey, Splunk status: production type: Anomaly -description: The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss. +description: The following analytic detects unusual Remote Desktop Protocol (RDP) + traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing + on atypical connections within the network. This detection leverages network traffic + data to identify potentially unauthorized RDP access. Monitoring this activity is + crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt + to control networked systems, leading to data theft, ransomware deployment, or further + network compromise. If confirmed malicious, this activity could result in significant + data breaches or complete system and network control loss. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action="allowed" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter`' -how_to_implement: To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search "Identify Systems Creating Remote Desktop Traffic" to identify systems that originate the traffic and the search "Identify Systems Receiving Remote Desktop Traffic" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the "common_rdp_source" or "common_rdp_destination" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND + All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source + AND All_Traffic.action="allowed" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port + | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `remote_desktop_network_traffic_filter`' +how_to_implement: To successfully implement this search you need to identify systems + that commonly originate remote desktop traffic and that commonly receive remote + desktop traffic. You can use the included support search "Identify Systems Creating + Remote Desktop Traffic" to identify systems that originate the traffic and the search + "Identify Systems Receiving Remote Desktop Traffic" to identify systems that receive + a lot of remote desktop traffic. After identifying these systems, you will need + to add the "common_rdp_source" or "common_rdp_destination" category to that system + depending on the usage, using the Enterprise Security Assets and Identities framework. This + can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups. known_false_positives: Remote Desktop may be used legitimately by users on the network. references: [] drilldown_searches: 
@@ -17,9 +37,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Remote Desktop Network Traffic Anomaly Detected from $src$ to $dest$ + risk_objects: + - field: src + type: system + score: 25 + threat_objects: + - field: dest + type: ip_address tags: analytic_story: - SamSam Ransomware 
@@ -27,39 +61,19 @@ tags: - Hidden Cobra Malware - Active Directory Lateral Movement asset_type: Endpoint - confidence: 50 - impact: 50 - message: Remote Desktop Network Traffic Anomaly Detected from $src$ to $dest$ mitre_attack_id: - T1021.001 - T1021 - observable: - - name: src - type: IP Address - role: - - Victim - - name: dest - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_port - - All_Traffic.dest_category - - All_Traffic.src_category - - All_Traffic.src - - All_Traffic.dest - - All_Traffic.dest_port - risk_score: 25 security_domain: network manual_test: This detection uses builtin lookup from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log sourcetype: bro:conn:json source: conn.log diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml index 6240cd584a..7154a35162 100644 --- a/detections/network/smb_traffic_spike.yml +++ b/detections/network/smb_traffic_spike.yml 
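Review bot: the last sentence of the `+how_to_implement:` block tells the reader to add the `common_rdp_source` / `common_rdp_destination` categories by editing `assets.csv` under `SA-IdentityManagement/lookups`, which contradicts the preceding sentence that points at the Assets and Identities framework; the bundled lookup file is replaced when ES is upgraded, so direct it at Asset and Identity Management (or a site-specific asset lookup registered there) instead. Also worth confirming in the `rba` block that `dest` really carries an IP in the target environment, since the search groups on `All_Traffic.dest` rather than `All_Traffic.dest_ip` but the threat object is declared as `ip_address`.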
@@ -1,16 +1,39 @@ name: SMB Traffic Spike id: 7f5fb3e1-4209-4914-90db-0ec21b936378 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-15' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network. +description: The following analytic detects spikes in Server Message Block (SMB) traffic + connections, which are used for sharing files and resources between computers. It + leverages network traffic logs to monitor connections on ports 139 and 445, and + SMB application usage. By calculating the average and standard deviation of SMB + connections over the past 70 minutes, it identifies sources exceeding two standard + deviations from the average. This activity is significant as it may indicate potential + SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers + could exfiltrate data or spread malware within the network. 
data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`' -how_to_implement: This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model. -known_false_positives: A file server may experience high-demand loads that could cause this analytic to trigger. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic + where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb + by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats + max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, + "-70m@m"), count, null))) as count avg(eval(if(_time upperBound + AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`' +how_to_implement: This search requires you to be ingesting your network traffic logs + and populating the `Network_Traffic` data model. +known_false_positives: A file server may experience high-demand loads that could cause + this analytic to trigger. references: [] +rba: + message: Anomalous splike of SMB traffic sent from $src$ + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Emotet Malware DHS Report TA18-201A 
@@ -18,25 +41,11 @@ tags: - Ransomware - DHS Report TA18-074A asset_type: Endpoint - confidence: 50 - impact: 50 - message: Anomalous splike of SMB traffic sent from $src$ mitre_attack_id: - T1021.002 - T1021 - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_port - - All_Traffic.app - - All_Traffic.src - risk_score: 25 security_domain: network diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml index 8500e94944..0ec7d9fe16 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/network/smb_traffic_spike___mltk.yml 
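Review bot: the new `+ message: Anomalous splike of SMB traffic sent from $src$` line in the `rba` block carries the typo over from the removed `message:` line; since the field is being rewritten anyway, make it `Anomalous spike of SMB traffic sent from $src$`. Separately, the `+search:` text as shown reads `avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0)`, which is not valid SPL (the comparison and the `upperBound` computation are missing); if that is only how this rendering dropped angle brackets, ignore, otherwise the threshold logic needs restoring before the version bump ships.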
@@ -1,22 +1,53 @@ name: SMB Traffic Spike - MLTK id: d25773ba-9ad8-48d1-858e-07ad0bbeb828 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-15' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network. +description: The following analytic identifies spikes in the number of Server Message + Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages + the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying + a machine learning model to detect anomalies. This activity is significant because + sudden increases in SMB traffic can indicate lateral movement or data exfiltration + attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized + access, data theft, or further compromise of the network. 
data_source: [] -search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter`' -how_to_implement: 'To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. - - This search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. 
To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): - - * **Label:** Number of events, **Field:** count - - Detailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' -known_false_positives: If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results +search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) + as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where + All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by + _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, + "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 + | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | + table _time src dest port count | `smb_traffic_spike___mltk_filter`' +how_to_implement: "To successfully implement this search, you will need to ensure + that DNS data is populating the Network_Traffic data model. In addition, the latest + version of Machine Learning Toolkit (MLTK) must be installed on your search heads, + along with any required dependencies. Finally, the support search \"Baseline of + SMB Traffic - MLTK\" must be executed before this detection search, because it builds + a machine-learning (ML) model over the historical data used by this search. 
It is + important that this search is run in the same app context as the associated support + search, so that the model created by the support search is available for use. You + should periodically re-run the support search to rebuild the model with the latest + data available in your environment.\nThis search produces a field (Number of events,count) + that are not yet supported by ES Incident Review and therefore cannot be viewed + when a finding is raised. This field contributes additional context to the + finding. To see the additional metadata, add the following field, if not already + present, to Incident Review - Event Attributes (Configure > Incident Management + > Incident Review Settings > Add New Entry):\n* **Label:** Number of events, **Field:** + count" +known_false_positives: If you are seeing more results than desired, you may consider + reducing the value of the threshold in the search. You should also periodically + re-run the support search to re-build the ML model on the latest data. Please update + the `smb_traffic_spike_mltk_filter` macro to filter out false positive results references: [] +rba: + message: SMB Traffic Spike from $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Emotet Malware DHS Report TA18-201A @@ -24,26 +55,11 @@ tags: - Ransomware - DHS Report TA18-074A asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1021.002 - T1021 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.dest_ip - - All_Traffic.dest_port - - All_Traffic.app - - All_Traffic.src - risk_score: 25 security_domain: network diff --git a/detections/network/ssl_certificates_with_punycode.yml b/detections/network/ssl_certificates_with_punycode.yml index 89c12e2ed3..c19238b392 100644 --- a/detections/network/ssl_certificates_with_punycode.yml 
+++ b/detections/network/ssl_certificates_with_punycode.yml 
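Review bot: three points on the SMB Traffic Spike - MLTK hunk. First, the `rba` block scores `dest` as the `system` risk object, but `dest` here is `values(All_Traffic.dest_ip)`, a multivalue list aggregated per `src`, and the outlier is computed per `src`; mirror the non-MLTK sibling in this same patch and make `src` the risk object, with `dest` as a threat object if wanted. Second, `+how_to_implement:` says "ensure that DNS data is populating the Network_Traffic data model", but this detection reads SMB flows on 139/445, so it should say network traffic data. Third, `known_false_positives` still tells the reader to update the `smb_traffic_spike_mltk_filter` macro while the search calls `smb_traffic_spike___mltk_filter`; align the name so the filtering advice points at the macro that actually exists.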
@@ -1,15 +1,31 @@ name: SSL Certificates with Punycode id: 696694df-5706-495a-81f2-79501fa11b90 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the prefix "xn--". It leverages the Certificates Datamodel to flag these domains and uses CyberChef for decoding. This activity is significant as Punycode can be used for domain spoofing and phishing attacks. If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches. +description: The following analytic detects SSL certificates with Punycode domains + in the SSL issuer email domain, identified by the prefix "xn--". It leverages the + Certificates Datamodel to flag these domains and uses CyberChef for decoding. This + activity is significant as Punycode can be used for domain spoofing and phishing + attacks. If confirmed malicious, attackers could deceive users and systems, potentially + leading to unauthorized access and data breaches. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name("All_Certificates.SSL")` | eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) | where punycode=1 | cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" jsonrecipe="[{"op":"From Punycode","args":[true]}]" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`' -how_to_implement: Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines. -known_false_positives: False positives may be present if the organization works with international businesses. Filter as needed. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain + All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest + All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain + | `drop_dm_object_name("All_Certificates.SSL")` | eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) + | where punycode=1 | cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" + jsonrecipe="[{"op":"From Punycode","args":[true]}]" | table ssl_issuer_email_domain + convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain + | `ssl_certificates_with_punycode_filter`' +how_to_implement: Ensure data is properly being ingested into the Certificates datamodel. + If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. + If decoding is not needed, remove the cyberchef lines. +known_false_positives: False positives may be present if the organization works with + international businesses. Filter as needed. references: - https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html - https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ 
@@ -19,27 +35,10 @@ tags: analytic_story: - OpenSSL CVE-2022-3602 asset_type: Network - confidence: 30 - impact: 50 - message: A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$. mitre_attack_id: - T1573 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Certificates.SSL.ssl_issuer_email_domain - - All_Certificates.SSL.ssl_issuer - - All_Certificates.SSL.ssl_subject_email - - All_Certificates.SSL.dest - - All_Certificates.SSL.src - - All_Certificates.SSL.sourcetype - - All_Certificates.SSL.ssl_subject_email_domain - risk_score: 15 security_domain: network diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml index c755e011b2..07c2e15ab9 100644 --- a/detections/network/tor_traffic.yml +++ b/detections/network/tor_traffic.yml 
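Review bot: in `+how_to_implement:` the sentence "If decoding the of interest, the CyberChef app is needed" is garbled; "If decoding is of interest" was presumably intended. While touching it, "remove the cyberchef lines" would be clearer as "remove the `| cyberchef ...` command and the `convertedPuny` column from the `table`", since that is the only CyberChef-dependent part of the search.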
@@ -1,15 +1,30 @@ name: TOR Traffic id: ea688274-9c06-4473-b951-e4cb7a5d7a45 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-15' author: David Dorsey, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network. +description: The following analytic identifies allowed network traffic to The Onion + Router (TOR), an anonymity network often exploited for malicious activities. It + leverages data from Next Generation Firewalls, using the Network_Traffic data model + to detect traffic where the application is TOR and the action is allowed. This activity + is significant as TOR can be used to bypass conventional monitoring, facilitating + hacking, data breaches, and illicit content dissemination. If confirmed malicious, + this could lead to unauthorized access, data exfiltration, and severe compliance + violations, compromising the integrity and security of the network. 
data_source: - Palo Alto Network Traffic -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `tor_traffic_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed + by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` + | `tor_traffic_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data + from Next Generation Firewalls like Palo Alto Networks Firewalls or other network + control devices that mediate the traffic allowed into an environment. This is necessary + so that the search can identify an 'action' taken on the traffic of interest. The + search requires the Network_Traffic data model to be populated. known_false_positives: None at this time references: - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK 
@@ -20,9 +35,22 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious network traffic allowed using TOR has been detected from $src_ip$ + to $dest_ip$ + risk_objects: + - field: src_ip + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch 
@@ -30,33 +58,18 @@ tags: - NOBELIUM Group - Command And Control asset_type: Endpoint - confidence: 80 - impact: 100 - message: Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$ mitre_attack_id: - T1090 - T1090.003 - observable: - - name: src_ip - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - All_Traffic.app - - All_Traffic.action - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.dest_port - risk_score: 80 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.log source: pan_tor_allowed sourcetype: pan:traffic diff --git a/detections/network/windows_ad_replication_service_traffic.yml b/detections/network/windows_ad_replication_service_traffic.yml index 60ebda269e..17845e1f82 100644 --- a/detections/network/windows_ad_replication_service_traffic.yml +++ b/detections/network/windows_ad_replication_service_traffic.yml 
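Review bot: the `rba` block sets `threat_objects: []` even though the message names `$dest_ip$` and the search groups by `All_Traffic.dest_ip`; add `dest_ip` as an `ip_address` threat object, as the Remote Desktop and AD replication detections in this patch do, so the TOR endpoint is carried into the finding as a threat object rather than only appearing in the message text.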
@@ -1,46 +1,52 @@ name: Windows AD Replication Service Traffic id: c6e24183-a5f4-4b2a-ad01-2eb456d09b67 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Steven Dick type: TTP status: experimental data_source: [] -description: The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise. -search: '| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `windows_ad_replication_service_traffic_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering. +description: The following analytic identifies unexpected Active Directory replication + traffic from non-domain controller sources. 
It leverages data from the Network Traffic + datamodel, specifically looking for applications related to AD replication. This + activity is significant because AD replication traffic should typically only occur + between domain controllers. Detection of such traffic from other sources may indicate + malicious activities like DCSync or DCShadow, which are used for credential dumping. + If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, + leading to unauthorized access and potential domain-wide compromise. +search: '| tstats `security_content_summariesonly` count values(All_Traffic.transport) + as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as + src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime + max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad + drs") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `windows_ad_replication_service_traffic_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + application aware firewall or proxy logs into the Network Datamodel. Categorize + all known domain controller Assets servers with an appropriate category for filtering. known_false_positives: New domain controllers or certian scripts run by administrators. 
references: - https://adsecurity.org/?p=1729 - https://attack.mitre.org/techniques/T1003/006/ - https://attack.mitre.org/techniques/T1207/ +rba: + message: Active Directory Replication Traffic from Unknown Source - $src$ + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: Active Directory Replication Traffic from Unknown Source - $src$ mitre_attack_id: - T1003 - T1003.006 - T1207 - observable: - - name: dest - type: IP Address - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Traffic.src - - All_Traffic.dest - - All_Traffic.app - risk_score: 100 security_domain: network diff --git a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml index 440d5240a1..d1f364dbfb 100644 --- a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml +++ b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml 
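Review bot: with `score: 100` on `dest`, every replication flow raises a maximum-score risk event for the destination DC unless known DCs are excluded, and the `+search:` adds no `src_category` exclusion; `how_to_implement` asks the reader to categorize DC assets "for filtering" but leaves that filtering entirely to the `windows_ad_replication_service_traffic_filter` macro. Either add the exclusion in the search itself (a `where` on `src_category`, using whatever category the environment assigns to domain controllers) or state explicitly in `how_to_implement` that the macro must implement it, otherwise legitimate DC-to-DC replication scores 100 out of the box. Drive-by: `certian` in the unchanged `known_false_positives` line.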
@@ -1,42 +1,45 @@ name: Windows AD Rogue Domain Controller Network Activity id: c4aeeeef-da7f-4338-b3ba-553cbcbe2138 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Dean Luxton type: TTP status: experimental data_source: [] -description: The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk. -search: '`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category="Domain Controller") OR NOT (src_category="Domain Controller") | fillnull value="Unknown" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`' -how_to_implement: Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities. +description: The following analytic identifies unauthorized replication RPC calls + from non-domain controller devices. It leverages Zeek wire data to detect specific + RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate + domain controllers. This activity is significant as it may indicate an attempt to + introduce a rogue domain controller, which can compromise the integrity of the Active + Directory environment. If confirmed malicious, this could allow attackers to manipulate + directory data, escalate privileges, and persist within the network, posing a severe + security risk. 
+search: '`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category="Domain + Controller") OR NOT (src_category="Domain Controller") | fillnull value="Unknown" + src_category, dest_category | table _time endpoint operation src src_category dest + dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`' +how_to_implement: Run zeek on domain controllers to capture the DCE RPC calls, ensure + the domain controller categories are defined in Assets and Identities. known_false_positives: None. references: - https://adsecurity.org/?p=1729 +rba: + message: Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$) + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 100 - message: Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$) mitre_attack_id: - T1207 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: dest - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - src - - dest - risk_score: 100 security_domain: network diff --git a/detections/network/zeek_x509_certificate_with_punycode.yml b/detections/network/zeek_x509_certificate_with_punycode.yml index 6e781a5f27..f22ab38c2e 100644 --- a/detections/network/zeek_x509_certificate_with_punycode.yml +++ b/detections/network/zeek_x509_certificate_with_punycode.yml 
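Review bot: `known_false_positives: None.` understates the noise this search produces: the `fillnull value="Unknown"` step exists precisely because uncategorized hosts reach the output, and a newly promoted DC not yet tagged `Domain Controller` in Assets and Identities matches `NOT (src_category="Domain Controller")` and scores 100. Reuse the wording of the sibling AD replication detection in this patch ("New domain controllers or certain scripts run by administrators") and note that the DC category must be kept current.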
@@ -1,15 +1,29 @@ name: Zeek x509 Certificate with Punycode id: 029d6fe4-a5fe-43af-827e-c78c50e81d81 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the "xn--" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches. +description: The following analytic detects the presence of punycode within x509 certificates + using Zeek x509 logs. It identifies punycode in the subject alternative name email + and other fields by searching for the "xn--" prefix. This activity is significant + as punycode can be used in phishing attacks or to bypass domain filters, posing + a security risk. If confirmed malicious, attackers could use these certificates + to impersonate legitimate domains, potentially leading to unauthorized access or + data breaches. data_source: [] -search: '`zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | rex field=san.other_fields{} "\@(?xn--.*)" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`' -how_to_implement: The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after). 
-known_false_positives: False positives may be present if the organization works with international businesses. Filter as needed. +search: '`zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | rex + field=san.other_fields{} "\@(?xn--.*)" | stats values(domain_detected) + by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`' +how_to_implement: The following analytic requires x509 certificate data to be logged + entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf + certificate. The analytic may be modified to look for all xn--, or utilize a network + IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note + for Suricata, the certificate is base64 encoded and will need to be decoded to capture + the punycode (punycode will need to be decoded after). +known_false_positives: False positives may be present if the organization works with + international businesses. Filter as needed. references: - https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117 - https://github.com/corelight/CVE-2022-3602/tree/master/scripts @@ -21,24 +35,10 @@ tags: analytic_story: - OpenSSL CVE-2022-3602 asset_type: Network - confidence: 30 - impact: 50 - message: A x509 certificate has been identified to have punycode in the subject alternative name on $dest$. mitre_attack_id: - T1573 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - domain_detected - - basic_constraints.ca - - source - - host - risk_score: 15 security_domain: network diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml index e7f94b3f08..d77b3ca65e 100644 --- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml 
+++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml 
@@ -1,16 +1,32 @@ name: Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint id: 15838756-f425-43fa-9d88-a7f88063e81a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. 
+description: The following analytic identifies access to the + /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark + endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. + It detects this activity by monitoring for GET requests that receive a 403 Forbidden + response with an empty body. This behavior is significant as it indicates potential + exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, + attackers could exploit these vulnerabilities to gain unauthorized access or control + over the affected systems, leading to potential data breaches or system compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" + Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, + Web.url source | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 403; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml 
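Review bot: the description in this hunk still says the analytic looks for GET requests that "receive a 403 Forbidden response with an empty body", but the search constrains only `Web.http_method=GET Web.status=403`; nothing in the tstats `where` clause tests the response body or its length. Either drop "with an empty body" from the description or add the corresponding Web datamodel field to the `where` clause so the text matches what the search actually evaluates.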
@@ -21,9 +37,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: cve: - CVE-2023-46805 
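Review bot: the new `rba` block sets `threat_objects: []` although the search groups by `Web.src`, and the sibling detections ported in this change (ColdFusion, Cisco IOS XE, Citrix) all add `- field: src` / `type: ip_address` as a threat object. If leaving src out here is deliberate, a short inline comment would save the next reviewer the same question; otherwise add it so the risk event carries the requesting address like the others.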
@@ -33,31 +61,17 @@ tags: - CISA AA24-241A asset_type: VPN Appliance atomic_guid: [] - confidence: 80 - impact: 90 - message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.status - - Web.url security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log source: suricata sourcetype: suricata diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml index 71ebc5963a..c89e2113e8 100644 --- a/detections/web/adobe_coldfusion_access_control_bypass.yml +++ b/detections/web/adobe_coldfusion_access_control_bypass.yml 
@@ -1,16 +1,35 @@ name: Adobe ColdFusion Access Control Bypass id: d6821c0b-fcdc-4c95-a77f-e10752fae41a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", "/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. 
It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +description: The following analytic detects potential exploitation attempts against + Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors + requests to specific ColdFusion Administrator endpoints, especially those with an + unexpected additional forward slash, using the Web datamodel. This activity is significant + for a SOC as it indicates attempts to bypass access controls, which can lead to + unauthorized access to ColdFusion administration endpoints. If confirmed malicious, + this could result in data theft, brute force attacks, or further exploitation of + other vulnerabilities, posing a serious security risk to the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", + "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", + "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", + "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", + "/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, + Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk + for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. 
+ It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/ drilldown_searches: @@ -19,9 +38,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-29298 against $dest$. + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-29298 
@@ -29,39 +62,17 @@ tags: - Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 asset_type: Network atomic_guid: [] - confidence: 50 - impact: 90 - message: Possible exploitation of CVE-2023-29298 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - - Web.status - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log source: suricata sourcetype: suricata diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml index af082fb832..6db52e23c4 100644 --- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml +++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml 
@@ -1,16 +1,34 @@ name: Adobe ColdFusion Unauthenticated Arbitrary File Read id: 695aceae-21db-4e7f-93ac-a52e39d02b93 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. It monitors web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path using the Web datamodel, focusing on specific ColdFusion paths to differentiate malicious activity from normal traffic. This activity is significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions, necessitating immediate investigation. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/cf_scripts/scripts/ajax/ckeditor/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: 'In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.' 
+description: The following analytic detects potential exploitation of the Adobe ColdFusion + vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. + It monitors web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path using + the Web datamodel, focusing on specific ColdFusion paths to differentiate malicious + activity from normal traffic. This activity is significant due to the vulnerability's + high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could + lead to unauthorized data access, further attacks, or severe operational disruptions, + necessitating immediate investigation. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/cf_scripts/scripts/ajax/ckeditor/*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk + for Palo Alto. +known_false_positives: 'In the wild, we have observed three different types of attempts + that could potentially trigger false positives if the HTTP status code is not in + the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 + . These could be legitimate requests depending on the context of your organization. + Therefore, it is recommended to modify the analytic as needed to suit your specific + environment.' references: - https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml 
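Review bot: the re-wrapped search keeps `by Web.http_user_agent, Web.status Web.http_method, Web.url` with no comma between `Web.status` and `Web.http_method`; SPL accepts space-separated by-fields so it still parses, but the mixed separators read like a dropped field and should be made consistent while the line is being touched. The `known_false_positives` wrap also strands the sentence-ending period at the start of a continuation line (`+ . These could be`); consider `URIs: <url>. These could be` so the folded scalar does not render a space before the period.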
@@ -20,9 +38,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-26360 against $dest$. + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-26360 
@@ -30,39 +62,17 @@ tags: - Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 asset_type: Network atomic_guid: [] - confidence: 50 - impact: 90 - message: Possible exploitation of CVE-2023-26360 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - - Web.status - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/cve_2023_29360_coldfusion.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/cve_2023_29360_coldfusion.log source: suricata sourcetype: suricata diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml index b085133dbd..804b64d152 100644 --- a/detections/web/cisco_ios_xe_implant_access.yml +++ b/detections/web/cisco_ios_xe_implant_access.yml 
@@ -1,16 +1,31 @@ name: Cisco IOS XE Implant Access id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies the potential exploitation of a vulnerability (CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. It detects suspicious account creation and subsequent actions, including the deployment of a non-persistent implant configuration file. The detection leverages the Web datamodel, focusing on specific URL patterns and HTTP methods. This activity is significant as it indicates unauthorized administrative access, which can lead to full control of the device. If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198. +description: The following analytic identifies the potential exploitation of a vulnerability + (CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. 
It detects + suspicious account creation and subsequent actions, including the deployment of + a non-persistent implant configuration file. The detection leverages the Web datamodel, + focusing on specific URL patterns and HTTP methods. This activity is significant + as it indicates unauthorized administrative access, which can lead to full control + of the device. If confirmed malicious, attackers could maintain privileged access, + compromising the device's integrity and security. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST + Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, + Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk + for Palo Alto. +known_false_positives: False positives may be present, restrict to Cisco IOS XE devices + or perimeter appliances. Modify the analytic as needed based on hunting for successful + exploitation of CVE-2023-20198. references: - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ - https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner 
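Review bot: two small style points in the re-wrapped search: `Web.status Web.http_method` is missing the comma that the rest of the by-list uses, and `` `security_content_ctime(lastTime)`| `` lacks the space before the pipe that every other macro in the pipeline has. Both parse, but since this hunk is a reformat anyway it is the right moment to normalise them.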
@@ -20,9 +35,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-20198 against $dest$ by $src$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-20198 
@@ -30,36 +59,17 @@ tags: - Cisco IOS XE Software Web Management User Interface vulnerability asset_type: Network atomic_guid: [] - confidence: 90 - impact: 90 - message: Possible exploitation of CVE-2023-20198 against $dest$ by $src$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log source: suricata sourcetype: suricata diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml index f614457fee..e17f9a29b1 100644 --- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml +++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml 
@@ -1,16 +1,33 @@ name: Citrix ADC and Gateway Unauthorized Data Disclosure id: b593cac5-dd20-4358-972a-d945fefdaf17 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible. -known_false_positives: False positives may be present based on organization use of Citrix ADC and Gateway. 
Filter, or restrict the analytic to Citrix devices only. +description: The following analytic detects attempts to exploit the Citrix Bleed vulnerability + (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies + HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration + URL endpoint. By parsing web traffic and filtering based on user agent details, + HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially + malicious requests. This activity is significant for a SOC because successful exploitation + can allow attackers to impersonate legitimate users, bypass authentication, and + access sensitive data. If confirmed malicious, it could lead to unauthorized data + access, network propagation, and critical information exfiltration. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk + for Palo Alto. We recommend hunting in the environment first to understand the scope + of the issue and then deploying this detection to monitor for future exploitation + attempts. Limit or restrict to Citrix devices only if possible. +known_false_positives: False positives may be present based on organization use of + Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only. 
references: - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 
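Review bot: the rewritten description says the search filters "based on user agent details, HTTP method, source and destination IPs, and sourcetype", but the where clause only filters on Web.url and Web.status=200; those other fields appear solely in the by clause as grouping keys. Since this hunk already rewrites the description, reword it to say the analytic groups by those fields, with the only further filtering coming from the `citrix_adc_and_gateway_unauthorized_data_disclosure_filter` macro.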
@@ -20,46 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron + $src$. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 asset_type: Web Server atomic_guid: [] - confidence: 90 - impact: 100 - message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: IP Address - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log source: suricata sourcetype: suricata diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml index b5455d8248..fd10fa8aee 100644 --- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml +++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml 
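Review bot: the new rba.message still carries the typo "fron $src$" inherited from the removed tags.message; since this string now surfaces as the risk message in Enterprise Security, change it to "from $src$" before merging. The score of 90 matches the removed confidence 90 / impact 100 pair, so that part of the migration looks right.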
@@ -1,16 +1,29 @@ name: Citrix ADC Exploitation CVE-2023-3519 id: 76ac2dcb-333c-4a77-8ae9-2720cfae47a8 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Hunting data_source: - Palo Alto Network Threat -description: The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only. +description: The following analytic identifies potential exploitation attempts against + Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints + associated with this vulnerability by leveraging the Web datamodel. 
This activity + is significant as CVE-2023-3519 involves a SAML processing overflow issue that can + lead to memory corruption, posing a high risk. If confirmed malicious, attackers + could exploit this to execute arbitrary code, escalate privileges, or disrupt services, + making it crucial for SOC analysts to monitor and investigate these alerts promptly. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk + for Palo Alto. +known_false_positives: False positives may be present based on organization use of + SAML utilities. Filter, or restrict the analytic to Citrix devices only. references: - https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/ - https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467 
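Review bot: the Web.url IN list in the reflowed search mixes wildcard-prefixed patterns ("*/saml/login", "*/saml/activelogin", "*/cgi/logout") with absolute paths ("/cgi/samlauth", "/cgi/samlart?samlart=*", "/gwtest/formssso?event=start&target=*"); if the populated Web.url holds more than the path (a scheme and host, as some add-ons emit), the absolute entries never match. Either use a consistent "*/cgi/samlauth" style for every entry or state the path-only assumption in how_to_implement.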
@@ -24,32 +37,17 @@ tags: - CVE-2023-3519 asset_type: Network atomic_guid: [] - confidence: 50 - impact: 90 - message: Possible expliotation of CVE-2023-3519 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log source: pan:threat sourcetype: pan:threat diff --git a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml index 4631d4187c..96096309be 100644 --- a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml +++ b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml 
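Review bot: this analytic keeps security_domain: endpoint while the other Web-datamodel analytics touched in this PR (Citrix ADC and Gateway Unauthorized Data Disclosure, Citrix ShareFile Exploitation) use security_domain: network; since the tags block is being edited here anyway, align it to network unless endpoint is intentional for a Palo Alto threat-log source.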
@@ -1,16 +1,35 @@ name: Citrix ShareFile Exploitation CVE-2023-24489 id: 172c59f2-5fae-45e5-8e51-94445143e93f -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Hunting data_source: - Suricata -description: The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`' -how_to_implement: Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not. -known_false_positives: False positives may be present, filtering may be needed. 
Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP. +description: The following analytic detects potentially malicious file upload attempts + to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages + the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", + "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined + with the HTTP POST method. This activity is significant for a SOC as it may indicate + an attempt to upload harmful scripts or content, potentially compromising the Documentum + application. If confirmed malicious, this could lead to unauthorized access, data + breaches, and operational disruptions. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") + AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `citrix_sharefile_exploitation_cve_2023_24489_filter`' +how_to_implement: Dependent upon the placement of the ShareFile application, ensure + the latest Technology Add-On is eneabled. This detection requires the Web datamodel + to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, + Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, + therefore ingesting IIS logs and reviewing for the same pattern would identify this + activity, successful or not. +known_false_positives: False positives may be present, filtering may be needed. Also, + restricting to known web servers running IIS or ShareFile will change this from + Hunting to TTP. 
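Review bot: the reflowed how_to_implement line still has the typo "eneabled"; fix it to "enabled" while the line is being touched. The search itself only changes the quoting of the drop_dm_object_name argument, so no logic concern there.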
references: - https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ tags: @@ -20,32 +39,17 @@ tags: - CVE-2023-24489 asset_type: Network atomic_guid: [] - confidence: 50 - impact: 90 - message: Possible expliotation of CVE-2023-24489 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml index d531b29830..625f7aa5ab 100644 --- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml +++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml 
@@ -1,16 +1,29 @@ name: Confluence CVE-2023-22515 Trigger Vulnerability id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies potential exploitation attempts of the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk 'Web' Data Model. This activity is significant for a SOC as it indicates possible privilege escalation attempts in Confluence. If confirmed malicious, attackers could gain unauthorized access or create accounts with escalated privileges, leading to potential data breaches or further exploitation within the environment. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. -known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers. +description: The following analytic identifies potential exploitation attempts of + the Confluence CVE-2023-22515 vulnerability. 
It detects successful accesses (HTTP + status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk + 'Web' Data Model. This activity is significant for a SOC as it indicates possible + privilege escalation attempts in Confluence. If confirmed malicious, attackers could + gain unauthorized access or create accounts with escalated privileges, leading to + potential data breaches or further exploitation within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") + Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, + Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. + Tested with Suricata and nginx:plus:kv. +known_false_positives: False positives may be present with legitimate applications. + Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers. references: - https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py - https://x.com/Shadowserver/status/1712378833536741430?s=20 
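Review bot: the reflowed how_to_implement keeps the typo "relavent" and the agreement error "information on Web traffic that include fields"; suggest "ingesting Web traffic data that includes the fields relevant to the `Web` datamodel". The identical sentence in the Confluence Data Center and Server Privilege Escalation and Confluence Pre-Auth RCE via OGNL Injection analytics in this PR carries the same typo.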
@@ -21,46 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence + detected. The source IP is $src$ and the destination hostname is $dest$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server asset_type: Web Server atomic_guid: [] - confidence: 80 - impact: 90 - message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - - Web.status security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml index 2acfc79ab3..95e9336c6a 100644 --- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml +++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml 
@@ -1,16 +1,30 @@ name: Confluence Data Center and Server Privilege Escalation id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Nginx Access -description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering for successful accesses (HTTP status 200) to these endpoints. This activity is significant as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. If confirmed malicious, it could result in unauthorized access or account creation with escalated privileges, leading to potential data breaches or further exploitation within the environment. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*", "*/json/setup-restore-local.action*", "*/json/setup-restore-progress.action*", "*/json/setup-restore.action*", "*/bootstrap/selectsetupstep.action*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. 
+description: The following analytic identifies potential exploitation attempts on + a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* + URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering + for successful accesses (HTTP status 200) to these endpoints. This activity is significant + as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. + If confirmed malicious, it could result in unauthorized access or account creation + with escalated privileges, leading to potential data breaches or further exploitation + within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*", + "*/json/setup-restore-local.action*", "*/json/setup-restore-progress.action*", "*/json/setup-restore.action*", + "*/bootstrap/selectsetupstep.action*") Web.status=200 by Web.http_user_agent, Web.status + Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. +known_false_positives: False positives may be present with legitimate applications. + Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. references: - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html 
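Review bot: the rewritten description says the analytic targets "the /setup/*.action* URL pattern", but the search also matches /json/setup-restore-local.action, /json/setup-restore-progress.action, /json/setup-restore.action and /bootstrap/selectsetupstep.action; broaden the description (for example "the setup, setup-restore and bootstrap .action endpoints") so it matches what the search actually does.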
@@ -22,9 +36,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence + detected. The source IP is $src$ and the destination hostname is $dest$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 
@@ -33,37 +62,17 @@ tags: - CVE-2023-22518 asset_type: Web Server atomic_guid: [] - confidence: 80 - impact: 90 - message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent security_domain: network tests: - name: Nginx Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml index 6443cc371d..e8da6a5df9 100644 --- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml +++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml 
@@ -1,16 +1,29 @@ name: Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 id: f56936c0-ae6f-4eeb-91ff-ecc1448c6105 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies attempts to exploit a critical template injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and Server versions. It detects POST requests to the "/template/aui/text-inline.vm" endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection attacks. This activity is significant as it allows unauthenticated attackers to execute arbitrary code remotely. If confirmed malicious, attackers could gain full control over the affected Confluence instance, leading to data breaches, system compromise, and further network infiltration. Immediate patching is essential to mitigate this threat. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. +description: The following analytic identifies attempts to exploit a critical template + injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and + Server versions. 
It detects POST requests to the "/template/aui/text-inline.vm" + endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection + attacks. This activity is significant as it allows unauthenticated attackers to + execute arbitrary code remotely. If confirmed malicious, attackers could gain full + control over the affected Confluence instance, leading to data breaches, system + compromise, and further network infiltration. Immediate patching is essential to + mitigate this threat. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN + (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. +known_false_positives: False positives may be present with legitimate applications. + Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. references: - https://github.com/cleverg0d/CVE-2023-22527 - https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html 
@@ -20,9 +33,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Exploitation attempts on a known vulnerability in Atlassian Confluence + detected. The source IP is $src$ and the destination hostname is $dest$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-22527 
@@ -30,35 +58,17 @@ tags: - Confluence Data Center and Confluence Server Vulnerabilities asset_type: Web Application atomic_guid: [] - confidence: 90 - impact: 90 - message: Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url - - Web.status security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml index 0e17227882..a0d16683f5 100644 --- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml +++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml 
@@ -1,16 +1,34 @@ name: Confluence Unauthenticated Remote Code Execution CVE-2022-26134 id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage. +description: The following analytic detects attempts to exploit CVE-2022-26134, an + unauthenticated remote code execution vulnerability in Confluence. It leverages + the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious + URL patterns and parameters indicative of exploitation attempts. This activity is + significant as it allows attackers to execute arbitrary code on the Confluence server + without authentication, potentially leading to full system compromise. If confirmed + malicious, this could result in unauthorized access, data exfiltration, and further + lateral movement within the network. Immediate investigation and remediation are + crucial to prevent extensive damage. 
data_source: - Palo Alto Network Threat -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" Web.url="*java.lang.Runtime@getRuntime().exec*") OR (Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*") OR (Web.url="*getEngineByName*" AND Web.url="*nashorn*" AND Web.url="*ProcessBuilder*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. -known_false_positives: Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" + Web.url="*java.lang.Runtime@getRuntime().exec*") OR (Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*") + OR (Web.url="*getEngineByName*" AND Web.url="*nashorn*" AND Web.url="*ProcessBuilder*") + by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest + sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache or Splunk for Nginx. 
In addition, + network based logs or event data like PAN Threat. +known_false_positives: Tune based on assets if possible, or restrict to known Confluence + servers. Remove the ${ for a more broad query. To identify more exec, remove everything + up to the last parameter (Runtime().exec) for a broad query. references: - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html - https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html 
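Review bot: `how_to_implement` in this hunk still carries a sentence fragment, "In addition, network based logs or event data like PAN Threat."; since the line is being rewrapped anyway, complete it, e.g. "In addition, network-based logs or event data such as PAN Threat can populate the datamodel." In the rewrapped `search`, `Web.url IN ("*${*", "*%2F%7B*")`: `%2F%7B` decodes to `/{`, while the URL-encoded form of `${` is `%24%7B`, so confirm the second pattern is the one intended. The `by` clause also mixes comma- and space-separated fields (`Web.http_method, Web.url,Web.url_length Web.src`); worth normalising while the line is touched.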
@@ -22,50 +40,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A URL was requested related to CVE-2022-26134, a unauthenticated remote + code execution vulnerability, on $dest$ by $src$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Atlassian Confluence Server and Data Center CVE-2022-26134 - Confluence Data Center and Confluence Server Vulnerabilities asset_type: Web Server - confidence: 100 cve: - CVE-2022-26134 - impact: 100 - message: A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$. 
mitre_attack_id: - T1505 - T1190 - T1133 - observable: - - name: dest - type: IP Address - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 100 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml index c662479013..f13fd7acc0 100644 --- a/detections/web/connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml 
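Review bot: grammar in the new `rba.message`: "a unauthenticated remote code execution vulnerability" should read "an unauthenticated remote code execution vulnerability"; the text was carried over verbatim from the removed `tags.message`, so this hunk is the place to fix it. Also note the removed `observable` typed `dest` as `IP Address` while the new `risk_objects` entry types it `system`; that matches the other detections in this change, just confirm it is deliberate.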
@@ -1,16 +1,37 @@ name: ConnectWise ScreenConnect Authentication Bypass id: d3f7a803-e802-448b-8eb2-e796b223bfff -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Suricata type: TTP status: production -description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via an alternate path or channel. It leverages web request logs to identify access to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected system, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | rex field=Web.url "/SetupWizard.aspx/(?.+)" | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`' -how_to_implement: To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further. 
-known_false_positives: False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via + an alternate path or channel. It leverages web request logs to identify access to + the SetupWizard.aspx page, indicating potential exploitation. This activity is significant + as it can lead to unauthorized administrative access and remote code execution. + If confirmed malicious, attackers could create administrative users and gain full + control over the affected system, posing severe security risks. Immediate remediation + by updating to version 23.9.8 or above is recommended. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST + by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, + sourcetype, source | rex field=Web.url "/SetupWizard.aspx/(?.+)" | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`' +how_to_implement: To implement this analytic, ensure proper logging is occurring with + IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. + The analytic was written against Suricata. The proper TA will need to be enabled + and should be mapped to CIM and the Web datamodel. Ingestion of the data source + is required to utilize this detection. 
In addition, if it is not mapped to the datamodel, + modify the query for your application logs to look for requests the same URI and + investigate further. +known_false_positives: False positives are not expected, as the detection is based + on the presence of web requests to the SetupWizard.aspx page, which is not a common + page to be accessed by legitimate users. Note that the analytic is limited to HTTP + POST and a status of 200 to reduce false positives. Modify the query as needed to + reduce false positives or hunt for additional indicators of compromise. references: - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 
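Review bot: in the rewrapped `search`, the `rex` capture group reads `"/SetupWizard.aspx/(?.+)"`, which is not a valid named group; if the source file actually has `(?<name>.+)` and the angle-bracket name was dropped in this rendering, ignore this, otherwise the extraction will fail at search time. Also in `how_to_implement`: "look for requests the same URI" is missing a word ("requests to the same URI").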
@@ -21,35 +42,32 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An authentication bypass attempt against ScreenConnect has been detected + on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - ConnectWise ScreenConnect Vulnerabilities asset_type: Web Server - confidence: 100 - impact: 100 - message: An authentication bypass attempt against ScreenConnect has been detected on $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url - - Web.status - - Web.http_method - risk_score: 100 security_domain: network cve: - CVE-2024-1708 
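Review bot: `threat_objects: []` here, yet the search groups by `Web.src`, and the other detections in this change (e.g. the CVE-2022-26134 one) map `src` as an `ip_address` threat object; unless there is a reason not to, add `- field: src` / `type: ip_address` and include `$src$` in the message so the risk event carries the requesting address. Separately, the `cve` list visible at the end of the hunk begins with CVE-2024-1708 while the description names CVE-2024-1709; confirm both are listed.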
@@ -57,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log sourcetype: suricata source: suricata diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml index 5eea9ad213..dbf55e5ed9 100644 --- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml +++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml 
@@ -1,41 +1,46 @@ name: Detect attackers scanning for vulnerable JBoss servers id: 104658f4-afdc-499e-9719-17243f982681 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise. +description: The following analytic identifies specific GET or HEAD requests to web + servers that indicate reconnaissance attempts to find vulnerable JBoss servers. + It leverages data from the Web data model, focusing on HTTP methods and URLs associated + with JBoss management interfaces. This activity is significant because it often + precedes exploitation attempts using tools like JexBoss, which can compromise the + server. If confirmed malicious, attackers could gain unauthorized access, execute + arbitrary code, or escalate privileges, leading to potential data breaches and system + compromise. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`' -how_to_implement: You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model. -known_false_positives: It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") + AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" + OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`' +how_to_implement: You must be ingesting data from the web server or network traffic + that contains web specific information, and populating the Web data model. +known_false_positives: It's possible for legitimate HTTP requests to be made to URLs + containing the suspicious paths. 
references: [] +rba: + message: Potential Scanning for Vulnerable JBoss Servers + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - JBoss Vulnerability - SamSam Ransomware asset_type: Web Server - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1082 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.src - - Web.dest - risk_score: 25 security_domain: network diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml index 12411042b2..28b011afe7 100644 --- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml +++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml 
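Review bot: the new `rba.message`, "Potential Scanning for Vulnerable JBoss Servers", replaces the old `tbd` but carries no field substitutions; the search groups by `Web.src` and `Web.dest`, so a message such as "Potential scanning for vulnerable JBoss servers on $dest$ from $src$" would make the risk event self-describing, and `src` could be listed under `threat_objects` instead of `[]`. Minor: in the search, `*/web-console/ServerInfo.jsp*` is already matched by `*web-console*`, and `Web.url = "*invoker*"` has spacing around `=` that the other terms do not.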
@@ -1,39 +1,48 @@ name: Detect F5 TMUI RCE CVE-2020-5902 id: 810e4dbc-d46e-11ea-87d0-0242ac130003 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. +description: The following analytic identifies remote code execution (RCE) attempts + targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. + It uses regex to detect patterns in syslog data that match known exploit strings + such as "hsqldb;" and directory traversal sequences. This activity is significant + because successful exploitation can allow attackers to execute arbitrary commands + on the affected devices, leading to full system compromise. If confirmed malicious, + this could result in unauthorized access, data exfiltration, or further lateral + movement within the network. data_source: [] search: '`f5_bigip_rogue` | regex _raw="(hsqldb;|.*\\.\\.;.*)" | search `detect_f5_tmui_rce_cve_2020_5902_filter`' -how_to_implement: To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. 
I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;). +how_to_implement: To consistently detect exploit attempts on F5 devices using the + vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs + via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, + detections via wire data may not pick anything up unless you are decrypting SSL + traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation + technique to try and always catch the offending string (..;), along with the other + exploit of using (hsqldb;). known_false_positives: unknown references: - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ - https://support.f5.com/csp/article/K52145254 +rba: + message: Potential F5 TMUI RCE traffic + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - F5 TMUI RCE CVE-2020-5902 asset_type: Network - confidence: 50 cve: - CVE-2020-5902 - impact: 50 - message: tbd mitre_attack_id: - T1190 - observable: - - name: dest - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - risk_score: 25 security_domain: network diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml index 753a6d3e20..7a162d7c7f 100644 --- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml +++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml 
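Review bot: `rba.risk_objects` names `field: dest`, but the search in this hunk is the `f5_bigip_rogue` macro followed only by a `regex _raw=...` filter, with no field extraction; `dest` therefore only exists if the macro's sourcetype already provides it, and a missing risk object field silently produces no risk event, so confirm that before merging. As with the JBoss detections, the message "Potential F5 TMUI RCE traffic" would be more useful with `$dest$` in it, and `known_false_positives: unknown` remains a placeholder.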
@@ -1,39 +1,44 @@ name: Detect malicious requests to exploit JBoss servers id: c8bff7a4-11ea-4416-a27d-c5bca472913d -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security. +description: The following analytic identifies malicious HTTP requests targeting the + jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded + payloads, by analyzing web server logs for GET or HEAD requests with specific URL + patterns and lengths. This activity is significant as it may indicate an attempt + to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code + execution. If confirmed malicious, attackers could gain control over the server, + escalate privileges, and compromise sensitive data, posing a severe threat to the + organization's security. 
data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200 | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`' -how_to_implement: You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") + by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" + AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, + lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`' +how_to_implement: You must ingest data from the web server or capture network data + that contains web specific information with solutions such as Bro or Splunk Stream, + and populating the Web data model known_false_positives: No known false positives for this detection. 
references: [] +rba: + message: Potentially malicious traffic exploiting JBoss servers + risk_objects: + - field: dest_ip + type: system + score: 25 + threat_objects: [] tags: analytic_story: - JBoss Vulnerability - SamSam Ransomware asset_type: Web Server - confidence: 50 - impact: 50 - message: tbd - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - risk_score: 25 security_domain: network diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index a7f3aa11a1..6f186e9379 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml 
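Review bot: the new risk object is `field: dest_ip`, but nothing in the search produces `dest_ip`: `drop_dm_object_name("Web")` turns `Web.dest` into `dest`, and the trailing `| table src, dest_ip, http_method, url, firstTime, lastTime` selects a field that does not exist (the removed `observable` used `dest`). Use `dest` in both the `table` clause and `risk_objects`, or rename it explicitly before the `table`, otherwise the risk event will have no system to attach to. Minor: `how_to_implement` ends without a period, and "and populating the Web data model" should be "and populate the Web data model".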
@@ -1,16 +1,39 @@ name: Detect Remote Access Software Usage URL id: 9296f515-073c-43a5-88ec-eda5a4626654 -version: 4 -date: '2024-09-30' +version: 7 +date: '2024-11-15' author: Steven Dick status: production type: Anomaly -description: The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk. +description: The following analytic detects the execution of known remote access software + within the environment. It leverages network logs mapped to the Web data model, + identifying specific URLs and user agents associated with remote access tools like + AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries + often use these utilities to maintain unauthorized remote access. If confirmed malicious, + this could allow attackers to control systems remotely, exfiltrate data, or further + compromise the network, posing a severe security risk. 
data_source: - Palo Alto Network Threat -search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Web)` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_url_filter`' -how_to_implement: The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device- based exceptions for this set of detections. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content +search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) + as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as + url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action + Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS + url_domain OUTPUT isutility, description as signature, comment_reference as desc, + category | search isutility = True | `remote_access_software_usage_exceptions` | + `detect_remote_access_software_usage_url_filter`' +how_to_implement: The detection is based on data that originates from network logs. + These logs must be processed using the appropriate Splunk Technology Add-ons that + are specific to the network logs. The logs must also be mapped to the `Web` data + model. Use the Splunk Common Information Model (CIM) to normalize the field names + and speed up the data modeling process. The "exceptions" macro leverages both an + Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" + that lets you track and maintain device- based exceptions for this set of detections. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. Known false + positives can be added to the remote_access_software_usage_exception.csv lookup + to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
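Review bot: the exception store is named two different ways in this hunk: `how_to_implement` refers to a KVStore collection called "remote_software_exceptions", while `known_false_positives` refers to the `remote_access_software_usage_exception.csv` lookup; confirm which one the `remote_access_software_usage_exceptions` macro actually reads and align both sentences. Also "device- based" has a stray space after the hyphen, `known_false_positives` is missing its final period, and the version jumps from 4 to 7 in a single change, which is fine if intended but deserves a line in the commit message.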
@@ -21,50 +44,53 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +- name: Investigate traffic to $url_domain$ + search: '| from datamodel:Web | search src=$src$ url_domain=$url_domain$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A domain for a known remote access software $url_domain$ was contacted + by $src$. 
+ risk_objects: + - field: src + type: system + score: 25 + - field: user + type: user + score: 25 + threat_objects: + - field: url_domain + type: domain + - field: signature + type: signature tags: analytic_story: - Insider Threat - Command And Control - Ransomware - CISA AA24-241A + - Remote Monitoring and Management Software asset_type: Network - confidence: 50 - impact: 50 - message: A domain for a known remote access software $url_domain$ was contacted by $src$. mitre_attack_id: - T1219 - observable: - - name: src - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url_domain - type: Hostname - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.action - - Web.src - - Web.category - - Web.url_domain - risk_score: 25 security_domain: network manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log source: screenconnect_palo sourcetype: pan:threat diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml index 77a6d3f651..d9b87dfcf0 100644 --- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml +++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml 
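Review bot: the new `Investigate traffic to $url_domain$` drilldown passes its tokens unquoted (`search src=$src$ url_domain=$url_domain$`) while the risk-events drilldown just above it quotes them (`IN ("$src$", "$user$")`); a `url_domain` or `src` value containing a space or another SPL-significant character will break the unquoted form, so write it as `src="$src$" url_domain="$url_domain$"`. The `| from datamodel:Web` spelling also differs from `| from datamodel Risk.All_Risk` one entry above; both parse, but pick one form for the file.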
@@ -1,16 +1,40 @@ name: Exploit Public Facing Application via Apache Commons Text id: 19a481e0-c97c-4d14-b1db-75a708eb592e -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic detects attempts to exploit the CVE-2022-42889 + vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages + the Web datamodel to identify suspicious HTTP requests containing specific lookup + keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity + is significant as it targets a critical vulnerability that can allow attackers to + execute arbitrary code on the server. If confirmed malicious, this could lead to + full system compromise, data exfiltration, or further lateral movement within the + network. 
data_source: - Nginx Access -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(Web)` | eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0) | eval lookup = if(like(lower(uri_query), "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0) | eval other_lookups = if(like(lower(uri_query), "%env%") OR like(lower(uri_query), "%file%") OR like(lower(uri_query), "%getRuntime%") OR like(lower(uri_query), "%java%") OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), "%xml%") OR like(lower(uri_query), "%base%"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`' -how_to_implement: To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement. -known_false_positives: False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4). 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status + Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name("Web")` + | eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0) | eval lookup = if(like(lower(uri_query), + "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0) + | eval other_lookups = if(like(lower(uri_query), "%env%") OR like(lower(uri_query), + "%file%") OR like(lower(uri_query), "%getRuntime%") OR like(lower(uri_query), "%java%") + OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") + OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), + "%xml%") OR like(lower(uri_query), "%base%"),1,0) | addtotals fieldname=Score utf + lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, + http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`' +how_to_implement: To implement, one must be collecting network traffic that is normalized + in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed + and tie to a specific network source type to hunt in. Tune as needed, or remove + the other_lookups statement. +known_false_positives: False positives are present when the values are set to 1 for + utf and lookup. It's possible to raise this to TTP (direct finding) if removal of + other_lookups occur and Score is raised to 2 (down from 4). references: - https://sysdig.com/blog/cve-2022-42889-text4shell/ - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 
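Review bot: the reflowed `known_false_positives` still says the score threshold could be "raised to 2 (down from 4)", but the `search` in the same hunk gates on `where Score >= 3`; since the version is bumped anyway, reword the sentence so the documented threshold matches the query. Minor: the `fields` clause switches from comma-separated to space-separated names at `http_user_agent firstTime lastTime`; it works, but the mixed style invites a future mis-edit.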
@@ -24,50 +48,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A URL was requested related to Text4Shell on $dest$ by $src$. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Text4Shell CVE-2022-42889 asset_type: Web Server - confidence: 70 cve: - CVE-2022-42889 - impact: 70 - message: A URL was requested related to Text4Shell on $dest$ by $src$. 
mitre_attack_id: - T1505.003 - T1505 - T1190 - T1133 - observable: - - name: dest - type: IP Address - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.src - - Web.dest - - Web.http_user_agent - - Web.status - - Web.uri_query - - Web.uri_path - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml index 1465835197..a67a69b392 100644 --- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml +++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml 
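Review bot: in the tests block `- data:` now has its URL on a continuation line; YAML accepts a plain scalar that begins on the line after its key, so this parses to the same string, but only because the URL has no characters that would require quoting. The same split appears in every detection in this change, so make sure the formatter that produced it is the one CI enforces, otherwise the next `contentctl` run will re-wrap all of these files again and produce another no-op diff of this size.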
@@ -1,16 +1,29 @@ name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 id: 2038f5c6-5aba-4221-8ae2-ca76e2ca8b97 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. +description: The following analytic detects attempts to exploit the Fortinet FortiNAC + CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp + with a payload.zip file. The detection leverages the Web datamodel, analyzing fields + such as URL, HTTP method, and user agent. This activity is significant as it indicates + an attempt to exploit a known vulnerability, potentially leading to remote code + execution. If confirmed malicious, attackers could gain control over the affected + system, schedule malicious tasks, and establish persistent access via a remote command + and control (C2) server. 
data_source: - Palo Alto Network Threat -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status + Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk + for Palo Alto. +known_false_positives: False positives may be present. Modify the query as needed + to POST, or add additional filtering (based on log source). references: - https://github.com/horizon3ai/CVE-2022-39952 - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ 
@@ -21,44 +34,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential CVE-2022-39952 against a Fortinet NAC may be occurring against + $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Fortinet FortiNAC CVE-2022-39952 asset_type: Network - confidence: 80 cve: - CVE-2022-39952 - impact: 80 - message: Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.http_user_agent - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype - risk_score: 64 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml index 544bc6f0f4..21f73cba3c 100644 --- a/detections/web/f5_tmui_authentication_bypass.yml +++ b/detections/web/f5_tmui_authentication_bypass.yml 
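Review bot: `threat_objects: []` in the new `rba` block leaves this detection with no attacker entity even though `Web.src` is in the search's `by` clause; the Text4Shell and F5 TMUI detections in this same change map `src` with `type: ip_address`, so do the same here rather than carry forward the gap the old `observable` list had. Separately, the test entry drops `update_timestamp: true`; confirm that the replayed `web_fortinetnac.log` events still fall inside the test search window without it.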
@@ -1,16 +1,30 @@ name: F5 TMUI Authentication Bypass id: 88bf127c-613e-4579-99e4-c4d4b02f3840 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects attempts to exploit the CVE-2023-46747 vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility (TMUI). It identifies this activity by monitoring for specific URI paths such as "*/mgmt/tm/auth/user/*" with the PATCH method and a 200 status code. This behavior is significant for a SOC as it indicates potential unauthorized access attempts, leading to remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct further malicious activities within the network. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/mgmt/tm/auth/user/*") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel. -known_false_positives: False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed. +description: The following analytic detects attempts to exploit the CVE-2023-46747 + vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility + (TMUI). It identifies this activity by monitoring for specific URI paths such as + "*/mgmt/tm/auth/user/*" with the PATCH method and a 200 status code. 
This behavior + is significant for a SOC as it indicates potential unauthorized access attempts, + leading to remote code execution. If confirmed malicious, an attacker could gain + unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct + further malicious activities within the network. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/mgmt/tm/auth/user/*") Web.http_method=PATCH Web.status=200 + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relevant for traffic into the `Web` datamodel. +known_false_positives: False positives should be limited to as this is strict to active + exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter + data as needed. references: - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ - https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml 
@@ -20,9 +34,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring + against $dest$ from $src$. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - F5 Authentication Bypass with TMUI 
@@ -30,36 +59,15 @@ tags: atomic_guid: [] cve: - CVE-2023-46747 - confidence: 90 - impact: 100 - message: Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$. - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5_tmui.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5_tmui.log source: suricata sourcetype: suricata diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml index 34754edd27..26b16128b0 100644 --- a/detections/web/fortinet_appliance_auth_bypass.yml +++ b/detections/web/fortinet_appliance_auth_bypass.yml 
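Review bot: `security_domain: endpoint` is kept for this Web-datamodel detection while every sibling detection touched by this change (Text4Shell, FortiNAC, Fortinet appliance auth bypass, High Volume of Bytes Out) uses `security_domain: network`; with the version already bumped, align it. Cosmetic: the reflowed search has no space before the last pipe in `` `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter` ``.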
@@ -1,16 +1,33 @@ name: Fortinet Appliance Auth bypass id: a83122f2-fa09-4868-a230-544dbc54bc1c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information. +description: The following analytic detects attempts to exploit CVE-2022-40684, a + Fortinet appliance authentication bypass vulnerability. It identifies REST API requests + to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that + may indicate unauthorized modifications, such as adding SSH keys or creating new + users. This detection leverages the Web datamodel to monitor specific URL patterns + and HTTP methods. This activity is significant as it can lead to unauthorized access + and control over the appliance. If confirmed malicious, attackers could gain persistent + access, reroute network traffic, or capture sensitive information. 
data_source: - Palo Alto Network Threat -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/api/v2/cmdb/system/admin*") Web.http_method IN ("GET", "PUT") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/api/v2/cmdb/system/admin*") Web.http_method IN ("GET", "PUT") + by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, + sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk + for Palo Alto. +known_false_positives: GET requests will be noisy and need to be filtered out or removed + from the query based on volume. Restrict analytic to known publically facing Fortigates, + or run analytic as a Hunt until properly tuned. 
It is also possible the user agent + may be filtered on Report Runner or Node.js only for the exploit, however, it is + unknown at this if other user agents may be used. references: - https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/ - https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/ 
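Review bot: the reflowed `description` still says the analytic identifies GET, POST, PUT and DELETE requests, but the `search` in the same hunk filters `Web.http_method IN ("GET", "PUT")`; either widen the IN list or correct the description so the two agree. Three typos are carried into the new lines: `Splunk for Apache. Splunk for Nginx` (the period should be a comma), `publically` (publicly), and `unknown at this if` (missing `time`).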
@@ -24,44 +41,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential CVE-2022-40684 against a Fortinet appliance may be occurring + against $dest$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: [] tags: analytic_story: - CVE-2022-40684 Fortinet Appliance Auth bypass asset_type: Network - confidence: 90 cve: - CVE-2022-40684 - impact: 90 - message: Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.http_user_agent - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype - risk_score: 81 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/high_volume_of_bytes_out_to_url.yml b/detections/web/high_volume_of_bytes_out_to_url.yml index 610481f0e5..06dc8e5092 100644 --- a/detections/web/high_volume_of_bytes_out_to_url.yml +++ b/detections/web/high_volume_of_bytes_out_to_url.yml 
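Review bot: `threat_objects: []` leaves the `rba` block without an attacker entity although `Web.src` is part of the search's `by` clause; add `- field: src` with `type: ip_address` as the Text4Shell and F5 TMUI detections in this change do. The test entry also drops `update_timestamp: true`; confirm the replay of `fortinetcve202240684.log` still lands inside the search window without it.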
@@ -1,16 +1,32 @@ name: High Volume of Bytes Out to Url id: c8a6b56d-16dd-4e9c-b4bd-527742ead98d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Bhavin Patel, Splunk data_source: - Nginx Access type: Anomaly status: production -description: The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats. -search: '| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name(Web)`| `high_volume_of_bytes_out_to_url_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior. -known_false_positives: This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment. +description: The following analytic detects a high volume of outbound web traffic, + specifically over 1GB of data sent to a URL within a 2-minute window. 
It leverages + the Web data model to identify significant uploads by analyzing the sum of bytes + out. This activity is significant as it may indicate potential data exfiltration + by malware or malicious insiders. If confirmed as malicious, this behavior could + lead to unauthorized data transfer, resulting in data breaches and loss of sensitive + information. Immediate investigation is required to determine the legitimacy of + the transfer and mitigate any potential threats. +search: '| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out + values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web + by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 + | `drop_dm_object_name("Web")`| `high_volume_of_bytes_out_to_url_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. + Please adjust the threshold for the sum of bytes out as per your environment and + user behavior. +known_false_positives: This search may trigger false positives if there is a legitimate + reason for a high volume of bytes out to a URL. We recommend to investigate these + findings. Consider updating the filter macro to exclude the applications that are + relevant to your environment. references: - https://attack.mitre.org/techniques/T1567/ - https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html 
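Review bot: the reflowed `description` says "over 1GB" while the `search` in the same hunk gates on `sum_bytes_out > 1070000000`, which is roughly 1 GiB rather than 1 GB; either say "roughly 1 GiB" or pick a threshold that matches the prose. Two typos are carried into the new lines: `relavent` (relevant) in `how_to_implement` and `We recommend to investigate` (`We recommend investigating`) in `known_false_positives`.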
@@ -21,44 +37,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A high volume of bytes out to a URL $url$ was detected from src $src$ to + dest $dest$. + risk_objects: + - field: src + type: system + score: 9 + threat_objects: + - field: dest + type: ip_address tags: analytic_story: - Data Exfiltration asset_type: Endpoint - confidence: 30 - impact: 30 - message: A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$. 
mitre_attack_id: - T1567 - observable: - - name: src - type: IP Address - role: - - Victim - - name: dest - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 9 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml index f88aa46263..772a5c62b0 100644 --- a/detections/web/hunting_for_log4shell.yml +++ b/detections/web/hunting_for_log4shell.yml 
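Review bot: in the @@ -21,44 +37,39 @@ hunk of the high_volume_of_bytes_out_to_url detection, the new `rba.risk_objects` entry types `src` as `system` while the removed `observable` entry typed the same field as `IP Address`; `Web.src` from proxy or web-server logs is normally an IP, so confirm that `system` is the intended risk object type (it is what ES will use for asset lookup) and that `dest`, which the search builds with `values(Web.dest) as dest` and can therefore be multi-valued within a 2-minute span, is appropriate as the `ip_address` threat object.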
@@ -1,16 +1,40 @@ name: Hunting for Log4Shell id: 158b68fa-5d1a-11ec-aac8-acde48001122 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches. +description: The following analytic detects potential exploitation attempts of the + Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific + patterns. It leverages the Web Datamodel and evaluates various indicators such as + the presence of `{jndi:`, environment variables, and common URI paths. This detection + is significant as Log4Shell allows remote code execution, posing a severe threat + to systems. If confirmed malicious, attackers could gain unauthorized access, execute + arbitrary code, and potentially compromise sensitive data, leading to extensive + damage and data breaches. 
data_source: - Nginx Access -search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) | eval keywords = 
if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`' -how_to_implement: Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against. -known_false_positives: It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering. 
+search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) + | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) + | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) + | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") + OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, + "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) + | eval keywords = 
if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) + | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ + /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, + "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, + jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, + lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, + all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw + | `hunting_for_log4shell_filter`' +how_to_implement: Out of the box, the Web datamodel is required to be pre-filled. + However, tested was performed against raw httpd access logs. Change the first line + to any dataset to pass the regex's against. +known_false_positives: It is highly possible you will find false positives, however, + the base score is set to 2 for _any_ jndi found in raw logs. 
tune and change as + needed, include any filtering. references: - https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72 - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449 @@ -24,35 +48,20 @@ tags: - Log4Shell CVE-2021-44228 - CISA AA22-320A asset_type: Web Server - confidence: 50 cve: - CVE-2021-44228 - impact: 80 - message: Hunting for Log4Shell exploitation has occurred. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - _raw - risk_score: 40 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml index 19bdfc3646..9c15e51f48 100644 --- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml +++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml 
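Review bot: the `keywords` regex in the reflowed `search` of the Hunting for Log4Shell hunk (@@ -1,16 +1,40 @@) carries over a defect: the alternative `\$\{spring\:profiles.active[0]` is missing its closing `\}` and the unescaped `[0]` is a character class, so it matches `${spring:profiles.active0` rather than the literal `${spring:profiles.active[0]}`; escape it as `\$\{spring\:profiles.active\[0\]\}`. The same regex lists `\$\{docker\:containerId\}` twice, and in `env_var` the alternatives `env:AWS_ACCESS_KEY_ID` and `env:AWS_SECRET_ACCESS_KEY` are subsumed by the preceding `match(_raw, "env:")`, so they add nothing. Since `how_to_implement` is rewritten here anyway, "tested was performed" should read "testing was performed" and "regex's" should be "regexes", and the second sentence of `known_false_positives` should start with a capital: "Tune and change as needed".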
@@ -1,16 +1,32 @@ name: Ivanti Connect Secure Command Injection Attempts id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. 
+description: The following analytic identifies attempts to exploit the CVE-2023-46805 + and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests + to specific URIs that leverage command injection to execute arbitrary commands. + The detection uses the Web datamodel to monitor for these requests and checks for + a 200 OK response, indicating a successful exploit attempt. This activity is significant + as it can lead to unauthorized command execution on the server. If confirmed malicious, + attackers could gain control over the system, leading to potential data breaches + or further network compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") + Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, + Web.url, Web.http_method, Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. 
references: - https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml @@ -24,9 +40,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: cve: - CVE-2023-46805 
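Review bot: in the @@ -1,16 +1,32 @@ hunk of ivanti_connect_secure_command_injection_attempts.yml, the rewritten `description` still says the analytic "detects POST requests", but the `search` in the same hunk matches `Web.http_method IN ("POST", "GET")`; either update the description to say POST and GET requests or narrow the method filter, so the documented behaviour matches the query.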
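Review bot: in the @@ -24,9 +40,21 @@ hunk of ivanti_connect_secure_command_injection_attempts.yml, the new `rba` block leaves `threat_objects: []` even though the search groups by `Web.src`, while the sibling SSRF detection in this same change registers `src` as an `ip_address` threat object; for consistency add `- field: src` / `type: ip_address` here too, unless `src` is intentionally excluded, in which case a short note in `how_to_implement` would help.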
@@ -36,30 +64,17 @@ tags: - CISA AA24-241A asset_type: VPN Appliance atomic_guid: [] - confidence: 90 - impact: 100 - message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 90 - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml index 6ecc2fbd69..5647cfa8a7 100644 --- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml +++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml 
@@ -1,16 +1,32 @@ name: Ivanti Connect Secure SSRF in SAML Component id: 8e6ca490-7af3-4299-9a24-39fb69759925 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. 
+description: The following analytic identifies POST requests targeting endpoints vulnerable + to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data + model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, + and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that + received an HTTP 200 OK response, indicating successful execution. This activity + is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially + allowing attackers to access internal services or sensitive data. If confirmed malicious, + this could lead to unauthorized access and data exfiltration. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") + Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, + Web.status, Web.http_method | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the HTTP Status is removed, as most failed attempts + result in a 301. It's recommended to review the context of the alerts and adjust + the analytic parameters to better fit the specific environment. references: - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two 
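Review bot: the `Web.url` pattern `"*/dana-na/auth/saml-logout.cgi/*"` in the reflowed `search` of ivanti_connect_secure_ssrf_in_saml_component.yml requires a `/` after `.cgi`, so a request to exactly `/dana-na/auth/saml-logout.cgi` or to `/dana-na/auth/saml-logout.cgi?...` will not match, whereas the `description` lists the endpoint without any trailing path; the other three patterns end in `.ws*`, so `"*/dana-na/auth/saml-logout.cgi*"` would be consistent with them and with the description.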
@@ -20,9 +36,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2024-21893 against $dest$ from $src$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2024-21893 
@@ -30,36 +60,17 @@ tags: - Ivanti Connect Secure VPN Vulnerabilities asset_type: VPN Appliance atomic_guid: [] - confidence: 90 - impact: 90 - message: Possible exploitation of CVE-2024-21893 against $dest$ from $src$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url - - Web.status - - Web.http_method security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml index bb63cf082c..8ca110a5e3 100644 --- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml +++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml 
@@ -1,16 +1,32 @@ name: Ivanti Connect Secure System Information Access via Auth Bypass id: d51c13dd-a232-4c83-a2bb-72ab36233c5d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Suricata -description: The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. 
+description: The following analytic identifies attempts to exploit the CVE-2023-46805 + and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests + to the /api/v1/totp/user-backup-code/../../system/system-information URI, which + leverage an authentication bypass to access system information. The detection uses + the Web datamodel to identify requests with a 200 OK response, indicating a successful + exploit attempt. This activity is significant as it reveals potential unauthorized + access to sensitive system information. If confirmed malicious, attackers could + gain critical insights into the system, facilitating further exploitation and compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" + Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml 
@@ -21,9 +37,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: cve: - CVE-2023-46805 
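Review bot: in this @@ -21,9 +37,21 @@ hunk of ivanti_connect_secure_system_information_access_via_auth_bypass.yml, `rba.threat_objects` is left empty (`[]`) although the search groups by `Web.src`; the SSRF detection in the same change registers `src` as an `ip_address` threat object, so either add `- field: src` / `type: ip_address` here or document why the source address is not treated as a threat object for this analytic.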
@@ -33,30 +61,17 @@ tags: - CISA AA24-241A asset_type: VPN Appliance atomic_guid: [] - confidence: 80 - impact: 90 - message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml index a4f1ea918a..0531367b9e 100644 --- a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml +++ b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml 
@@ -1,16 +1,42 @@ name: Ivanti EPM SQL Injection Remote Code Execution id: e20564ca-c86c-4e30-acdb-a8486673426f -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-11-15' author: Michael Haag type: TTP status: production data_source: - Suricata -description: This detection identifies potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824. The vulnerability, which has a CVSS score of 9.8, allows for remote code execution through the `RecordGoodApp` function in the `PatchBiz.dll` file. An attacker can exploit this vulnerability by manipulating the `goodApp.md5` value in an HTTP POST request to the `/WSStatusEvents/EventHandler.asmx` endpoint, leading to unauthorized command execution on the server. Monitoring for unusual SQL commands and HTTP requests to this endpoint can help identify exploitation attempts. Note that, the detection is focused on the URI path, HTTP method and status code of 200, indicating potential exploitation. To properly identify if this was successful, TLS inspection and additional network traffic analysis is required as the xp_cmdshell comes in via the request body. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/WSStatusEvents/EventHandler.asmx") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epm_sql_injection_remote_code_execution_filter`' -how_to_implement: The detection is based on monitoring HTTP POST requests to the `/WSStatusEvents/EventHandler.asmx` endpoint with a status code of 200. The detection is focused on the URI path, HTTP method, and status code, which can indicate potential exploitation of the CVE-2024-29824 vulnerability. 
To implement this detection, ensure that you have enabled the necessary data sources and are ingesting HTTP traffic data. The detection can be implemented using Splunk Enterprise Security and Splunk Cloud with the provided search query. The search query should be scheduled to run at regular intervals to detect potential exploitation attempts. Additionally, consider implementing TLS inspection or network traffic analysis (IDS/IPS) to identify successful exploitation attempts. -known_false_positives: False positives are not expected, as this detection is based on monitoring HTTP POST requests to a specific endpoint with a status code of 200. However, ensure that legitimate requests to the `/WSStatusEvents/EventHandler.asmx` endpoint are accounted for in the environment to avoid false positives. +description: This detection identifies potential exploitation of a critical SQL injection + vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824. The + vulnerability, which has a CVSS score of 9.8, allows for remote code execution through + the `RecordGoodApp` function in the `PatchBiz.dll` file. An attacker can exploit + this vulnerability by manipulating the `goodApp.md5` value in an HTTP POST request + to the `/WSStatusEvents/EventHandler.asmx` endpoint, leading to unauthorized command + execution on the server. Monitoring for unusual SQL commands and HTTP requests to + this endpoint can help identify exploitation attempts. Note that, the detection + is focused on the URI path, HTTP method and status code of 200, indicating potential + exploitation. To properly identify if this was successful, TLS inspection and additional + network traffic analysis is required as the xp_cmdshell comes in via the request + body. 
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/WSStatusEvents/EventHandler.asmx") Web.http_method=POST Web.status=200 + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ivanti_epm_sql_injection_remote_code_execution_filter`' +how_to_implement: The detection is based on monitoring HTTP POST requests to the `/WSStatusEvents/EventHandler.asmx` + endpoint with a status code of 200. The detection is focused on the URI path, HTTP + method, and status code, which can indicate potential exploitation of the CVE-2024-29824 + vulnerability. To implement this detection, ensure that you have enabled the necessary + data sources and are ingesting HTTP traffic data. The detection can be implemented + using Splunk Enterprise Security and Splunk Cloud with the provided search query. + The search query should be scheduled to run at regular intervals to detect potential + exploitation attempts. Additionally, consider implementing TLS inspection or network + traffic analysis (IDS/IPS) to identify successful exploitation attempts. +known_false_positives: False positives are not expected, as this detection is based + on monitoring HTTP POST requests to a specific endpoint with a status code of 200. + However, ensure that legitimate requests to the `/WSStatusEvents/EventHandler.asmx` + endpoint are accounted for in the environment to avoid false positives. references: - https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29824 
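Review bot: the only functional change in this hunk is `drop_dm_object_name(Web)` becoming `drop_dm_object_name("Web")`; the rest is a reflow, so while the text is being rewritten anyway, fix the grammar carried over in `description`: "Note that, the detection is focused" should lose the comma, and "TLS inspection and additional network traffic analysis is required" should read "are required". The `by` clause also still has `Web.status Web.http_method` with no comma between them while every other field is comma separated; SPL accepts it, but it reads like a dropped separator.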
@@ -21,43 +47,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential exploitation of a critical SQL injection vulnerability in Ivanti + Endpoint Manager (EPM), identified as CVE-2024-29824 against $dest$. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: [] tags: analytic_story: - Ivanti EPM Vulnerabilities asset_type: Web Server - confidence: 80 - impact: 100 - message: Potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824 against $dest$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype - risk_score: 80 security_domain: network cve: - CVE-2024-29824 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log sourcetype: suricata source: suricata diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml index 1129976167..358098f043 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml 
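Review bot: `threat_objects: []` in the new `rba` block leaves `src` out even though the search groups by `Web.src`; the Ivanti Sentry and Jenkins detections in this same patch map `src` to a `- field: src` / `type: ip_address` threat object, so consider doing the same here (the removed `observable` list also omitted it, so this is a pre-existing gap the migration preserves rather than introduces). `score: 80` agrees with the removed `confidence: 80` and `impact: 100`. The `data:` URL moved onto a continuation line is still a valid YAML plain scalar, but keeping dataset URLs on one line keeps them greppable.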
@@ -1,16 +1,33 @@ name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 id: 66b9c9ba-7fb2-4e80-a3a2-496e5e078167 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects attempts to exploit CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. It identifies HTTP requests to the endpoint "/mifs/aad/api/v2/authorized/users?*" with a status code of 200 in web logs. This activity is significant as it indicates unauthorized remote access to restricted functionalities or resources. If confirmed malicious, this could lead to data theft, unauthorized modifications, or further system compromise, necessitating immediate action to mitigate potential severe impacts. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mifs/aad/api/v2/authorized/users?*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`' -how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -known_false_positives: The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. 
+description: The following analytic detects attempts to exploit CVE-2023-35078, a + vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. It identifies + HTTP requests to the endpoint "/mifs/aad/api/v2/authorized/users?*" with a status + code of 200 in web logs. This activity is significant as it indicates unauthorized + remote access to restricted functionalities or resources. If confirmed malicious, + this could lead to data theft, unauthorized modifications, or further system compromise, + necessitating immediate action to mitigate potential severe impacts. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/mifs/aad/api/v2/authorized/users?*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`' +how_to_implement: To implement this analytic, a network product similar to Suricata + or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work + with your products. +known_false_positives: The Proof of Concept exploit script indicates that status=200 + is required for successful exploitation of the vulnerability. False positives may + be present if status=200 is removed from the search. If it is removed,then the + search also alert on status=301 and status=404 which indicates unsuccessful exploitation + attempts. Analysts may find it useful to hunt for these status codes as well, but + it is likely to produce a significant number of alerts as this is a widespread vulnerability. references: - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py 
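Review bot: `known_false_positives` reproduces the typo "If it is removed,then the search also alert on" (missing space after the comma, and "alert" should be "alerts"); since the whole block is being reflowed, correct it in the same change. The `search` change is limited to quoting the datamodel name in `drop_dm_object_name("Web")`, consistent with the other files in this patch.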
@@ -20,9 +37,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Ivanti EPMM Remote Unauthenticated Access 
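Review bot: `score: 64` matches the removed `confidence: 80` / `impact: 80` pair (80 x 80 / 100), but as in the Ivanti EPM file `threat_objects: []` drops any attacker-side object although the search groups by `Web.src`; a `- field: src` / `type: ip_address` entry, as used for Ivanti Sentry and Jenkins in this patch, would keep the source address in the risk event.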
@@ -30,33 +59,18 @@ tags: cve: - CVE-2023-35078 atomic_guid: [] - confidence: 80 - impact: 80 - message: Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml index 2366ae376f..a12e81e4e8 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml 
@@ -1,16 +1,35 @@ name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 id: e03edeba-4942-470c-a664-27253f3ad351 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products. It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access. This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications. If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mifs/asfV3/api/v2/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`' -how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -known_false_positives: Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. 
Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. +description: The following analytic detects potential unauthorized access attempts + exploiting CVE-2023-35082 within Ivanti's software products. It identifies access + to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web + access logs, indicating successful unauthorized access. This activity is significant + for a SOC as it highlights potential security breaches that could lead to unauthorized + data access or system modifications. If confirmed malicious, an attacker could gain + unbridled access to sensitive organizational data or modify systems maliciously, + posing severe security risks. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/mifs/asfV3/api/v2/*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`' +how_to_implement: To implement this analytic, a network product similar to Suricata + or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work + with your products. +known_false_positives: Similar to CVE-2023-35078, the path for exploitation indicates + that status=200 is required for successful exploitation of the vulnerability. False + positives may be present if status=200 is removed from the search. If it is removed,then + the search also alert on status=301 and status=404 which indicates unsuccessful + exploitation attempts. Analysts may find it useful to hunt for these status codes + as well, but it is likely to produce a significant number of alerts as this is a + widespread vulnerability. 
references: - https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py @@ -21,9 +40,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Ivanti EPMM Remote Unauthenticated Access 
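Review bot: the second reference in the CVE-2023-35082 detection still points at the CVE-2023-35078 proof of concept (`vchan-in/CVE-2023-35078-Exploit-POC/.../cve_2023_35078_poc.py`); confirm that link is intended for CVE-2023-35082 or replace it with the matching reference. The same "removed,then the search also alert" typo from the 35078 file appears in `known_false_positives` here and should be fixed while the text is being reflowed. In the `rba` hunk on this line, `score: 64` matches the old confidence/impact values, but `threat_objects: []` again omits `src` even though the search groups by `Web.src`.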
@@ -31,33 +62,18 @@ tags: cve: - CVE-2023-35082 atomic_guid: [] - confidence: 80 - impact: 80 - message: Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_sentry_authentication_bypass.yml b/detections/web/ivanti_sentry_authentication_bypass.yml index c4fbbd95cb..3f13c71a17 100644 --- a/detections/web/ivanti_sentry_authentication_bypass.yml +++ b/detections/web/ivanti_sentry_authentication_bypass.yml 
@@ -1,16 +1,33 @@ name: Ivanti Sentry Authentication Bypass id: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic identifies unauthenticated access attempts to the System Manager Portal in Ivanti Sentry, exploiting CVE-2023-38035. It detects this activity by monitoring HTTP requests to specific endpoints ("/mics/services/configservice/*", "/mics/services/*", "/mics/services/MICSLogService*") with a status code of 200. This behavior is significant for a SOC as it indicates potential unauthorized access, which could lead to OS command execution as root. If confirmed malicious, this activity could result in significant system compromise and data breaches, especially if port 8443 is exposed to the internet. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`' -how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -known_false_positives: It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt. 
+description: The following analytic identifies unauthenticated access attempts to + the System Manager Portal in Ivanti Sentry, exploiting CVE-2023-38035. It detects + this activity by monitoring HTTP requests to specific endpoints ("/mics/services/configservice/*", + "/mics/services/*", "/mics/services/MICSLogService*") with a status code of 200. + This behavior is significant for a SOC as it indicates potential unauthorized access, + which could lead to OS command execution as root. If confirmed malicious, this activity + could result in significant system compromise and data breaches, especially if port + 8443 is exposed to the internet. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") + Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, + Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`' +how_to_implement: To implement this analytic, a network product similar to Suricata + or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work + with your products. +known_false_positives: It is important to note that false positives may occur if the + search criteria are expanded beyond the HTTP status code 200. In other words, if + the search includes other HTTP status codes, the likelihood of encountering false + positives increases. This is due to the fact that HTTP status codes other than 200 + may not necessarily indicate a successful exploitation attempt. references: - https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py - https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/ 
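Review bot: in the `search`, the `Web.url IN (...)` list contains `"/mics/services/*"`, which already matches both `"/mics/services/configservice/*"` and `"/mics/services/MICSLogService*"`, so the two specific patterns are redundant; either drop them, or drop the wildcard if the intent is to restrict the detection to those two endpoints. There is also a missing space after the comma before `"/mics/services/MICSLogService*"`, which the reflow preserved.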
@@ -21,9 +38,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-38035 against $dest$. + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Ivanti Sentry Authentication Bypass CVE-2023-38035 
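Review bot: `score: 45` is consistent with the removed `confidence: 50` / `impact: 90`, and `src` is carried over as an `ip_address` threat object. Since `src` is now a threat object, consider including it in `rba.message` (for example "Possible exploitation of CVE-2023-38035 against $dest$ from $src$"), as the Jenkins detection in this patch does, so the risk event shows the source without a drilldown.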
@@ -31,38 +62,17 @@ tags: - CVE-2023-38035 asset_type: Network atomic_guid: [] - confidence: 50 - impact: 90 - message: Possible exploitation of CVE-2023-38035 against $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log source: suricata sourcetype: suricata diff --git a/detections/web/java_class_file_download_by_java_user_agent.yml b/detections/web/java_class_file_download_by_java_user_agent.yml index 22c7358708..a4f4ce619f 100644 --- a/detections/web/java_class_file_download_by_java_user_agent.yml +++ b/detections/web/java_class_file_download_by_java_user_agent.yml 
@@ -1,17 +1,23 @@ name: Java Class File download by Java User Agent id: 8281ce42-5c50-11ec-82d2-acde48001122 -version: 4 -date: '2024-10-16' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. It leverages web or proxy logs within the Web Datamodel to detect this activity. This behavior is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, potentially leading to remote code execution and further compromise of the affected system. +description: The following analytic identifies a Java user agent performing a GET + request for a .class file from a remote site. It leverages web or proxy logs within + the Web Datamodel to detect this activity. This behavior is significant as it may + indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). + If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, + potentially leading to remote code execution and further compromise of the affected + system. 
data_source: - Splunk Stream HTTP -search: '| tstats `security_content_summariesonly` count from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET" - Web.url="*.class*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length - Web.src, Web.dest | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`' +search: '| tstats `security_content_summariesonly` count from datamodel=Web where + Web.http_user_agent="*Java*" Web.http_method="GET" Web.url="*.class*" by Web.http_user_agent + Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`' how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict 
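Review bot: the `search` pipes into `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the `tstats` only computes `count`, so `firstTime` and `lastTime` never exist; add `min(_time) as firstTime max(_time) as lastTime` after `count`, as the other detections in this patch do, or drop the two macros. The defect is pre-existing, but this hunk rewrites the whole search string. The `by` list also mixes separators (`Web.url,Web.url_length Web.src`), which should be normalised to commas.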
@@ -25,46 +31,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve + a remote class file. + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: + - field: http_user_agent + type: http_user_agent tags: analytic_story: - Log4Shell CVE-2021-44228 asset_type: Web Server - confidence: 50 cve: - CVE-2021-44228 - impact: 80 - message: A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: http_user_agent - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 40 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log source: stream:http sourcetype: stream:http diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml index 2d19cff4ad..8dd7dab448 100644 --- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml +++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml 
@@ -1,16 +1,29 @@ name: Jenkins Arbitrary File Read CVE-2024-23897 id: c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Nginx Access -description: The following analytic identifies attempts to exploit Jenkins Arbitrary File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing "*/cli?remoting=false*" with a 200 status code. This activity is significant as it indicates potential unauthorized access to sensitive files on the Jenkins server, such as credentials and private keys. If confirmed malicious, this could lead to severe data breaches, unauthorized access, and further exploitation within the environment. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source. -known_false_positives: False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment. +description: The following analytic identifies attempts to exploit Jenkins Arbitrary + File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing + "*/cli?remoting=false*" with a 200 status code. This activity is significant as + it indicates potential unauthorized access to sensitive files on the Jenkins server, + such as credentials and private keys. 
If confirmed malicious, this could lead to + severe data breaches, unauthorized access, and further exploitation within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, + Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to + your data source. +known_false_positives: False positives should be limited as this detection is based + on a specific URL path and HTTP status code. Adjust the search as necessary to fit + the environment. references: - https://github.com/projectdiscovery/nuclei-templates/pull/9025 - https://github.com/jenkinsci-cert/SECURITY-3314-3315 
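Review bot: `how_to_implement` reads "modify query to your data source"; "modify the query for your data source" is clearer, and the `by` clause has `Web.url Web.status` with no comma between them while the remaining fields are comma separated. Otherwise the only functional change in this hunk is the `drop_dm_object_name("Web")` quoting.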
@@ -25,9 +38,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2024-23897 
@@ -35,36 +62,17 @@ tags: - Jenkins Server Vulnerabilities asset_type: Web Server atomic_guid: [] - confidence: 90 - impact: 90 - message: Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url - - Web.status - - Web.http_method security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml index 3722884aeb..4fd44d2268 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml 
@@ -1,16 +1,33 @@ name: JetBrains TeamCity Authentication Bypass CVE-2024-27198 id: fbcc04c7-8a79-453c-b3a9-c232c423bdd4 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Suricata type: TTP status: production -description: The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url="*?jsp=*" AND Web.url="*;.jsp*") Web.status=200 Web.http_method=POST) OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`' -how_to_implement: The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs. -known_false_positives: False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. 
Monitor, filter and tune as needed based on organization log sources. +description: The following analytic identifies attempts to exploit the JetBrains TeamCity + Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST + requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which + are indicative of attempts to create new administrator users or generate admin access + tokens without authentication. This detection leverages the Web datamodel and CIM-compliant + log sources, such as Nginx or TeamCity logs. This activity is significant as it + can lead to full control over the TeamCity server, including all projects, builds, + agents, and artifacts. If confirmed malicious, attackers could gain unauthorized + administrative access, leading to severe security breaches. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where ((Web.url="*?jsp=*" AND Web.url="*;.jsp*") Web.status=200 Web.http_method=POST) + OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") + Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, + Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`' +how_to_implement: The detection relies on the Web datamodel and a CIM compliant log + source, that may include Nginx, TeamCity logs, or other web server logs. +known_false_positives: False positives are not expected, as this detection is based + on the presence of specific URI paths and HTTP methods that are indicative of the + CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based + on organization log sources. 
references: - https://github.com/projectdiscovery/nuclei-templates/pull/9279/files - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ 
@@ -23,47 +40,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt + against $dest$ from $src$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - JetBrains TeamCity Vulnerabilities asset_type: Web Server - confidence: 90 - impact: 90 - message: Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url - - Web.status - - Web.http_method - - sourcetype - - source - risk_score: 81 security_domain: network cve: - CVE-2024-27198 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log sourcetype: suricata source: suricata diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml index cb2b785167..7aa9431f75 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml 
@@ -1,16 +1,32 @@ name: JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 id: fbcc04c7-8a79-453c-b3a9-c232c423bdd3 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Suricata type: TTP status: production -description: The following analytic detects attempts to exploit the CVE-2024-27198 vulnerability in JetBrains TeamCity on-premises servers, which allows attackers to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints. This activity is significant because it can lead to unauthorized administrative access, enabling attackers to gain full control over the TeamCity server, including projects, builds, agents, and artifacts. If confirmed malicious, this could result in severe security breaches and compromise the integrity of the development environment. -search: '`suricata` ((http.url="*?jsp=*" AND http.url="*;.jsp*") http.status=200 http_method=POST) OR (http.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`' -how_to_implement: The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -known_false_positives: False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. 
+description: The following analytic detects attempts to exploit the CVE-2024-27198 + vulnerability in JetBrains TeamCity on-premises servers, which allows attackers + to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to + identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` + endpoints. This activity is significant because it can lead to unauthorized administrative + access, enabling attackers to gain full control over the TeamCity server, including + projects, builds, agents, and artifacts. If confirmed malicious, this could result + in severe security breaches and compromise the integrity of the development environment. +search: '`suricata` ((http.url="*?jsp=*" AND http.url="*;.jsp*") http.status=200 http_method=POST) + OR (http.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") + http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) + as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`' +how_to_implement: The following detection relies on the Suricata TA and ensuring it + is properly configured to monitor HTTP traffic. Modify the query for your environment + and log sources as needed. +known_false_positives: False positives are not expected, as this detection is based + on the presence of specific URI paths and HTTP methods that are indicative of the + CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based + on organization log sources. references: - https://github.com/projectdiscovery/nuclei-templates/pull/9279/files - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ 
@@ -22,45 +38,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ + from $src$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - JetBrains TeamCity Vulnerabilities asset_type: Web Server - confidence: 90 - impact: 90 - message: Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src - - dest - - http.http_user_agent - - http.url - - http.status - - http_method - risk_score: 81 security_domain: network cve: - CVE-2024-27198 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log sourcetype: suricata source: suricata diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml index 094ff34444..d1f5a7e239 100644 --- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml +++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml 
@@ -1,16 +1,37 @@ name: JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 id: a1e68dcd-2e24-4434-bd0e-b3d4de139d58 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Suricata type: TTP status: production -description: The following analytic identifies attempts to exploit CVE-2024-27199, a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated access to specific endpoints. It detects unusual access patterns to vulnerable paths such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic logs via Suricata. This activity is significant as it could indicate an attacker bypassing authentication to access or modify system settings. If confirmed malicious, this could lead to unauthorized changes, disclosure of sensitive information, or uploading of malicious certificates, severely compromising the server's security. -search: '`suricata` http.url IN ("*../admin/diagnostic.jsp*", "*../app/https/settings/*", "*../app/pipeline*", "*../app/oauth/space/createBuild.html*", "*../res/*", "*../update/*", "*../.well-known/acme-challenge/*", "*../app/availableRunners*", "*../app/https/settings/setPort*", "*../app/https/settings/certificateInfo*", "*../app/https/settings/defaultHttpsPort*", "*../app/https/settings/fetchFromAcme*", "*../app/https/settings/removeCertificate*", "*../app/https/settings/uploadCertificate*", "*../app/https/settings/termsOfService*", "*../app/https/settings/triggerAcmeChallenge*", "*../app/https/settings/cancelAcmeChallenge*", "*../app/https/settings/getAcmeOrder*", "*../app/https/settings/setRedirectStrategy*") http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`' -how_to_implement: The 
following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -known_false_positives: False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives. +description: The following analytic identifies attempts to exploit CVE-2024-27199, + a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated + access to specific endpoints. It detects unusual access patterns to vulnerable paths + such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic + logs via Suricata. This activity is significant as it could indicate an attacker + bypassing authentication to access or modify system settings. If confirmed malicious, + this could lead to unauthorized changes, disclosure of sensitive information, or + uploading of malicious certificates, severely compromising the server's security. 
+search: '`suricata` http.url IN ("*../admin/diagnostic.jsp*", "*../app/https/settings/*", + "*../app/pipeline*", "*../app/oauth/space/createBuild.html*", "*../res/*", "*../update/*", + "*../.well-known/acme-challenge/*", "*../app/availableRunners*", "*../app/https/settings/setPort*", + "*../app/https/settings/certificateInfo*", "*../app/https/settings/defaultHttpsPort*", + "*../app/https/settings/fetchFromAcme*", "*../app/https/settings/removeCertificate*", + "*../app/https/settings/uploadCertificate*", "*../app/https/settings/termsOfService*", + "*../app/https/settings/triggerAcmeChallenge*", "*../app/https/settings/cancelAcmeChallenge*", + "*../app/https/settings/getAcmeOrder*", "*../app/https/settings/setRedirectStrategy*") + http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) + as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`' +how_to_implement: The following detection relies on the Suricata TA and ensuring it + is properly configured to monitor HTTP traffic. Modify the query for your environment + and log sources as needed. +known_false_positives: False positives are not expected, however, monitor, filter, + and tune as needed based on organization log sources. The analytic is restricted + to 200 and GET requests to specific URI paths, which should limit false positives. references: - https://github.com/projectdiscovery/nuclei-templates/blob/f644ec82dfe018890c6aa308967424d26c0f1522/http/cves/2024/CVE-2024-27199.yaml - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ 
@@ -22,45 +43,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible JetBrains TeamCity Limited Authentication Bypass Attempt against + $dest$ from $src$. + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - JetBrains TeamCity Vulnerabilities asset_type: Web Server - confidence: 70 - impact: 90 - message: Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - src - - dest - - http_user_agent - - http.url - - http.status - - http_method - risk_score: 63 security_domain: network cve: - CVE-2024-27199 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27199.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27199.log sourcetype: suricata source: suricata diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml index bac8cbf0d8..f478aa2c0c 100644 --- a/detections/web/jetbrains_teamcity_rce_attempt.yml +++ b/detections/web/jetbrains_teamcity_rce_attempt.yml 
@@ -1,16 +1,29 @@ name: JetBrains TeamCity RCE Attempt id: 89a58e5f-1365-4793-b45c-770abbb32b6c -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises. It identifies suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it may indicate an unauthenticated attacker attempting to gain administrative access via Remote Code Execution (RCE). If confirmed malicious, this could allow the attacker to execute arbitrary code, potentially compromising the entire TeamCity environment and leading to further unauthorized access and data breaches. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/app/rest/users/id:1/tokens/RPC2*") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`' -how_to_implement: The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -known_false_positives: If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment. +description: The following analytic detects attempts to exploit the CVE-2023-42793 + vulnerability in JetBrains TeamCity On-Premises. It identifies suspicious POST requests + to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific + URL patterns and HTTP methods. 
This activity is significant as it may indicate an + unauthenticated attacker attempting to gain administrative access via Remote Code + Execution (RCE). If confirmed malicious, this could allow the attacker to execute + arbitrary code, potentially compromising the entire TeamCity environment and leading + to further unauthorized access and data breaches. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/app/rest/users/id:1/tokens/RPC2*") Web.status=200 Web.http_method=POST + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`' +how_to_implement: The following analytic requires the Web datamodel. Ensure data source + is mapped correctly or modify and tune for your data source. +known_false_positives: If TeamCity is not in use, this analytic will not return results. + Monitor and tune for your environment. references: - https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/ - https://www.sonarsource.com/blog/teamcity-vulnerability/ 
@@ -22,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on + $dest$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-42793 
@@ -34,37 +62,17 @@ tags: - JetBrains TeamCity Vulnerabilities asset_type: Web Server atomic_guid: [] - confidence: 90 - impact: 90 - message: Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$. mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity.log source: suricata sourcetype: suricata diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml index 92dc8ebb92..833be2b428 100644 --- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml +++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml 
@@ -1,16 +1,34 @@ name: Juniper Networks Remote Code Execution Exploit Detection id: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`' -how_to_implement: To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products. -known_false_positives: Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. 
If the request is benign, add the URL to the whitelist or continue to monitor. +description: The following analytic detects attempts to exploit a remote code execution + vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, + which are indicative of uploading and executing malicious PHP files. This detection + leverages the Web data model, focusing on specific URL patterns and HTTP status + codes. This activity is significant because it signals an attempt to gain unauthorized + access and execute arbitrary code on the device. If confirmed malicious, the attacker + could gain control over the device, leading to data theft, network compromise, or + other severe consequences. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `juniper_networks_remote_code_execution_exploit_detection_filter`' +how_to_implement: To implement this search, ensure that the Web data model is populated. + The search is activated when the Web data model is accelerated. Network products, + such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the + mapping as necessary to suit your specific products. +known_false_positives: Be aware of potential false positives - legitimate uses of + the /webauth_operation.php endpoint may cause benign activities to be flagged.The + URL in the analytic is specific to a successful attempt to exploit the vulnerability. + Review contents of the HTTP body to determine if the request is malicious. If the + request is benign, add the URL to the whitelist or continue to monitor. 
references: - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml @@ -24,9 +42,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: This analytic has identified a potential exploitation of a remote code + execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ + used for the exploit. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: url + type: url tags: analytic_story: - Juniper JunOS Remote Code Execution 
@@ -37,18 +71,6 @@ tags: - CVE-2023-36847 asset_type: Web Server atomic_guid: [] - confidence: 80 - impact: 90 - message: This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit. - observable: - - name: dest - type: Hostname - role: - - Victim - - name: url - type: URL String - role: - - Attacker mitre_attack_id: - T1190 - T1105 @@ -57,20 +79,11 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log source: suricata sourcetype: suricata diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml index 5cec66ffc9..5ec2d50d5e 100644 --- a/detections/web/log4shell_jndi_payload_injection_attempt.yml +++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml 
@@ -1,16 +1,28 @@ name: Log4Shell JNDI Payload Injection Attempt id: c184f12e-5c90-11ec-bf1f-497c9a704a72 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Jose Hernandez status: production type: Anomaly -description: The following analytic identifies attempts to inject Log4Shell JNDI payloads via web calls. It leverages the Web datamodel and uses regex to detect patterns like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity is significant because it targets vulnerabilities in Java web applications using Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to full system compromise. Immediate investigation is required to determine if the attempt was successful and to mitigate any potential exploitation. +description: The following analytic identifies attempts to inject Log4Shell JNDI payloads + via web calls. It leverages the Web datamodel and uses regex to detect patterns + like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity + is significant because it targets vulnerabilities in Java web applications using + Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow + attackers to execute arbitrary code, potentially leading to full system compromise. + Immediate investigation is required to determine if the attempt was successful and + to mitigate any potential exploitation. data_source: - Nginx Access -search: '| from datamodel Web.Web | regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?" 
| fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -known_false_positives: If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. +search: '| from datamodel Web.Web | regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?" + | fillnull | stats count by action, category, dest, dest_port, http_content_type, + http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | + `log4shell_jndi_payload_injection_attempt_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache or Splunk for Nginx. +known_false_positives: If there is a vulnerablility scannner looking for log4shells + this will trigger, otherwise likely to have low false positives. references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ drilldown_searches: 
@@ -19,55 +31,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: CVE-2021-44228 Log4Shell triggered for host $dest$ + risk_objects: + - field: user + type: user + score: 15 + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Log4Shell CVE-2021-44228 - CISA AA22-257A - CISA AA22-320A asset_type: Endpoint - confidence: 30 cve: - CVE-2021-44228 - impact: 50 - message: CVE-2021-44228 Log4Shell triggered for host $dest$ mitre_attack_id: - T1190 - T1133 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - action - - category - - dest - - dest_port - - http_content_type - - http_method - 
- http_referrer - - http_user_agent - - site - - src - - url - - url_domain - - user - risk_score: 15 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log source: nginx sourcetype: nginx:plus:kv diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml index ea36371aff..a1baf2c02e 100644 --- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml +++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml 
@@ -1,15 +1,30 @@ name: Log4Shell JNDI Payload Injection with Outbound Connection id: 69afee44-5c91-11ec-bf1f-497c9a704a72 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Jose Hernandez status: production type: Anomaly -description: The following analytic detects Log4Shell JNDI payload injections via outbound connections. It identifies suspicious LDAP lookup functions in web logs, such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic to known malicious IP addresses. This detection leverages the Web and Network_Traffic data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities in Java web applications using log4j, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise sensitive data within the affected environment. +description: The following analytic detects Log4Shell JNDI payload injections via + outbound connections. It identifies suspicious LDAP lookup functions in web logs, + such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic + to known malicious IP addresses. This detection leverages the Web and Network_Traffic + data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities + in Java web applications using log4j, potentially leading to remote code execution. + If confirmed malicious, attackers could gain unauthorized access, execute arbitrary + code, and compromise sensitive data within the affected environment. 
data_source: [] -search: '| from datamodel Web.Web | rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?[a-zA-Z0-9\.\-\_\$]+)" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -known_false_positives: If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. +search: '| from datamodel Web.Web | rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?[a-zA-Z0-9\.\-\_\$]+)" + | join affected_host type=inner [| tstats `security_content_summariesonly` count + min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic + by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull + | stats count by action, category, dest, dest_port, http_content_type, http_method, + http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Apache or Splunk for Nginx. 
+known_false_positives: If there is a vulnerablility scannner looking for log4shells + this will trigger, otherwise likely to have low false positives. references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ drilldown_searches: 
@@ -18,57 +33,47 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: CVE-2021-44228 Log4Shell triggered for host $dest$ + risk_objects: + - field: user + type: user + score: 15 + - field: dest + type: system + score: 15 + threat_objects: [] tags: analytic_story: - Log4Shell CVE-2021-44228 - CISA AA22-320A asset_type: Endpoint - confidence: 30 cve: - CVE-2021-44228 - impact: 50 - message: CVE-2021-44228 Log4Shell triggered for host $dest$ mitre_attack_id: - T1190 - T1133 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - action - - category - - dest - - dest_port - - http_content_type - - http_method - - http_referrer 
- - http_user_agent - - site - - src - - url - - url_domain - - user - risk_score: 15 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log source: nginx sourcetype: nginx:plus:kv - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.log source: stream:Splunk_IP sourcetype: stream:ip diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml index 052198c091..be8d1c5663 100644 --- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml +++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml 
@@ -1,16 +1,30 @@ name: Microsoft SharePoint Server Elevation of Privilege id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859d -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts. This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment. If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint. -known_false_positives: False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +description: The following analytic detects potential exploitation attempts against + Microsoft SharePoint Server vulnerability CVE-2023-29357. 
It leverages the Web datamodel + to monitor for specific API calls and HTTP methods indicative of privilege escalation + attempts. This activity is significant as it may indicate an attacker is trying + to gain unauthorized privileged access to the SharePoint environment. If confirmed + malicious, the impact could include unauthorized access to sensitive data, potential + data theft, and further compromise of the SharePoint server, leading to a broader + security breach. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*") Web.status=200 + Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, + Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Microsoft SharePoint. +known_false_positives: False positives may occur if there are legitimate activities + that mimic the exploitation pattern. It's recommended to review the context of the + alerts and adjust the analytic parameters to better fit the specific environment. references: - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ - https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs 
@@ -20,9 +34,23 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$. + risk_objects: + - field: dest + type: system + score: 45 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-29357 
@@ -30,39 +58,17 @@ tags: - Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 asset_type: Web Server atomic_guid: [] - confidence: 50 - impact: 90 - message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$. mitre_attack_id: - T1068 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 45 - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - - Web.status - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log source: suricata sourcetype: suricata diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml index 01fbd59181..650b5c9f48 100644 --- a/detections/web/monitor_web_traffic_for_brand_abuse.yml +++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml 
@@ -1,35 +1,41 @@ name: Monitor Web Traffic For Brand Abuse id: 134da869-e264-4a8f-8d7e-fcd0ec88f301 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: David Dorsey, Splunk status: experimental type: TTP -description: The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage. +description: The following analytic identifies web requests to domains that closely + resemble your monitored brand's domain, indicating potential brand abuse. It leverages + data from web traffic sources, such as web proxies or network traffic analysis tools, + and cross-references these with known domain permutations generated by the "ESCU + - DNSTwist Domain Names" search. This activity is significant as it can indicate + phishing attempts or other malicious activities targeting your brand. If confirmed + malicious, attackers could deceive users, steal credentials, or distribute malware, + leading to significant reputational and financial damage. data_source: [] -search: '| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`' -how_to_implement: You need to ingest data from your web traffic. 
This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. +search: '| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) + as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`' +how_to_implement: You need to ingest data from your web traffic. This can be accomplished + by indexing data from a web proxy, or using a network traffic analysis tool, such + as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain + Names", which creates the permutations of the domain that will be checked for. known_false_positives: None at this time references: [] +rba: + message: Potential Brand Abus discovered in web logs + risk_objects: + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Brand Monitoring asset_type: Endpoint - confidence: 50 - impact: 50 - message: tbd - observable: - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.url - - Web.src - risk_score: 25 security_domain: network diff --git a/detections/web/multiple_archive_files_http_post_traffic.yml b/detections/web/multiple_archive_files_http_post_traffic.yml index 1b33d2eb8c..725f31561f 100644 --- a/detections/web/multiple_archive_files_http_post_traffic.yml +++ b/detections/web/multiple_archive_files_http_post_traffic.yml 
@@ -1,15 +1,29 @@ name: Multiple Archive Files Http Post Traffic id: 4477f3ea-a28f-11eb-b762-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Teoderick Contreras, Splunk status: production type: TTP -description: "The following analytic detects the high-frequency exfiltration of archive files via HTTP POST requests. It leverages HTTP stream logs to identify specific archive file headers within the request body. This activity is significant as it often indicates data exfiltration by APTs or trojan spyware after data collection. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive data to an attacker\u2019s command and control server, potentially resulting in severe data breaches and loss of confidential information." +description: The following analytic detects the high-frequency exfiltration of archive + files via HTTP POST requests. It leverages HTTP stream logs to identify specific + archive file headers within the request body. This activity is significant as it + often indicates data exfiltration by APTs or trojan spyware after data collection. + If confirmed malicious, this behavior could lead to the unauthorized transfer of + sensitive data to an attacker’s command and control server, potentially resulting + in severe data breaches and loss of confidential information. 
data_source: - Splunk Stream HTTP -search: '`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = "7z" OR archive_hdr1 = "PK" OR archive_hdr2="Rar!") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration. +search: '`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | + eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body + min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method + http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where + count >20 AND (archive_hdr1 = "7z" OR archive_hdr1 = "PK" OR archive_hdr2="Rar!") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the stream HTTP logs or network logs that catch network traffic. Make + sure that the http-request-body, payload, or request field is enabled in stream + http configuration. known_false_positives: Normal archive transfer via HTTP protocol may trip this detection. references: - https://attack.mitre.org/techniques/T1560/001/ 
@@ -21,49 +35,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A http post $http_method$ sending packet with possible archive bytes header + in uri path $uri_path$ + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: url + type: url tags: analytic_story: - Data Exfiltration - Command And Control asset_type: Endpoint - confidence: 50 - impact: 50 - message: A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$ mitre_attack_id: - T1048.003 - T1048 - observable: - - name: src_ip - type: IP Address - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_method - - http_user_agent - - 
uri_path - - url - - bytes_in - - bytes_out - - archive_hdr1 - - archive_hdr2 - - form_data - risk_score: 25 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/archive_http_post/stream_http_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/archive_http_post/stream_http_events.log source: stream sourcetype: stream:http diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml index 138580f5a6..16a623f265 100644 --- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml 
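Review bot: the new `rba.message` ("A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$") interpolates `$http_method$` even though the `search` pins it to POST, and is not a sentence. Suggest "An HTTP POST from $src_ip$ to $dest_ip$ ($uri_path$) carried a body beginning with an archive file header." so the risk event names both endpoints the stats `by` clause already yields. For the same reason `dest_ip` (type ip_address) is a natural second `threat_objects` entry next to `url`.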
@@ -1,16 +1,34 @@ name: Nginx ConnectWise ScreenConnect Authentication Bypass id: b3f7a803-e802-448b-8eb2-e796b223bccc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Nginx Access type: TTP status: production -description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via alternate paths or channels. It leverages Nginx access logs to identify web requests to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected ScreenConnect instance, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended. -search: '`nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter`' -how_to_implement: To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx. -known_false_positives: False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. 
Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via + alternate paths or channels. It leverages Nginx access logs to identify web requests + to the SetupWizard.aspx page, indicating potential exploitation. This activity is + significant as it can lead to unauthorized administrative access and remote code + execution. If confirmed malicious, attackers could create administrative users and + gain full control over the affected ScreenConnect instance, posing severe security + risks. Immediate remediation by updating to version 23.9.8 or above is recommended. +search: '`nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") + status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as + lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, + source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `nginx_connectwise_screenconnect_authentication_bypass_filter`' +how_to_implement: To implement this analytic, ensure proper logging is occurring with + Nginx, access.log and error.log, and that these logs are being ingested into Splunk. + STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec + to properly log as much data with Nginx. +known_false_positives: False positives are not expected, as the detection is based + on the presence of web requests to the SetupWizard.aspx page, which is not a common + page to be accessed by legitimate users. Note that the analytic is limited to HTTP + POST and a status of 200 to reduce false positives. Modify the query as needed to + reduce false positives or hunt for additional indicators of compromise. 
references: - https://docs.splunk.com/Documentation/AddOns/released/NGINX/Sourcetypes - https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec 
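Review bot: apart from the version/date bump this hunk is a whitespace-only reflow, but while the scalars are being rewritten one wording fix is worth making: `description` and `known_false_positives` both describe the detection as matching "the SetupWizard.aspx page", whereas the `search` matches two patterns, `*/SetupWizard.aspx/*` and `*/SetupWizard/`. The prose should name both so a reader tuning the `nginx_connectwise_screenconnect_authentication_bypass_filter` macro knows which paths are in scope.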
@@ -23,39 +41,32 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An authentication bypass attempt against ScreenConnect has been detected + on $dest$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: [] tags: analytic_story: - ConnectWise ScreenConnect Vulnerabilities asset_type: Web Proxy - confidence: 100 - impact: 100 - message: An authentication bypass attempt against ScreenConnect has been detected on $dest$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - src - - dest - - http_user_agent - - url - - uri_path - - status - - http_method - - sourcetype - - source - risk_score: 100 security_domain: network cve: - CVE-2024-1708 @@ -63,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log sourcetype: nginx:plus:kv source: nginx:plus:kv diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml index 35ebd34bdb..ca301d7f70 100644 --- a/detections/web/papercut_ng_remote_web_access_attempt.yml +++ b/detections/web/papercut_ng_remote_web_access_attempt.yml 
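Review bot: `threat_objects: []` in the new `rba` block discards attacker attribution that the `search` already produces: it groups by `src` and `http_user_agent`, and the Spring4Shell file later in this same patch shows the intended shape (`- field: src` / `type: ip_address`). Populate it here too, otherwise the risk event on `$dest$` carries no source address and the analyst has to re-run the drilldown to find it.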
@@ -1,15 +1,30 @@ name: PaperCut NG Remote Web Access Attempt id: 9fcb214a-dc42-4ce7-a650-f1d2cab16a6a -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges. This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server. If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise. -search: '| tstats count from datamodel=Web where Web.url IN ("/app?service=page/SetupCompleted", "/app", "/app?service=page/PrinterList", "/app?service=direct/1/PrinterList/selectPrinter&sp=*", "/app?service=direct/1/PrinterDetails/printerOptionsTab.tab") NOT (src IN ("10.*.*.*","172.16.*.*", "192.168.*.*", "169.254.*.*", "127.*.*.*", "fc00::*", "fd00::*", "fe80::*")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. +description: The following analytic detects potential exploitation attempts on publicly + accessible PaperCut NG servers. 
It identifies connections from public IP addresses + to the server, specifically monitoring URI paths commonly used in proof-of-concept + scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web + traffic data from the `Web` datamodel, focusing on specific URI paths and excluding + internal IP ranges. This activity is significant as it may indicate an attempt to + exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized + access or control of the server. If confirmed malicious, attackers could gain administrative + access, leading to data breaches or further network compromise. +search: '| tstats count from datamodel=Web where Web.url IN ("/app?service=page/SetupCompleted", + "/app", "/app?service=page/PrinterList", "/app?service=direct/1/PrinterList/selectPrinter&sp=*", + "/app?service=direct/1/PrinterDetails/printerOptionsTab.tab") NOT (src IN ("10.*.*.*","172.16.*.*", + "192.168.*.*", "169.254.*.*", "127.*.*.*", "fc00::*", "fd00::*", "fe80::*")) by + Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port + sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. known_false_positives: False positives may be present, filter as needed. references: - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability 
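Review bot: the `NOT (src IN (...))` clause in the tstats `where` references bare `src` rather than `Web.src`, so the internal-range exclusion that `description` promises ("excluding internal IP ranges") is not applied to the data model field; since this hunk rewrites the whole `search` scalar, change it to `NOT (Web.src IN (...))` now. Two smaller items on the same line: `security_content_ctime(firstTime)` / `(lastTime)` operate on fields the tstats never computes (only `count` is requested; add `min(_time) as firstTime max(_time) as lastTime`), and `drop_dm_object_name(Web)` became `drop_dm_object_name("Web")`, a functional edit hidden inside a whitespace reflow that the commit message should call out. `how_to_implement` still reads "relavent".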
@@ -23,43 +38,38 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: URIs specific to PaperCut NG have been access by a public IP against $dest$. + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: [] tags: analytic_story: - PaperCut MF NG Vulnerability asset_type: Web Server atomic_guid: [] - confidence: 70 - impact: 90 - message: URIs specific to PaperCut NG have been access by a public IP against $dest$. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 63 - required_fields: - - _time - - Web.http_user_agent - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log source: suricata sourcetype: suricata diff --git a/detections/web/plain_http_post_exfiltrated_data.yml b/detections/web/plain_http_post_exfiltrated_data.yml index 96955b1d68..f94dbe9139 100644 --- a/detections/web/plain_http_post_exfiltrated_data.yml +++ b/detections/web/plain_http_post_exfiltrated_data.yml 
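Review bot: `rba.message` has a grammar slip ("have been access by" should be "have been accessed by"), and `threat_objects: []` drops the public source IP that is the whole premise of the detection; the `search` already groups by `Web.src`, so add `- field: src` / `type: ip_address` as the Spring4Shell file in this patch does.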
@@ -1,15 +1,28 @@ name: Plain HTTP POST Exfiltrated Data id: e2b36208-a364-11eb-8909-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration. +description: The following analytic detects potential data exfiltration using plain + HTTP POST requests. It leverages network traffic logs, specifically monitoring the + `stream_http` data source for POST methods containing suspicious form data such + as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly + associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, + which use plain text HTTP POST requests to communicate with remote C2 servers. If + confirmed malicious, this activity could lead to unauthorized data exfiltration, + compromising sensitive information and potentially leading to further network infiltration. 
data_source: - Splunk Stream HTTP -search: '`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. +search: '`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", + "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*") |stats values(form_data) + as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip + dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the stream HTTP logs or network logs that catch network traffic. Make + sure that the http-request-body, payload, or request field is enabled. known_false_positives: unknown references: - https://blog.talosintelligence.com/2020/03/trickbot-primer.html 
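Review bot: `known_false_positives: unknown` is hard to square with the `search` patterns `"*ipconfig*"` and `"*net view*"`, which are plain substring wildcards over `form_data` and will match any form body that mentions those commands (help-desk tickets, pasted console output). State that explicitly and point at the `plain_http_post_exfiltrated_data_filter` macro for exclusions; the quoted multipart field names `name=\"proclist\"` and `name=\"sysinfo\"` are the higher-fidelity indicators in the list and `description` could say so.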
@@ -19,42 +32,39 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A http post $http_method$ sending packet with plain text of information + in uri path $uri_path$ + risk_objects: + - field: src_ip + type: system + score: 63 + threat_objects: [] tags: analytic_story: - Data Exfiltration - Command And Control asset_type: Endpoint - confidence: 90 - impact: 70 - message: A http post $http_method$ sending packet with plain text of information in uri path $uri_path$ mitre_attack_id: - T1048.003 - T1048 - observable: - - name: src_ip - type: IP Address - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_method - - http_user_agent - - uri_path - - url - - bytes_in - - bytes_out - risk_score: 63 security_domain: network tests: 
- name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log source: stream sourcetype: stream:http diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml index 3b8628a558..e6a6098d09 100644 --- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml +++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml 
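Review bot: as in the archive detection above, `rba.message` interpolates `$http_method$` although the `search` fixes it to POST, and "sending packet with plain text of information" is not a sentence; suggest "An HTTP POST from $src_ip$ to $dest_ip$ ($uri_path$) carried plain-text host or process information in its body." `threat_objects: []` could carry `dest_ip` (ip_address) and `url` (url), both of which the stats `by` clause already yields.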
@@ -1,15 +1,40 @@ name: ProxyShell ProxyNotShell Behavior Detected id: c32fab32-6aaf-492d-bfaf-acbed8e50cdf -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Correlation -description: The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access. +description: The following analytic identifies potential exploitation of Windows Exchange + servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation + activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. + It leverages data from multiple analytic stories, requiring at least five distinct + sources to trigger, thus reducing noise. This activity is significant as it indicates + a high likelihood of an active compromise, potentially leading to unauthorized access, + privilege escalation, and persistent threats within the environment. If confirmed + malicious, attackers could gain control over the Exchange server, exfiltrate data, + and maintain long-term access. 
data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`' -how_to_implement: To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior. -known_false_positives: False positives will be limited, however tune or modify the query as needed. 
+search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from + datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") + OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt + Strike") All_Risk.risk_object_type="system" by _time span=1h All_Risk.risk_object + All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`' +how_to_implement: To implement this correlation, you will need to enable ProxyShell, + ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure + proper data is being collected for Web and Endpoint datamodels. Run the correlation + rule seperately to validate it is not triggering too much or generating incorrectly. + Validate by running ProxyShell POC code and Cobalt Strike behavior. +known_false_positives: False positives will be limited, however tune or modify the + query as needed. 
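Review bot: the `where` clause in the `search` is `A OR (A AND B)` with A = `All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")` and B = `All_Risk.analyticstories="Cobalt Strike"`, which reduces to A, so the Cobalt Strike condition that `description` and `how_to_implement` rely on never constrains the correlation; the only real gate is `where source_count >=5`. Either drop the redundant branch or, if the intent is "Proxy* story plus Cobalt Strike", test it after the stats on the multivalue `analyticstories` field rather than in the pre-aggregation filter. `how_to_implement` also still has "anaytics" and "seperately".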
references: - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ @@ -19,7 +44,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$risk_object$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
@@ -28,33 +58,18 @@ tags: - BlackByte Ransomware - ProxyNotShell asset_type: Web Server - confidence: 90 - impact: 90 - message: ProxyShell or ProxyNotShell activity has been identified on $risk_object$. mitre_attack_id: - T1190 - T1133 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source - risk_score: 81 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log source: proxyshell sourcetype: stash - update_timestamp: true diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml index 0a2f31fe02..1ba92e50e9 100644 --- a/detections/web/spring4shell_payload_url_request.yml +++ b/detections/web/spring4shell_payload_url_request.yml 
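Review bot: this hunk removes `confidence`, `impact`, `message`, `observable` and `risk_score: 81` without adding an `rba` block, unlike every TTP detection in this patch. If contentctl treats `type: Correlation` as non-risk-producing that is fine, but the commit message should say so, because the risk message "ProxyShell or ProxyNotShell activity has been identified on $risk_object$." disappears with it. The dropped `update_timestamp: true` on the test data is a second unexplained behavioural change to a test that replays `proxyshell-risk.log` into a search bucketed by `_time span=1h`; state why it is no longer needed.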
@@ -1,16 +1,28 @@ name: Spring4Shell Payload URL Request id: 9d44d649-7d67-4559-95c1-8022ff49420b -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22963) by identifying specific URL patterns associated with web shell payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs containing indicators like "tomcatwar.jsp," "poc.jsp," and "shell.jsp." This activity is significant as it suggests an attacker is trying to deploy a web shell, which can lead to remote code execution. If confirmed malicious, this could allow the attacker to gain persistent access, execute arbitrary commands, and potentially escalate privileges within the compromised environment. +description: The following analytic detects attempts to exploit the Spring4Shell vulnerability + (CVE-2022-22963) by identifying specific URL patterns associated with web shell + payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs + containing indicators like "tomcatwar.jsp," "poc.jsp," and "shell.jsp." This activity + is significant as it suggests an attacker is trying to deploy a web shell, which + can lead to remote code execution. If confirmed malicious, this could allow the + attacker to gain persistent access, execute arbitrary commands, and potentially + escalate privileges within the compromised environment. 
data_source: - Nginx Access -search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -known_false_positives: The jsp file names are static names used in current proof of concept code. = +search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url + IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method, + Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. +known_false_positives: The jsp file names are static names used in current proof of + concept code. = references: - https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/ - https://github.com/TheGejr/SpringShell 
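Review bot: `description` cites CVE-2022-22963, but the file's own `cve` tag and `analytic_story` (visible in the next hunk) say CVE-2022-22965 and the Microsoft reference in `references` is for CVE-2022-22965; since this hunk rewrites the description, correct the identifier. In the same hunk: `known_false_positives` still ends with a stray " =", `security_content_ctime(firstTime)` / `(lastTime)` are applied to fields this tstats never produces (only `count`), and `drop_dm_object_name(Web)` became `drop_dm_object_name("Web")`, a functional edit hidden inside a whitespace reflow.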
@@ -21,49 +33,43 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A URL was requested related to Spring4Shell POC code on $dest$ by $src$. + risk_objects: + - field: dest + type: system + score: 36 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Spring4Shell CVE-2022-22965 asset_type: Web Server - confidence: 60 cve: - CVE-2022-22965 - impact: 60 - message: A URL was requested related to Spring4Shell POC code on $dest$ by $src$. 
mitre_attack_id: - T1505.003 - T1505 - T1190 - T1133 - observable: - - name: dest - type: IP Address - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 36 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml index 704e49b237..baeaf5e239 100644 --- a/detections/web/sql_injection_with_long_urls.yml +++ b/detections/web/sql_injection_with_long_urls.yml 
@@ -1,42 +1,56 @@ name: SQL Injection with Long URLs id: e0aad4cf-0790-423b-8328-7564d0d938f9 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic detects long URLs containing multiple SQL commands, indicating a potential SQL injection attack. This detection leverages web traffic data, specifically targeting web server destinations with URLs longer than 1024 characters or HTTP user agents longer than 200 characters. SQL injection is significant as it allows attackers to manipulate a web application's database, potentially leading to unauthorized data access or modification. If confirmed malicious, this activity could result in data breaches, unauthorized access, and complete system compromise. Immediate investigation and validation of alerts are crucial to mitigate these risks. +description: The following analytic detects long URLs containing multiple SQL commands, + indicating a potential SQL injection attack. This detection leverages web traffic + data, specifically targeting web server destinations with URLs longer than 1024 + characters or HTTP user agents longer than 200 characters. SQL injection is significant + as it allows attackers to manipulate a web application's database, potentially leading + to unauthorized data access or modification. If confirmed malicious, this activity + could result in data breaches, unauthorized access, and complete system compromise. + Immediate investigation and validation of alerts are crucial to mitigate these risks. 
data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(Web)` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, "xp_cmdshell")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table. -known_false_positives: It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate. 
+search: '| tstats `security_content_summariesonly` count from datamodel=Web where + Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length + > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name("Web")` + | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + + mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, + "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, + "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) + + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, + "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, + "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) + + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, + "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) + + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, + "xp_cmdshell")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring + network communications to your web servers or ingesting your HTTP logs and populating + the Web data model. You must also identify your web servers in the Enterprise Security + assets table. +known_false_positives: It's possible that legitimate traffic will have long URLs or + long user agent strings and that common SQL commands may be found within the URL. + Please investigate as appropriate. 
references: [] +rba: + message: SQL injection attempt with url $url$ detected on $dest$ + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - SQL Injection asset_type: Database Server - confidence: 50 - impact: 50 - message: SQL injection attempt with url $url$ detected on $dest$ mitre_attack_id: - T1190 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.dest_category - - Web.url_length - - Web.http_user_agent_length - - Web.src - - Web.dest - - Web.url - - Web.http_user_agent - risk_score: 25 security_domain: network diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml index f34d8d78d0..d2ddb7e2ec 100644 --- a/detections/web/supernova_webshell.yml +++ b/detections/web/supernova_webshell.yml 
@@ -1,48 +1,52 @@ name: Supernova Webshell id: 2ec08a09-9ff1-4dac-b59f-1efd57972ec1 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: John Stoner, Splunk status: experimental type: TTP -description: The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections. +description: The following analytic detects the presence of the Supernova webshell, + used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection + leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", + "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". + This activity is significant as it indicates potential unauthorized access and arbitrary + code execution on a compromised system. If confirmed malicious, this could lead + to data theft, ransomware deployment, or other severe outcomes. Immediate steps + include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent + processes and network connections. 
data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. -known_false_positives: There might be false positives associted with this detection since items like args as a web argument is pretty generic. +search: '| tstats `security_content_summariesonly` count from datamodel=Web.Web where + web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR + Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by + Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s + | `supernova_webshell_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring + web traffic to your Solarwinds Orion. The logs should be ingested into splunk and + populating/mapped to the Web data model. +known_false_positives: There might be false positives associted with this detection + since items like args as a web argument is pretty generic. 
references: - https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html - https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/ +rba: + message: Potential Supernova Webshell on $dest$ + risk_objects: + - field: user + type: user + score: 25 + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - NOBELIUM Group asset_type: Web Server - confidence: 50 - impact: 50 - message: tbd mitre_attack_id: - T1505.003 - T1133 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.url - - Web.src - - Web.dest - - Web.vendor_product - - Web.user - - Web.http_user_agent - risk_score: 25 security_domain: network diff --git a/detections/web/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml index 3126377481..ecb890838d 100644 --- a/detections/web/unusually_long_content_type_length.yml +++ b/detections/web/unusually_long_content_type_length.yml 
@@ -1,53 +1,50 @@ name: Unusually Long Content-Type Length id: 57a0a2bf-353f-40c1-84dc-29293f3c35b7 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches. +description: The following analytic identifies unusually long strings in the Content-Type + HTTP header sent by the client to the server. It uses data from the Stream:HTTP + source, specifically evaluating the length of the `cs_content_type` field. This + activity is significant because excessively long Content-Type headers can indicate + attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed + malicious, this behavior could allow attackers to execute code, manipulate data, + or bypass security controls, potentially leading to unauthorized access or data + breaches. 
data_source: [] search: >- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type - | `drop_dm_object_name("Web")` - | eval http_content_type_length = len(http_content_type) - | where http_content_type_length > 100 - | table firstTime lastTime src dest http_content_type_length http_content_type url http_user_agent - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `unusually_long_content_type_length_filter` + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type + | `drop_dm_object_name("Web")` | eval http_content_type_length = len(http_content_type) | + where http_content_type_length > 100 + | table firstTime lastTime src dest http_content_type_length http_content_type url + http_user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unusually_long_content_type_length_filter` how_to_implement: This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. known_false_positives: Very few legitimate Content-Type fields will have a length greater than 100 characters. 
references: [] +rba: + message: Unusually Long Content-Type Length ($http_content_type_length$ characters) + In Web Request from $src$ + risk_objects: + - field: dest + type: system + score: 25 + - field: src + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Apache Struts Vulnerability asset_type: Web Server - confidence: 50 - impact: 50 - message: Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$ - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - cs_content_type - - endtime - - src_ip - - dest_ip - - url - risk_score: 25 security_domain: network diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml index ac2bbbb2cc..bcad5a1335 100644 --- a/detections/web/vmware_aria_operations_exploit_attempt.yml +++ b/detections/web/vmware_aria_operations_exploit_attempt.yml 
@@ -1,16 +1,30 @@ name: VMWare Aria Operations Exploit Attempt id: d5d865e4-03e6-43da-98f4-28a4f42d4df7 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Palo Alto Network Threat -description: The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint "/saas./resttosaasservlet." This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. -known_false_positives: False positives will be present based on gateways in use, modify the status field as needed. +description: The following analytic detects potential exploitation attempts against + VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. + It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint + "/saas./resttosaasservlet." 
This detection leverages web traffic data, focusing + on specific URL patterns and HTTP methods. Identifying this behavior is crucial + for a SOC as it indicates an active exploit attempt. If confirmed malicious, the + attacker could execute arbitrary code, leading to unauthorized access, data theft, + or further network compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status + IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, + Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. Restrict to specific dest assets to reduce false positives. +known_false_positives: False positives will be present based on gateways in use, modify + the status field as needed. references: - https://nvd.nist.gov/vuln/detail/CVE-2023-20887 - https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30 
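Review bot: the reflowed description in detections/web/vmware_aria_operations_exploit_attempt.yml still calls the product `VMWare vRealize Network Insight` while the detection name and analytic story say Aria Operations; the GreyNoise reference in the same hunk tags it as `vmware-aria-operations-for-networks`, which is the renamed vRealize Network Insight. Either say that in the description or use one name consistently so analysts searching for either term find the analytic. The search change itself is only the `drop_dm_object_name("Web")` quoting and line wrapping, which matches the other files in the patch.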
@@ -22,49 +36,45 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An exploitation attempt has occurred against $dest$ from $src$ related + to CVE-2023-20887 + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: src + type: ip_address tags: - CVE: + cve: - CVE-2023-20887 analytic_story: - VMware Aria Operations vRealize CVE-2023-20887 asset_type: Web Server atomic_guid: [] - confidence: 80 - impact: 90 - message: An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887 mitre_attack_id: - T1133 - T1190 - T1210 - T1068 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - 
required_fields: - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log source: pan:threat sourcetype: pan:threat diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml index b023872ca1..202f0e3626 100644 --- a/detections/web/vmware_server_side_template_injection_hunt.yml +++ b/detections/web/vmware_server_side_template_injection_hunt.yml 
@@ -1,16 +1,31 @@ name: VMware Server Side Template Injection Hunt id: 5796b570-ad12-44df-b1b5-b7e6ae3aabb0 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. +description: The following analytic identifies potential server-side template injection + attempts related to CVE-2022-22954. It detects suspicious URL patterns containing + "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" + using web or proxy logs within the Web Datamodel. This activity is significant as + it may indicate an attempt to exploit a known vulnerability in VMware, potentially + leading to remote code execution. If confirmed malicious, attackers could gain unauthorized + access, execute arbitrary code, and compromise the affected system, posing a severe + security risk. 
data_source: - Palo Alto Network Threat -search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*deviceudid=*" AND Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. +search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*deviceudid=*" + AND Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") + by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest + sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: False positives may be present if the activity is blocked or + was not successful. Filter known vulnerablity scanners. Filter as needed. references: - https://www.cisa.gov/uscert/ncas/alerts/aa22-138b - https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb 
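Review bot: the rewrapped search in detections/web/vmware_server_side_template_injection_hunt.yml computes only `count` in `| tstats count from datamodel=Web ...` but then pipes into `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, so those macros operate on fields that do not exist; add `min(_time) as firstTime max(_time) as lastTime` to the tstats or remove the two macros. Since `known_false_positives` is being rewritten here, fix `vulnerablity` to `vulnerability` as well.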
@@ -22,36 +37,20 @@ tags: analytic_story: - VMware Server Side Injection and Privilege Escalation asset_type: Web Server - confidence: 50 cve: - CVE-2022-22954 - impact: 70 - message: An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 35 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml index 8c2b7fb38f..09e37d2b77 100644 --- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml +++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml 
@@ -1,16 +1,30 @@ name: VMware Workspace ONE Freemarker Server-side Template Injection id: 9e5726fe-8fde-460e-bd74-cddcf6c86113 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command. This activity is significant as it indicates potential exploitation attempts that could lead to remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network. +description: The following analytic detects server-side template injection attempts + related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs + to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with + the freemarker.template.utility.Execute command. This activity is significant as + it indicates potential exploitation attempts that could lead to remote code execution. + If confirmed malicious, an attacker could execute arbitrary commands on the server, + leading to full system compromise, data exfiltration, or further lateral movement + within the network. 
data_source: - Palo Alto Network Threat -search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" AND Web.url="*freemarker.template.utility.Execute*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. +search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" + AND Web.url="*freemarker.template.utility.Execute*" by Web.http_user_agent Web.http_method, + Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: False positives may be present if the activity is blocked or + was not successful. Filter known vulnerablity scanners. Filter as needed. 
references: - https://www.cisa.gov/uscert/ncas/alerts/aa22-138b - https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb 
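Review bot: in detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml the rewrapped search is still `| tstats count from datamodel=Web ...` followed by `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`; without `min(_time) as firstTime max(_time) as lastTime` in the tstats those macros have nothing to format, and for a production Anomaly that feeds RBA the first and last seen times belong in the event. Fix `vulnerablity` in `known_false_positives` while the line is open.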
@@ -23,43 +37,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on + $dest$ has occurred. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - VMware Server Side Injection and Privilege Escalation asset_type: Web Server - confidence: 70 cve: - CVE-2022-22954 - impact: 70 - message: An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log source: pan:threat sourcetype: pan:threat - update_timestamp: true diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml index 2e1ba341db..3aea7b2a94 100644 --- a/detections/web/web_jsp_request_via_url.yml +++ b/detections/web/web_jsp_request_via_url.yml 
@@ -1,16 +1,28 @@ name: Web JSP Request via URL id: 2850c734-2d44-4431-8139-1a56f6f54c01 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies URL requests associated with CVE-2022-22965 (Spring4Shell) exploitation attempts, specifically targeting webshell access on a remote webserver. It detects HTTP GET requests with URLs containing ".jsp?cmd=" or "j&cmd=" patterns. This activity is significant as it indicates potential webshell deployment, which can lead to unauthorized remote command execution. If confirmed malicious, attackers could gain control over the webserver, execute arbitrary commands, and potentially escalate privileges, leading to severe data breaches and system compromise. +description: The following analytic identifies URL requests associated with CVE-2022-22965 + (Spring4Shell) exploitation attempts, specifically targeting webshell access on + a remote webserver. It detects HTTP GET requests with URLs containing ".jsp?cmd=" + or "j&cmd=" patterns. This activity is significant as it indicates potential webshell + deployment, which can lead to unauthorized remote command execution. If confirmed + malicious, attackers could gain control over the webserver, execute arbitrary commands, + and potentially escalate privileges, leading to severe data breaches and system + compromise. data_source: - Nginx Access -search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*.jsp?cmd=*","*j&cmd=*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. 
-known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. +search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url + IN ("*.jsp?cmd=*","*j&cmd=*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length + Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. +known_false_positives: False positives may be present with legitimate applications. + Attempt to filter by dest IP or use Asset groups to restrict to servers. references: - https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/ - https://github.com/TheGejr/SpringShell 
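Review bot: In the rewritten `search:` of detections/web/web_jsp_request_via_url.yml, the `tstats` computes only `count`, so `firstTime` and `lastTime` never exist and the `security_content_ctime(firstTime)` / `security_content_ctime(lastTime)` macros that follow run on missing fields; since the line is being reflowed anyway, add `min(_time) as firstTime max(_time) as lastTime` after `count`, as the Remote ShellServlet search in this same change does. The `+how_to_implement` line also carries the misspelling `relavent` (relevant) over from the old text, and the `by` clause mixes comma-separated and space-separated field names (`Web.http_method, Web.url,Web.url_length Web.src, Web.dest`), which is worth normalising while touching it.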
@@ -21,49 +33,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious URL has been requested against $dest$ by $src$, related to + web shell activity. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Spring4Shell CVE-2022-22965 asset_type: Web Server - confidence: 80 cve: - CVE-2022-22965 - impact: 90 - message: A suspicious URL has been requested against $dest$ by $src$, related to web shell activity. 
mitre_attack_id: - T1505.003 - T1505 - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 72 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml index 753c3f7215..e6d6919549 100644 --- a/detections/web/web_remote_shellservlet_access.yml +++ b/detections/web/web_remote_shellservlet_access.yml 
@@ -1,16 +1,30 @@ name: Web Remote ShellServlet Access id: c2a332c3-24a2-4e24-9455-0e80332e6746 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Nginx Access -description: The following analytic identifies attempts to access the Remote ShellServlet on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 and CVE-2023-22515. It leverages web data to detect URLs containing "*plugins/servlet/com.jsos.shell/*" with a status code of 200. This activity is significant as it is commonly associated with web shells and other malicious behaviors, potentially leading to unauthorized command execution. If confirmed malicious, attackers could gain remote code execution capabilities, compromising the server and potentially the entire network. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*plugins/servlet/com.jsos.shell/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter`' -how_to_implement: This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic. -known_false_positives: False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives. +description: The following analytic identifies attempts to access the Remote ShellServlet + on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 + and CVE-2023-22515. 
It leverages web data to detect URLs containing "*plugins/servlet/com.jsos.shell/*" + with a status code of 200. This activity is significant as it is commonly associated + with web shells and other malicious behaviors, potentially leading to unauthorized + command execution. If confirmed malicious, attackers could gain remote code execution + capabilities, compromising the server and potentially the entire network. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*plugins/servlet/com.jsos.shell/*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `web_remote_shellservlet_access_filter`' +how_to_implement: This analytic necessitates the collection of web data, which can + be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web + Server. No additional configuration is required for this analytic. +known_false_positives: False positives may occur depending on the web server's configuration. + If the web server is intentionally configured to utilize the Remote ShellServlet, + then the detections by this analytic would not be considered true positives. references: - http://www.servletsuite.com/servlets/shell.htm drilldown_searches: 
@@ -19,46 +33,40 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to access the Remote ShellServlet on a web server was detected. + The source IP is $src$ and the destination hostname is $dest$. + risk_objects: + - field: dest + type: system + score: 81 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server asset_type: Web Server atomic_guid: [] - confidence: 90 - impact: 90 - message: An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$. 
mitre_attack_id: - T1190 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 81 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml index 321632df47..e7e91040c9 100644 --- a/detections/web/web_spring4shell_http_request_class_module.yml +++ b/detections/web/web_spring4shell_http_request_class_module.yml 
@@ -1,16 +1,30 @@ name: Web Spring4Shell HTTP Request Class Module id: fcdfd69d-0ca3-4476-920e-9b633cb4593e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects HTTP requests containing payloads related to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP data to inspect the HTTP request body and form data for specific fields such as "class.module.classLoader.resources.context.parent.pipeline.first". This activity is significant as it indicates an attempt to exploit a critical vulnerability in Spring Framework, potentially leading to remote code execution. If confirmed malicious, this could allow attackers to gain unauthorized access, execute arbitrary code, and compromise the affected system. +description: The following analytic detects HTTP requests containing payloads related + to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP + data to inspect the HTTP request body and form data for specific fields such as + "class.module.classLoader.resources.context.parent.pipeline.first". This activity + is significant as it indicates an attempt to exploit a critical vulnerability in + Spring Framework, potentially leading to remote code execution. If confirmed malicious, + this could allow attackers to gain unauthorized access, execute arbitrary code, + and compromise the affected system. 
data_source: - Splunk Stream HTTP -search: '`stream_http` http_method IN ("POST") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN ("*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*", "*class.module.classLoader.resources.context.parent.pipeline.first.pattern*","*suffix=.jsp*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. -known_false_positives: False positives may occur and filtering may be required. Restrict analytic to asset type. +search: '`stream_http` http_method IN ("POST") | stats values(form_data) as http_request_body + min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent + uri_path url bytes_in bytes_out | search http_request_body IN ("*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*", + "*class.module.classLoader.resources.context.parent.pipeline.first.pattern*","*suffix=.jsp*") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the stream HTTP logs or network logs that catch network traffic. Make + sure that the http-request-body, payload, or request field is enabled. +known_false_positives: False positives may occur and filtering may be required. Restrict + analytic to asset type. references: - https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py drilldown_searches: 
@@ -19,48 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A http body request related to Spring4Shell has been sent to $dest$ by + $src$. + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Spring4Shell CVE-2022-22965 asset_type: Web Server - confidence: 80 cve: - CVE-2022-22965 - impact: 90 - message: A http body request related to Spring4Shell has been sent to $dest$ by $src$. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - http_request_body - - http_method - - http_user_agent - - uri_path - - url - - bytes_in - - bytes_out - risk_score: 72 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log source: stream:http sourcetype: stream:http diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml index 5dd88043a4..8d690391ad 100644 --- a/detections/web/web_spring_cloud_function_functionrouter.yml +++ b/detections/web/web_spring_cloud_function_functionrouter.yml 
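Review bot: The new `rba.message` in detections/web/web_spring4shell_http_request_class_module.yml reads `A http body request related to Spring4Shell has been sent to $dest$ by $src$.`; since this string is what analysts see on the risk event, suggest `An HTTP request body related to Spring4Shell has been sent to $dest$ by $src$.` The score of 72 matches the removed `confidence: 80` and `impact: 90` (80 x 90 / 100), so the risk value is preserved by the migration.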
@@ -1,16 +1,28 @@ name: Web Spring Cloud Function FunctionRouter id: 89dddbad-369a-4f8a-ace2-2439218735bc -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies HTTP POST requests to the Spring Cloud Function endpoint containing "functionRouter" in the URL. It leverages the Web data model to detect these requests based on specific fields such as http_method, url, and http_user_agent. This activity is significant because it targets CVE-2022-22963, a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept exploits available. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system. +description: The following analytic identifies HTTP POST requests to the Spring Cloud + Function endpoint containing "functionRouter" in the URL. It leverages the Web data + model to detect these requests based on specific fields such as http_method, url, + and http_user_agent. This activity is significant because it targets CVE-2022-22963, + a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept + exploits available. If confirmed malicious, this activity could allow attackers + to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, + or further compromise of the affected system. 
data_source: - Splunk Stream HTTP -search: '| tstats count from datamodel=Web where Web.http_method IN ("POST") Web.url="*/functionRouter*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. +search: '| tstats count from datamodel=Web where Web.http_method IN ("POST") Web.url="*/functionRouter*" + by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest + Web.status sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic that include fields relavent for traffic into the `Web` datamodel. +known_false_positives: False positives may be present with legitimate applications. + Attempt to filter by dest IP or use Asset groups to restrict to servers. references: - https://github.com/rapid7/metasploit-framework/pull/16395 - https://github.com/hktalent/spring-spel-0day-poc 
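Review bot: Same defect as in web_jsp_request_via_url.yml: the rewritten `search:` in detections/web/web_spring_cloud_function_functionrouter.yml runs `tstats count` without `min(_time) as firstTime max(_time) as lastTime`, so the two `security_content_ctime` macros operate on fields that are never produced; add the min/max to the `tstats` or drop the macros. The `+how_to_implement` line again carries `relavent` (relevant). Separately, `data_source` lists `Splunk Stream HTTP` while the search reads from `datamodel=Web`; if the Web data model is what is actually required, the data source list should reflect that so the `how_to_implement` guidance and the data source agree.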
@@ -20,47 +32,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious URL has been requested against $dest$ by $src$, related to + a vulnerability in Spring Cloud. + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Spring4Shell CVE-2022-22965 asset_type: Web Server - confidence: 60 cve: - CVE-2022-22963 - impact: 70 - message: A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud. 
mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - Web.http_user_agent - risk_score: 42 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log source: stream:http sourcetype: stream:http diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml index 3a567064d0..9b10539657 100644 --- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml +++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml 
@@ -1,14 +1,24 @@ name: Windows Exchange Autodiscover SSRF Abuse id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-16' author: Michael Haag, Nathaniel Stearns, Splunk status: production type: TTP -description: The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network. +description: This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server. The detection focuses on identifying the SSRF attack patterns used in these exploit chains. The analytic monitors for suspicious POST requests to /autodiscover/autodiscover.json endpoints that may indicate attempts to enumerate LegacyDN attributes as part of initial reconnaissance. It also detects requests containing X-Rps-CAT parameters that could indicate attempts to impersonate Exchange users and access the PowerShell backend. Additionally, it looks for MAPI requests that may be used to obtain user SIDs, along with suspicious user agents (particularly Python-based) commonly used in automated exploit attempts. If successful, these attacks can lead to remote code execution as SYSTEM, allowing attackers to deploy webshells, access mailboxes, or gain persistent access to the Exchange server and potentially the broader network environment. 
data_source: - Windows IIS -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(Web)` | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover%"),1,0) | eval powershell = if(match(lower(uri_query),"powershell"), "1",0) | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`' +search: ' | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent + | `drop_dm_object_name("Web")` + | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover/autodiscover.json%"),1,0) + | eval has_rps_cat=if(like(lower(uri_query),"%x-rps-cat=%"),1,0) + | eval exchange_backend=if(like(lower(uri_query),"%/powershell/?%"),1,0) + | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) + | eval suspicious_agent=if(match(lower(http_user_agent), "python|urllib"),1,0) + | addtotals fieldname=Score is_autodiscover, has_rps_cat, exchange_backend, mapi, suspicious_agent + | where Score >= 3 + | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent + | `windows_exchange_autodiscover_ssrf_abuse_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. 
known_false_positives: False positives are limited. references: 
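Review bot: The rewritten `search:` in detections/web/windows_exchange_autodiscover_ssrf_abuse.yml narrows the status filter from `Web.status=200 OR Web.status=302 OR Web.status=401` to `Web.status=200`, so failed or redirected probes of `/autodiscover/autodiscover.json` that the previous version scored are no longer seen; if that is intentional, the new description (which still describes catching "initial reconnaissance") and `known_false_positives: False positives are limited.` should state that only successful requests are scored. On the same line, `min(_time) as firstTime max(_time) as lastTime` are still computed but the trailing `| fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent` discards them along with `count`, and the `security_content_ctime` macros were removed, so either add `firstTime, lastTime, count` to the `fields` list and restore the macros, or drop the min/max from the `tstats`. Finally, with five indicators and `where Score >= 3`, a request that hits only `autodiscover.json` plus `X-Rps-CAT=` scores 2 and will not fire unless the user agent matches `python|urllib`; confirm the proxyshell.log test dataset still yields results under the raised threshold before merging.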
@@ -21,56 +31,53 @@ references: - https://docs.splunk.com/Documentation/AddOns/released/MSIIS - https://highon.coffee/blog/ssrf-cheat-sheet/ - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ +- https://m365internals.com/2022/10/18/hunting-and-responding-to-proxyshell-attacks/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Activity related to ProxyShell or ProxyNotShell has been identified on + $dest$. Review events and take action accordingly. 
+ risk_objects: + - field: dest + type: system + score: 72 + threat_objects: [] tags: analytic_story: - ProxyShell - BlackByte Ransomware - ProxyNotShell asset_type: Web Server - confidence: 80 cve: - CVE-2021-34523 - CVE-2021-34473 - CVE-2021-31207 - CVE-2022-41040 - CVE-2022-41082 - impact: 90 - message: Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly. mitre_attack_id: - T1190 - T1133 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.src - - Web.status - - Web.uri_path - - Web.dest - - Web.http_method - - Web.uri_query - risk_score: 72 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log source: ms:iis:splunk sourcetype: ms:iis:splunk - update_timestamp: true diff --git a/detections/web/windows_iis_server_pswa_console_access.yml b/detections/web/windows_iis_server_pswa_console_access.yml index 679e532df2..70212b2e4e 100644 --- a/detections/web/windows_iis_server_pswa_console_access.yml +++ b/detections/web/windows_iis_server_pswa_console_access.yml 
@@ -1,54 +1,48 @@ name: Windows IIS Server PSWA Console Access id: 914ab191-fa8a-48cb-83a6-0565e061f934 -version: 2 -date: '2024-10-17' +version: 3 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Windows IIS type: Hunting status: production -description: This analytic detects access attempts to the PowerShell Web Access (PSWA) console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.dest IN ("/pswa/*") by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(Web)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_server_pswa_console_access_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. -known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity. +description: This analytic detects access attempts to the PowerShell Web Access (PSWA) + console on Windows IIS servers. It monitors web traffic for requests to PSWA-related + URIs, which could indicate legitimate administrative activity or potential unauthorized + access attempts. 
By tracking source IP, HTTP status, URI path, and HTTP method, + it helps identify suspicious patterns or brute-force attacks targeting PSWA. This + detection is crucial for maintaining the security of remote PowerShell management + interfaces and preventing potential exploitation of this powerful administrative + tool. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web where Web.dest IN ("/pswa/*") by Web.src Web.status + Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name("Web")`| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_server_pswa_console_access_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. + In addition, confirm the latest CIM App 4.20 or higher is installed. +known_false_positives: False positives may occur if legitimate PSWA processes are + used for administrative tasks. Careful review of the logs is recommended to distinguish + between legitimate and malicious activity. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a tags: analytic_story: - CISA AA24-241A asset_type: Web Server - confidence: 80 - impact: 40 - message: Access to the PowerShell Web Access (PSWA) console detected from $src$. 
mitre_attack_id: - T1190 - observable: - - name: src - type: IP Address - role: - - Attacker - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.src - - Web.status - - Web.uri_path - - Web.dest - - Web.http_method - - Web.uri_query - risk_score: 32 security_domain: network cve: [] tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log sourcetype: ms:iis:splunk source: ms:iis:splunk diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml index f7927dd9e4..4978d1782b 100644 --- a/detections/web/wordpress_bricks_builder_plugin_rce.yml +++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml 
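Review bot: In the windows_iis_server_pswa_console_access.yml hunk above, the `search` still filters on `Web.dest IN ("/pswa/*")` in both the old and the rewrapped line, but `Web.dest` in the Web data model is the destination host, not a request path, so a path pattern like `/pswa/*` is unlikely ever to match. The description says the analytic matches PSWA-related URIs, so the predicate belongs on `Web.uri_path` or `Web.url` (for example `Web.uri_path IN ("/pswa/*")`), both of which are already in the `by` clause; since `version` is being bumped to 3 anyway, this is the moment to fix it. Dropping `confidence`, `impact`, `message`, `observable` and `risk_score` without adding an `rba` block is consistent with `type: Hunting`.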
@@ -1,16 +1,31 @@ name: WordPress Bricks Builder plugin RCE id: 56a8771a-3fda-4959-b81d-2f266e2f679f -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Michael Haag, Splunk data_source: - Nginx Access type: TTP status: production -description: The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL path "/wp-json/bricks/v1/render_element" with a status code of 200, leveraging the Web datamodel. This activity is significant as it indicates an attempt to exploit CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the target server, leading to potential full system compromise and unauthorized access to sensitive data. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/wp-json/bricks/v1/render_element") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`' -how_to_implement: The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed. -known_false_positives: False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed. +description: The following analytic identifies potential exploitation of the WordPress + Bricks Builder plugin RCE vulnerability. 
It detects HTTP POST requests to the URL + path "/wp-json/bricks/v1/render_element" with a status code of 200, leveraging the + Web datamodel. This activity is significant as it indicates an attempt to exploit + CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed + malicious, an attacker could execute arbitrary commands on the target server, leading + to potential full system compromise and unauthorized access to sensitive data. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web where Web.url IN ("*/wp-json/bricks/v1/render_element") + Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, + Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`' +how_to_implement: The search is based on data in the Web datamodel and was modeled + from NGINX logs. Ensure that the Web datamodel is accelerated and that the data + source for the Web datamodel is properly configured. If using other web sources, + modify they query, or review the data, as needed. +known_false_positives: False positives may be possible, however we restricted it to + HTTP Status 200 and POST requests, based on the POC. Upon investigation review the + POST body for the actual payload - or command - being executed. references: - https://attack.mitre.org/techniques/T1190 - https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py 
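Review bot: The rewrapped `how_to_implement` in this hunk carries over the typo "modify they query"; since the line is being rewritten anyway, change it to "modify the query". Likewise "however we restricted it" in `known_false_positives` reads better as "however, we restricted it".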
@@ -23,48 +38,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability + on $dest$ by $src$. + risk_objects: + - field: dest + type: system + score: 100 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - WordPress Vulnerabilities asset_type: Web Server - confidence: 100 - impact: 100 - message: Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$. 
mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Web.src - - Web.dest - - Web.http_user_agent - - Web.url - - Web.status - - Web.http_method - - sourcetype - - source - risk_score: 100 security_domain: network cve: - CVE-2024-25600 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/wordpress/bricks_cve_2024_25600.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/wordpress/bricks_cve_2024_25600.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml index 79bb3d83b7..d4cf8f56d1 100644 --- a/detections/web/ws_ftp_remote_code_execution.yml +++ b/detections/web/ws_ftp_remote_code_execution.yml 
@@ -1,16 +1,30 @@ name: WS FTP Remote Code Execution id: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Michael Haag, Splunk status: production type: TTP data_source: - Suricata -description: The following analytic detects potential Remote Code Execution (RCE) attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status code of 200. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. This activity is significant as it may indicate an exploitation attempt, potentially allowing an attacker to execute arbitrary code on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected system. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`' -how_to_implement: The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -known_false_positives: If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. +description: The following analytic detects potential Remote Code Execution (RCE) + attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests + to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status code of 200. 
This detection + leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. + This activity is significant as it may indicate an exploitation attempt, potentially + allowing an attacker to execute arbitrary code on the server. If confirmed malicious, + this could lead to unauthorized access, data exfiltration, or further compromise + of the affected system. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`' +how_to_implement: The following analytic requires the Web datamodel. Ensure data source + is mapped correctly or modify and tune for your data source. +known_false_positives: If WS_FTP Server is not in use, this analytic will not return + results. Monitor and tune for your environment. Note the MetaSploit module is focused + on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. references: - https://github.com/projectdiscovery/nuclei-templates/pull/8296/files - https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044 
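Review bot: The rewrapped `search` in this hunk is the only `tstats` search in this patch that does not start with the `security_content_summariesonly` macro (compare the WordPress and PSWA hunks), which the other detections use to keep `tstats` on accelerated summary data; add the macro unless the omission is deliberate, and note why if it is. Two cosmetic points while the line is being touched: the `by` clause mixes comma-separated and space-separated fields (`Web.status Web.http_method,`), and `known_false_positives` spells the tool "MetaSploit" where the project name is Metasploit.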
@@ -21,9 +35,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ + from $src$ + risk_objects: + - field: dest + type: system + score: 72 + threat_objects: + - field: src + type: ip_address tags: cve: - CVE-2023-40044 
@@ -31,38 +60,17 @@ tags: - WS FTP Server Critical Vulnerabilities asset_type: Web Server atomic_guid: [] - confidence: 80 - impact: 90 - message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$ mitre_attack_id: - T1190 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 72 - required_fields: - - Web.http_user_agent - - Web.status - - Web.http_method - - Web.url - - Web.url_length - - Web.src - - Web.dest - - sourcetype security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ws_ftp/wsftpweb.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ws_ftp/wsftpweb.log source: suricata sourcetype: suricata diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml index 5f2e135eb4..c47abd8740 100644 --- a/detections/web/zscaler_adware_activities_threat_blocked.yml +++ b/detections/web/zscaler_adware_activities_threat_blocked.yml 
@@ -1,14 +1,29 @@ name: Zscaler Adware Activities Threat Blocked id: 3407b250-345a-4d71-80db-c91e555a3ece -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies potential adware activity blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with adware threats. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as adware can degrade system performance, lead to unwanted advertisements, and potentially expose users to further malicious content. If confirmed malicious, it could indicate an attempt to compromise user systems, necessitating further investigation and remediation to prevent potential data breaches or system exploitation. -search: '`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies potential adware activity blocked by + Zscaler. It leverages web proxy logs to detect blocked actions associated with adware + threats. Key data points such as device owner, user, URL category, destination URL, + and IP are analyzed. 
This activity is significant as adware can degrade system performance, + lead to unwanted advertisements, and potentially expose users to further malicious + content. If confirmed malicious, it could indicate an attempt to compromise user + systems, necessitating further investigation and remediation to prevent potential + data breaches or system exploitation. +search: '`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url + src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_adware_activities_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
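Review bot: `version` jumps from 3 to 5 in this hunk while the other detections in this patch are bumped by exactly one; unless a version 4 of this file was released elsewhere, this should be `version: 4`.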
@@ -18,50 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 8 + - field: user + type: user + score: 8 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 10 - message: Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml index fc5f7f6c48..8a55d3f407 100644 --- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml +++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml 
@@ -1,14 +1,28 @@ name: Zscaler Behavior Analysis Threat Blocked id: 289ad59f-8939-4331-b805-f2bd51d36fb8 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies threats blocked by the Zscaler proxy based on behavior analysis. It leverages web proxy logs to detect entries where actions are blocked and threat names and classes are specified. This detection is significant as it highlights potential malicious activities that were intercepted by Zscaler's behavior analysis, providing early indicators of threats. If confirmed malicious, these blocked threats could indicate attempted breaches or malware infections, helping security teams to understand and mitigate potential risks in their environment. -search: '`zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies threats blocked by the Zscaler proxy + based on behavior analysis. It leverages web proxy logs to detect entries where + actions are blocked and threat names and classes are specified. 
This detection is + significant as it highlights potential malicious activities that were intercepted + by Zscaler's behavior analysis, providing early indicators of threats. If confirmed + malicious, these blocked threats could indicate attempted breaches or malware infections, + helping security teams to understand and mitigate potential risks in their environment. +search: '`zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" + | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner + user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_behavior_analysis_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
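Review bot: `version` goes from 3 to 5 in this hunk while the neighbouring Zscaler detections (cryptominer, employment search) move by one; confirm the intended value. The unchanged `known_false_positives` context line reads "Zscalar configuration", which should be "Zscaler configuration" to match the rest of the file; worth fixing in the same change since the file is already being rewritten.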
@@ -18,50 +32,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ + for user-[$user$]. + risk_objects: + - field: src + type: system + score: 8 + - field: user + type: user + score: 8 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 10 - message: Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml index cd49da9142..6d18afa2c9 100644 --- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml +++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml 
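Review bot: In the zscaler_behavior_analysis_threat_blocked.yml hunk above, the new `rba.message` reads "Potential Adware Behavior Analysis Threat from dest ...", which copies the wording of the adware detection; this file is the behavior-analysis detection (its search filters `threatclass="Behavior Analysis"`, not `threatname=*adware*`), so the message should say something like "Potential Behavior Analysis Threat blocked from dest -[$dest$] on $src$ for user-[$user$]." The old `message` had the same wording, so the copy-paste predates this patch, but the move into `rba` is the right moment to correct it.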
@@ -1,14 +1,29 @@ name: Zscaler CryptoMiner Downloaded Threat Blocked id: ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies attempts to download cryptomining software that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with cryptominer threats, analyzing key data points such as device owner, user, URL category, destination URL, and IP. This activity is significant for a SOC as it helps in early identification and mitigation of cryptomining activities, which can compromise network integrity and resource availability. If confirmed malicious, this activity could lead to unauthorized use of network resources for cryptomining, potentially degrading system performance and increasing operational costs. -search: '`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies attempts to download cryptomining software + that are blocked by Zscaler. 
It leverages web proxy logs to detect blocked actions + associated with cryptominer threats, analyzing key data points such as device owner, + user, URL category, destination URL, and IP. This activity is significant for a + SOC as it helps in early identification and mitigation of cryptomining activities, + which can compromise network integrity and resource availability. If confirmed malicious, + this activity could lead to unauthorized use of network resources for cryptomining, + potentially degrading system performance and increasing operational costs. +search: '`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_cryptominer_downloaded_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
@@ -18,50 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for + user-[$user$]. + risk_objects: + - field: src + type: system + score: 32 + - field: user + type: user + score: 32 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 40 - message: Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 32 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml index 63a7d4278c..99af05f85e 100644 --- a/detections/web/zscaler_employment_search_web_activity.yml +++ b/detections/web/zscaler_employment_search_web_activity.yml 
@@ -1,14 +1,29 @@ name: Zscaler Employment Search Web Activity id: 5456bdef-d765-4565-8e1f-61ca027bc50e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies web activity related to employment searches within a network. It leverages Zscaler web proxy logs, focusing on entries categorized as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This detection is significant for SOCs as it helps monitor potential insider threats by identifying users who may be seeking new employment. If confirmed malicious, this activity could indicate a risk of data exfiltration or other insider threats, potentially leading to sensitive information leakage or other security breaches. -search: '`zscaler_proxy` urlsupercategory="Job/Employment Search" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies web activity related to employment + searches within a network. It leverages Zscaler web proxy logs, focusing on entries + categorized as 'Job/Employment Search'. Key data points such as device owner, user, + URL category, destination URL, and IP are analyzed. 
This detection is significant + for SOCs as it helps monitor potential insider threats by identifying users who + may be seeking new employment. If confirmed malicious, this activity could indicate + a risk of data exfiltration or other insider threats, potentially leading to sensitive + information leakage or other security breaches. +search: '`zscaler_proxy` urlsupercategory="Job/Employment Search" | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_employment_search_web_activity_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
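Review bot: the version bump in this hunk (3→4) is inconsistent with the sibling files that receive the same rba conversion in this change: zscaler_exploit_threat_blocked, zscaler_malware_activity_threat_blocked and zscaler_potentially_abused_file_download all go 3→5. Confirm which increment is intended and apply it uniformly so the detection versions line up with the release notes.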
@@ -18,50 +33,42 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Employment Search Web Activity from dest -[$dest$] on $src$ for + user-[$user$]. + risk_objects: + - field: src + type: system + score: 4 + - field: user + type: user + score: 4 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 5 - message: Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 4 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml index c7ae814a0a..e88d087743 100644 --- a/detections/web/zscaler_exploit_threat_blocked.yml +++ b/detections/web/zscaler_exploit_threat_blocked.yml 
@@ -1,14 +1,29 @@ name: Zscaler Exploit Threat Blocked id: 94665d8c-b841-4ff4-acb4-34d613e2cbfe -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: [] -description: The following analytic identifies potential exploit attempts involving command and script interpreters blocked by Zscaler. It leverages web proxy logs to detect incidents where actions are blocked due to exploit references. The detection compiles statistics by user, threat name, URL, hostname, file class, and filename. This activity is significant as it helps identify and mitigate exploit attempts, which are critical for maintaining security. If confirmed malicious, such activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a severe threat to organizational security. -search: '`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies potential exploit attempts involving + command and script interpreters blocked by Zscaler. It leverages web proxy logs + to detect incidents where actions are blocked due to exploit references. 
The detection + compiles statistics by user, threat name, URL, hostname, file class, and filename. + This activity is significant as it helps identify and mitigate exploit attempts, + which are critical for maintaining security. If confirmed malicious, such activity + could lead to unauthorized code execution, privilege escalation, or persistent access + within the environment, posing a severe threat to organizational security. +search: '`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) + as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename + url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_exploit_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
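Review bot: the reflowed description still claims the analytic identifies exploit attempts "involving command and script interpreters", but the search only filters `action=blocked threatname=*exploit*` and groups by user, threatname, src, hostname, fileclass, filename, url and dest; nothing in the SPL narrows the match to interpreters. Either tighten the search (for example on fileclass or filename) or reword the description to say it reports blocked requests whose Zscaler threat name contains "exploit", so the documented behaviour matches what the detection actually does.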
@@ -18,50 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 50 - message: Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml index 0374908080..319cba5ae7 100644 --- a/detections/web/zscaler_legal_liability_threat_blocked.yml +++ b/detections/web/zscaler_legal_liability_threat_blocked.yml 
@@ -1,14 +1,28 @@ name: Zscaler Legal Liability Threat Blocked id: bbf55ebf-c416-4f62-94d9-4064f2a28014 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies significant legal liability threats blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, device owners, users, URL categories, and actions associated with legal liability. By leveraging statistics on unique fields, it ensures a precise focus on these threats. This activity is significant for SOC as it helps enforce legal compliance and risk management. If confirmed malicious, it could indicate attempts to access legally sensitive or restricted content, potentially leading to legal repercussions and compliance violations. -search: '`zscaler_proxy` urlclass="Legal Liability" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies significant legal liability threats + blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, + device owners, users, URL categories, and actions associated with legal liability. + By leveraging statistics on unique fields, it ensures a precise focus on these threats. 
+ This activity is significant for SOC as it helps enforce legal compliance and risk + management. If confirmed malicious, it could indicate attempts to access legally + sensitive or restricted content, potentially leading to legal repercussions and + compliance violations. +search: '`zscaler_proxy` urlclass="Legal Liability" | stats count min(_time) as firstTime + max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
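Review bot: the `| dedup urlcategory` placed after `stats ... by action deviceowner user urlcategory url src dest` in the reflowed search keeps a single row per URL category, so rows for every other user and host in the same category are discarded before the filter macro runs; with the new rba block this also means only one src/user pair per category is ever assigned risk. If one result per category is the intent, state that in the description; otherwise drop the dedup or deduplicate on a field that preserves the per-entity rows.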
@@ -18,50 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 16 + - field: user + type: user + score: 16 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 20 - message: Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 16 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml index 9ec20e0a1a..34061dc5be 100644 --- a/detections/web/zscaler_malware_activity_threat_blocked.yml +++ b/detections/web/zscaler_malware_activity_threat_blocked.yml 
@@ -1,14 +1,29 @@ name: Zscaler Malware Activity Threat Blocked id: ae874ad8-e353-40a7-87d4-420cdfb27d1a -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies potential malware activities within a network that are blocked by Zscaler. It leverages web proxy logs to filter for blocked actions associated with malware, aggregating occurrences by user, URL, and threat category. This detection is significant for SOC as it highlights attempts to access malicious content, indicating potential compromise or targeted attacks. If confirmed malicious, this activity could signify an ongoing attempt to infiltrate the network, necessitating immediate investigation to prevent further threats and ensure network integrity. -search: '`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies potential malware activities within + a network that are blocked by Zscaler. It leverages web proxy logs to filter for + blocked actions associated with malware, aggregating occurrences by user, URL, and + threat category. 
This detection is significant for SOC as it highlights attempts + to access malicious content, indicating potential compromise or targeted attacks. + If confirmed malicious, this activity could signify an ongoing attempt to infiltrate + the network, necessitating immediate investigation to prevent further threats and + ensure network integrity. +search: '`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None + | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner + user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_malware_activity_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
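Review bot: the unchanged context line `known_false_positives: False positives are limited to Zscalar configuration.` carries the typo "Zscalar" (the phishing file has the same one), and since this file is already being rewritten here it is worth fixing in the same change. Also worth a sentence in how_to_implement: `threatcategory!=None` is a comparison against the literal string "None", not a null check, so operators should not expect it to filter events where the field is absent.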
@@ -18,50 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 50 - message: Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml index c1d3357467..06092146ff 100644 --- a/detections/web/zscaler_phishing_activity_threat_blocked.yml +++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml 
@@ -1,14 +1,29 @@ name: Zscaler Phishing Activity Threat Blocked id: 68d3e2c1-e97f-4310-b080-dea180b48aa9 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies potential phishing attempts blocked by Zscaler within a network. It leverages web proxy logs to detect actions tagged as HTML.Phish. The detection method involves analyzing critical data points such as user, threat name, URL, and hostname. This activity is significant for a SOC as it serves as an early warning system for phishing threats, enabling prompt investigation and mitigation. If confirmed malicious, this activity could indicate an attempt to deceive users into divulging sensitive information, potentially leading to data breaches or credential theft. -search: '`zscaler_proxy` action=blocked threatname="HTML.Phish*" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies potential phishing attempts blocked + by Zscaler within a network. It leverages web proxy logs to detect actions tagged + as HTML.Phish. The detection method involves analyzing critical data points such + as user, threat name, URL, and hostname. 
This activity is significant for a SOC + as it serves as an early warning system for phishing threats, enabling prompt investigation + and mitigation. If confirmed malicious, this activity could indicate an attempt + to deceive users into divulging sensitive information, potentially leading to data + breaches or credential theft. +search: '`zscaler_proxy` action=blocked threatname="HTML.Phish*" | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user threatname url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_phishing_activity_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
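Review bot: the description says the detection analyses "user, threat name, URL, and hostname", but the `by` clause in the reflowed search is `action deviceowner user threatname url src dest` and contains no hostname; align one with the other. The same "Zscalar" typo noted for the malware file sits in this file's known_false_positives context line and should be corrected while the file is touched.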
@@ -18,50 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 16 + - field: user + type: user + score: 16 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 20 - message: Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 16 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml index b7fed03db7..f18bdfe4f0 100644 --- a/detections/web/zscaler_potentially_abused_file_download.yml +++ b/detections/web/zscaler_potentially_abused_file_download.yml 
@@ -1,14 +1,28 @@ name: Zscaler Potentially Abused File Download id: b0c21379-f4ba-4bac-a958-897e260f964a -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies the download of potentially malicious file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, user, urlcategory, url, dest, and filename. This activity is significant as these file types are often used to spread malware, posing a threat to network security. If confirmed malicious, this activity could lead to malware execution, data compromise, or further network infiltration. -search: '`zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies the download of potentially malicious + file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web + proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, + user, urlcategory, url, dest, and filename. 
This activity is significant as these + file types are often used to spread malware, posing a threat to network security. + If confirmed malicious, this activity could lead to malware execution, data compromise, + or further network infiltration. +search: '`zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") | stats count + min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url + src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_potentially_abused_file_download_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
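Review bot: the reflowed description still says the analytic focuses "on blocked actions", but the search in this hunk carries no `action=blocked` filter: `` `zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") `` matches allowed downloads as well, so either add `action=blocked` as the sibling Zscaler detections do, or drop that phrase from the description so the text matches what the search returns. Also, `version` jumps from 3 to 5 here and in the three other Zscaler detections in this change; if no version 4 was ever released, bump to 4 instead.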
@@ -18,50 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 8 + - field: user + type: user + score: 8 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 10 - message: Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml index c13b18286c..abf94751e3 100644 --- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml +++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml 
@@ -1,14 +1,29 @@ name: Zscaler Privacy Risk Destinations Threat Blocked id: 5456bdef-d765-4565-8e1f-61ca027bc50d -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies blocked destinations within a network that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing on entries marked as "Privacy Risk." Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant for a SOC as it helps monitor and manage privacy risks, ensuring a secure network environment. If confirmed malicious, this activity could indicate attempts to access or exfiltrate sensitive information, posing a significant threat to data privacy and security. -search: '`zscaler_proxy` action=blocked urlclass="Privacy Risk" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies blocked destinations within a network + that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing + on entries marked as "Privacy Risk." Key data points such as device owner, user, + URL category, destination URL, and IP are analyzed. 
This activity is significant + for a SOC as it helps monitor and manage privacy risks, ensuring a secure network + environment. If confirmed malicious, this activity could indicate attempts to access + or exfiltrate sensitive information, posing a significant threat to data privacy + and security. +search: '`zscaler_proxy` action=blocked urlclass="Privacy Risk" | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_privacy_risk_destinations_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
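Review bot: the `| dedup urlcategory` that follows `stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest` keeps only one row per URL category, so when several users or sources are blocked on different Privacy Risk destinations in the same category, all but one row are discarded before the new `rba` block can raise risk on those `src` and `user` values. Either remove the dedup, or take `urlcategory` out of the `by` clause and collect it with `values(urlcategory)` so every source and user still gets a risk object.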
@@ -18,50 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 8 + - field: user + type: user + score: 8 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 10 - message: Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml index 17755e36e5..5c7281924b 100644 --- a/detections/web/zscaler_scam_destinations_threat_blocked.yml +++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml 
@@ -1,14 +1,28 @@ name: Zscaler Scam Destinations Threat Blocked id: a0c21379-f4ba-4bac-a958-897e260f964a -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies blocked scam-related activities detected by Zscaler within a network. It leverages web proxy logs to examine actions flagged as scam threats, focusing on data points such as device owner, user, URL category, destination URL, and IP. This detection is significant for SOC as it helps in the early identification and mitigation of scam activities, ensuring network safety. If confirmed malicious, this activity could indicate attempts to deceive users, potentially leading to data theft or financial loss. -search: '`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies blocked scam-related activities detected + by Zscaler within a network. It leverages web proxy logs to examine actions flagged + as scam threats, focusing on data points such as device owner, user, URL category, + destination URL, and IP. 
This detection is significant for SOC as it helps in the + early identification and mitigation of scam activities, ensuring network safety. + If confirmed malicious, this activity could indicate attempts to deceive users, + potentially leading to data theft or financial loss. +search: '`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_scam_destinations_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
@@ -18,50 +32,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 8 + - field: user + type: user + score: 8 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 10 - message: Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 8 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml index 3ae874d2b7..f0c094a07c 100644 --- a/detections/web/zscaler_virus_download_threat_blocked.yml +++ b/detections/web/zscaler_virus_download_threat_blocked.yml 
@@ -1,14 +1,29 @@ name: Zscaler Virus Download threat blocked id: aa19e627-d448-4a31-85cd-82068dec5691 -version: 3 -date: '2024-09-30' +version: 5 +date: '2024-11-15' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The following analytic identifies attempts to download viruses that were blocked by Zscaler within a network. It leverages web proxy logs to detect blocked actions indicative of virus download attempts. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as it helps in early detection and remediation of potential virus threats, enhancing network security. If confirmed malicious, this activity could indicate an attempt to compromise the network, potentially leading to data breaches or further malware infections. -search: '`zscaler_proxy` action=blocked threatname!="None" threatclass=Virus | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies attempts to download viruses that were + blocked by Zscaler within a network. It leverages web proxy logs to detect blocked + actions indicative of virus download attempts. Key data points such as device owner, + user, URL category, destination URL, and IP are analyzed. 
This activity is significant + as it helps in early detection and remediation of potential virus threats, enhancing + network security. If confirmed malicious, this activity could indicate an attempt + to compromise the network, potentially leading to data breaches or further malware + infections. +search: '`zscaler_proxy` action=blocked threatname!="None" threatclass=Virus | stats + count min(_time) as firstTime max(_time) as lastTime by action deviceowner user + urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `zscaler_virus_download_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs 
@@ -18,50 +33,41 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$]. + risk_objects: + - field: src + type: system + score: 40 + - field: user + type: user + score: 40 + threat_objects: + - field: url + type: url tags: analytic_story: - Zscaler Browser Proxy Threats asset_type: Web Server - confidence: 80 - impact: 50 - message: Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$]. 
mitre_attack_id: - T1566 - observable: - - name: src - type: IP Address - role: - - Victim - - name: user - type: User - role: - - Victim - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 40 - required_fields: - - action - - threatname - - deviceowner - - user - - urlcategory - - url - - dest - - dest_ip - - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/investigations/all_backup_logs_for_host.yml b/investigations/all_backup_logs_for_host.yml index bce094b0ca..526e0760f2 100644 --- a/investigations/all_backup_logs_for_host.yml +++ b/investigations/all_backup_logs_for_host.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-09-12' author: Rico Valdez, Splunk type: Investigation -datamodel: [] +status: deprecated description: Retrieve the backup logs for the last 2 weeks for a specific host in order to investigate why backups are not completing successfully. search: '| search `netbackup` dest=$dest$' @@ -17,7 +17,4 @@ tags: - Monitor Backup Solution product: - Splunk Phantom - required_fields: - - _time - - dest security_domain: endpoint diff --git a/investigations/amazon_eks_kubernetes_activity_by_src_ip.yml b/investigations/amazon_eks_kubernetes_activity_by_src_ip.yml index 954ae79109..fdd85fd8e0 100644 --- a/investigations/amazon_eks_kubernetes_activity_by_src_ip.yml +++ b/investigations/amazon_eks_kubernetes_activity_by_src_ip.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2020-04-13' author: Rod Soto, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search provides investigation data about requests via user agent, authentication request URI, verb and cluster name data against Kubernetes cluster from a specific IP address @@ -22,12 +22,4 @@ tags: - Kubernetes Scanning Activity product: - Splunk Phantom - required_fields: - - _time - - sourceIPs{} - - user.username - - requestURI - - verb - - userAgent - - annotations.authorization.k8s.io/decision security_domain: network diff --git a/investigations/aws_investigate_security_hub_alerts_by_dest.yml b/investigations/aws_investigate_security_hub_alerts_by_dest.yml index d5105ba0ad..c68fadb66c 100644 --- a/investigations/aws_investigate_security_hub_alerts_by_dest.yml +++ b/investigations/aws_investigate_security_hub_alerts_by_dest.yml @@ -4,7 +4,7 @@ version: 1 date: '2020-06-08' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id). search: '`aws_securityhub_firehose` "findings{}.Resources{}.Type"=AWSEC2Instance | @@ -24,15 +24,4 @@ tags: - AWS Suspicious Provisioning Activities product: - Splunk Phantom - required_fields: - - _time - - findings{}.Resources{}.Type - - findings{}.Resources{}.Id - - instance - - Remediation.Recommendation.Text - - Title - - ProductArn - - Description - - FirstObservedAt - - RecordState security_domain: network diff --git a/investigations/aws_investigate_user_activities_by_accesskeyid.yml b/investigations/aws_investigate_user_activities_by_accesskeyid.yml index f9a45e8f8e..c9523dd2fd 100644 --- a/investigations/aws_investigate_user_activities_by_accesskeyid.yml +++ b/investigations/aws_investigate_user_activities_by_accesskeyid.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-06-08' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search retrieves the times, ARN, source IPs, AWS regions, event names, and the result of the event for specific credentials. search: '`cloudtrail` | rename userIdentity.accessKeyId as accessKeyId| search accessKeyId=$accessKeyId$ @@ -21,13 +21,4 @@ tags: product: - Splunk Phantom - Splunk Security Analytics for AWS - required_fields: - - _time - - userIdentity.accessKeyId - - userIdentity.arn - - sourceIPAddress - - awsRegion - - eventName - - errorCode - - errorMessage security_domain: network diff --git a/investigations/aws_investigate_user_activities_by_arn.yml b/investigations/aws_investigate_user_activities_by_arn.yml index c28c2279bd..d15290547a 100644 --- a/investigations/aws_investigate_user_activities_by_arn.yml +++ b/investigations/aws_investigate_user_activities_by_arn.yml @@ -4,7 +4,7 @@ version: 2 date: '2019-04-30' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search lists all the logged CloudTrail activities by a specific user ARN and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's @@ -33,15 +33,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - user - - userIdentity.type - - userIdentity.userName - - userIdentity.arn - - aws_account_id - - src - - awsRegion - - eventName - - eventType security_domain: network diff --git a/investigations/aws_network_acl_details_from_id.yml b/investigations/aws_network_acl_details_from_id.yml index 75d378c08f..71ef17baf8 100644 --- a/investigations/aws_network_acl_details_from_id.yml +++ b/investigations/aws_network_acl_details_from_id.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2017-01-22' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries AWS description logs and returns all the information about a specific network ACL via network ACL ID search: '`aws_description` | rename id as networkAclId | search networkAclId=$networkAclId$ @@ -21,10 +21,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - id - - account_id - - vpc_id - - network_acl_entries{}.* security_domain: network diff --git a/investigations/aws_network_interface_details_via_resourceid.yml b/investigations/aws_network_interface_details_via_resourceid.yml index 465ce96cdb..081ba1bdc4 100644 --- a/investigations/aws_network_interface_details_via_resourceid.yml +++ b/investigations/aws_network_interface_details_via_resourceid.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-05-07' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries AWS configuration logs and returns the information about a specific network interface via network interface ID. The information will include the ARN of the network interface, its relationships with other AWS resources, @@ -24,13 +24,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - resourceId - - ARN - - relationships{}.resourceType - - relationships{}.name - - relationships{}.resourceId - - configuration.privateIpAddresses{}.privateIpAddress - - configuration.privateIpAddresses{}.association.publicIp security_domain: network diff --git a/investigations/aws_s3_bucket_details_via_bucketname.yml b/investigations/aws_s3_bucket_details_via_bucketname.yml index c292a77254..86946b4438 100644 --- a/investigations/aws_s3_bucket_details_via_bucketname.yml +++ b/investigations/aws_s3_bucket_details_via_bucketname.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-06-26' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries AWS configuration logs and returns the information about a specific S3 bucket. The information returned includes the time the S3 bucket was created, the resource ID, the region it belongs to, the value of action performed, @@ -22,13 +22,4 @@ tags: - Suspicious AWS S3 Activities product: - Splunk Phantom - required_fields: - - _time - - resourceId - - bucketName - - resourceCreationTime - - vendor_region - - action - - aws_account_id - - supplementaryConfiguration.AccessControlList security_domain: network diff --git a/investigations/gcp_kubernetes_activity_by_src_ip.yml b/investigations/gcp_kubernetes_activity_by_src_ip.yml index cf1f33d2ef..d4359faeb0 100644 --- a/investigations/gcp_kubernetes_activity_by_src_ip.yml +++ b/investigations/gcp_kubernetes_activity_by_src_ip.yml @@ -4,7 +4,7 @@ version: 1 date: '2020-04-13' author: Rod Soto, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search provides investigation data about requests via user agent, authentication request URI, resource path and cluster name data against Kubernetes cluster from a specific IP address @@ -26,14 +26,4 @@ tags: - Kubernetes Scanning Activity product: - Splunk Phantom - required_fields: - - _time - - data.protoPayload.requestMetadata.callerIp - - data.protoPayload.methodName - - data.protoPayload.resourceName - - data.protoPayload.requestMetadata.callerSuppliedUserAgent - - data.protoPayload.authenticationInfo.principalEmail - - data.protoPayload.status.message - - data.resource.labels.cluster_name - - data.resource.type security_domain: network diff --git a/investigations/get_all_aws_activity_from_city.yml b/investigations/get_all_aws_activity_from_city.yml index d37d913fd1..4e9d0f79a9 100644 --- a/investigations/get_all_aws_activity_from_city.yml 
+++ b/investigations/get_all_aws_activity_from_city.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-03-19' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search retrieves all the activity from a specific city and will create a table containing the time, city, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not @@ -23,13 +23,4 @@ tags: - AWS Suspicious Provisioning Activities product: - Splunk Phantom - required_fields: - - _time - - sourceIPAddress - - userIdentity.arn - - userIdentity.userName - - userIdentity.type - - awsRegion - - eventName - - errorCode security_domain: network diff --git a/investigations/get_all_aws_activity_from_country.yml b/investigations/get_all_aws_activity_from_country.yml index 588de58c1a..aef67b8395 100644 --- a/investigations/get_all_aws_activity_from_country.yml +++ b/investigations/get_all_aws_activity_from_country.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-03-19' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search retrieves all the activity from a specific country and will create a table containing the time, country, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether @@ -24,13 +24,4 @@ tags: - AWS Suspicious Provisioning Activities product: - Splunk Phantom - required_fields: - - _time - - sourceIPAddress - - userIdentity.arn - - userIdentity.userName - - userIdentity.type - - awsRegion - - eventName - - errorCode security_domain: network diff --git a/investigations/get_all_aws_activity_from_ip_address.yml b/investigations/get_all_aws_activity_from_ip_address.yml index d1fa39b95c..ad00e31621 100644 --- a/investigations/get_all_aws_activity_from_ip_address.yml +++ b/investigations/get_all_aws_activity_from_ip_address.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-03-19' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search retrieves all the activity from a specific IP address and will create a table containing the time, ARN, username, the type of user, the IP address, the AWS region the activity was in, the API called, and whether or not @@ -28,13 +28,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - sourceIPAddress - - userIdentity.arn - - userIdentity.userName - - userIdentity.type - - awsRegion - - eventName - - errorCode security_domain: network diff --git a/investigations/get_all_aws_activity_from_region.yml b/investigations/get_all_aws_activity_from_region.yml index 476f3008db..a9be04ab63 100644 --- a/investigations/get_all_aws_activity_from_region.yml +++ b/investigations/get_all_aws_activity_from_region.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-03-19' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search retrieves all the activity from a specific geographic region and will create a table containing the time, geographic region, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API @@ -23,13 +23,4 @@ tags: - AWS Suspicious Provisioning Activities product: - Splunk Phantom - required_fields: - - _time - - sourceIPAddress - - userIdentity.arn - - userIdentity.userName - - userIdentity.type - - awsRegion - - eventName - - errorCode security_domain: network diff --git a/investigations/get_backup_logs_for_endpoint.yml b/investigations/get_backup_logs_for_endpoint.yml index a381ddc275..92c86ed03a 100644 --- a/investigations/get_backup_logs_for_endpoint.yml +++ b/investigations/get_backup_logs_for_endpoint.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2017-09-14' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search will tell you the backup status from your netbackup_logs of a specific endpoint for the last week. search: '`netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as @@ -18,8 +18,4 @@ tags: - SamSam Ransomware product: - Splunk Phantom - required_fields: - - _time - - COMPUTERNAME - - MESSAGE security_domain: endpoint diff --git a/investigations/get_certificate_logs_for_a_domain.yml b/investigations/get_certificate_logs_for_a_domain.yml index d6c37bddf6..f0b2aa4a3d 100644 --- a/investigations/get_certificate_logs_for_a_domain.yml +++ b/investigations/get_certificate_logs_for_a_domain.yml @@ -4,7 +4,7 @@ version: 2 date: '2019-04-29' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries the Certificates datamodel and give you all the information for a specific domain. Please note that the certificates issued by "Let's Encrypt" are widely used by attackers. @@ -24,11 +24,4 @@ tags: - Common Phishing Frameworks product: - Splunk Phantom - required_fields: - - _time - - All_Certificates.SSL.ssl_subject_common_name - - All_Certificates.dest - - All_Certificates.src - - All_Certificates.SSL.ssl_issuer_common_name - - All_Certificates.SSL.ssl_hash security_domain: network diff --git a/investigations/get_dns_server_history_for_a_host.yml b/investigations/get_dns_server_history_for_a_host.yml index 9869c96a45..58ba43d1c1 100644 --- a/investigations/get_dns_server_history_for_a_host.yml +++ b/investigations/get_dns_server_history_for_a_host.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2017-11-09' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: While investigating any detections it is important to understand which and how many DNS servers a host has connected to in the past. This search uses data that is tagged as DNS and gives you a count and list of DNS servers that a particular @@ -30,9 +30,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - src_ip - - dest_port - - dest_ip security_domain: network diff --git a/investigations/get_dns_traffic_ratio.yml b/investigations/get_dns_traffic_ratio.yml index ee8600d8bc..ede0480799 100644 --- a/investigations/get_dns_traffic_ratio.yml +++ b/investigations/get_dns_traffic_ratio.yml @@ -4,13 +4,12 @@ version: 2 date: '2024-09-24' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Network_Traffic -description: 'This search calculates the ratio of DNS traffic originating and coming +status: deprecated +description: This search calculates the ratio of DNS traffic originating and coming from a host to a list of DNS servers over the last 24 hours. A high value of this ratio could be very useful to quickly understand if a src_ip (host) is sending a high volume of data out via port 53, could be an indicator of data exfiltration - via DNS.' + via DNS. search: '| tstats allow_old_summaries=true sum(All_Traffic.bytes_out) as "bytes_out" sum(All_Traffic.bytes_in) as "bytes_in" from datamodel=Network_Traffic where nodename=All_Traffic All_Traffic.dest_port=53 by All_Traffic.src All_Traffic.dest| `drop_dm_object_name(All_Traffic)` @@ -30,11 +29,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - All_Traffic.bytes_out - - All_Traffic.bytes_in - - All_Traffic.dest_port - - All_Traffic.src - - All_Traffic.dest security_domain: network 
diff --git a/investigations/get_ec2_instance_details_by_instanceid.yml b/investigations/get_ec2_instance_details_by_instanceid.yml index 60aa981fa8..ed0ddf0c52 100644 --- a/investigations/get_ec2_instance_details_by_instanceid.yml +++ b/investigations/get_ec2_instance_details_by_instanceid.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-02-12' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries AWS description logs and returns all the information about a specific instance via the instanceId field search: '`aws_description` | dedup id sortby -_time |rename id as instanceId| search @@ -29,17 +29,4 @@ tags: - AWS Security Hub Alerts product: - Splunk Phantom - required_fields: - - _time - - id - - ip_address - - tags - - aws_account_id - - placement - - instance_type - - key_name - - launch_time - - state - - vpc_id - - subnet_id security_domain: network diff --git a/investigations/get_ec2_launch_details.yml b/investigations/get_ec2_launch_details.yml index b5092ffd05..46432d9945 100644 --- a/investigations/get_ec2_launch_details.yml +++ b/investigations/get_ec2_launch_details.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-03-12' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search returns some of the launch details for a EC2 instance. search: '`cloudtrail` dest=$dest$ |rename userIdentity.arn as arn, responseElements.instancesSet.items{}.instanceId as dest, responseElements.instancesSet.items{}.privateIpAddress as privateIpAddress, @@ -24,13 +24,4 @@ tags: - AWS Security Hub Alerts product: - Splunk Phantom - required_fields: - - _time - - dest - - userIdentity.arn - - responseElements.instancesSet.items{}.instanceId - - responseElements.instancesSet.items{}.privateIpAddress - - responseElements.instancesSet.items{}.imageId - - responseElements.instancesSet.items{}.architecture - - responseElements.instancesSet.items{}.keyName security_domain: network 
diff --git a/investigations/get_email_info.yml b/investigations/get_email_info.yml index 322bead4ff..247576a7cc 100644 --- a/investigations/get_email_info.yml +++ b/investigations/get_email_info.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-11-09' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search returns all the information Splunk might have collected a specific email message over the last 2 hours. search: '| from datamodel Email.All_Email | search message_id=$message_id$' @@ -18,7 +18,4 @@ tags: - Suspicious Emails product: - Splunk Phantom - required_fields: - - _time - - message security_domain: network diff --git a/investigations/get_emails_from_specific_sender.yml b/investigations/get_emails_from_specific_sender.yml index 7c7bd838b9..c4e5b0389a 100644 --- a/investigations/get_emails_from_specific_sender.yml +++ b/investigations/get_emails_from_specific_sender.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-11-09' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search returns all the emails from a specific sender over the last 24 and next hours. search: '| from datamodel Email.All_Email | search src_user=$src_user$' @@ -20,7 +20,4 @@ tags: - Web Fraud Detection product: - Splunk Phantom - required_fields: - - _time - - src_user security_domain: network diff --git a/investigations/get_first_occurrence_and_last_occurrence_of_a_mac_address.yml b/investigations/get_first_occurrence_and_last_occurrence_of_a_mac_address.yml index 52285d92ac..22da000f97 100644 --- a/investigations/get_first_occurrence_and_last_occurrence_of_a_mac_address.yml +++ b/investigations/get_first_occurrence_and_last_occurrence_of_a_mac_address.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2017-09-13' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Network_Sessions +status: deprecated description: This search allows you to gather more context around a notable which has detected a new device connecting to your network. Use this search to determine the first and last occurrences of the suspicious device attempting to connect with @@ -23,11 +22,4 @@ tags: - Asset Tracking product: - Splunk Phantom - required_fields: - - _time - - All_Sessions.DHCP - - All_Sessions.signature - - All_Sessions.src_mac - - All_Sessions.src_ip - - All_Sessions.user security_domain: network diff --git a/investigations/get_history_of_email_sources.yml b/investigations/get_history_of_email_sources.yml index 5913aeb375..6b5b7d83af 100644 --- a/investigations/get_history_of_email_sources.yml +++ b/investigations/get_history_of_email_sources.yml @@ -4,8 +4,7 @@ version: 1 date: '2019-02-21' author: Rico Valdez, Splunk type: Investigation -datamodel: -- Email +status: deprecated description: This search returns a list of all email sources seen in the 48 hours prior to the notable event to 24 hours after, and the number of emails from each source. @@ -30,9 +29,4 @@ tags: - SamSam Ransomware product: - Splunk Phantom - required_fields: - - _time - - All_Email.dest - - All_Email.recipient - - All_Email.src security_domain: network diff --git a/investigations/get_logon_rights_modifications_for_endpoint.yml b/investigations/get_logon_rights_modifications_for_endpoint.yml index fe8a53898b..42405d395a 100644 --- a/investigations/get_logon_rights_modifications_for_endpoint.yml +++ b/investigations/get_logon_rights_modifications_for_endpoint.yml 
@@ -4,7 +4,7 @@ version: 2 date: '2017-09-12' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search allows you to retrieve any modifications to logon rights associated with a specific host. search: '`wineventlog_security` (signature_id=4718 OR signature_id=4717) dest=$dest$ @@ -19,9 +19,4 @@ tags: - AWS Cryptomining product: - Splunk Phantom - required_fields: - - _time - - signature_id - - dest - - user security_domain: endpoint diff --git a/investigations/get_logon_rights_modifications_for_user.yml b/investigations/get_logon_rights_modifications_for_user.yml index ae39bb083f..10d81579af 100644 --- a/investigations/get_logon_rights_modifications_for_user.yml +++ b/investigations/get_logon_rights_modifications_for_user.yml @@ -4,7 +4,7 @@ version: 2 date: '2019-02-27' author: David Dorsey, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search allows you to retrieve any modifications to logon rights for a specific user account. search: '`wineventlog_security` (signature_id=4718 OR signature_id=4717) user=$user$ @@ -19,9 +19,4 @@ tags: - AWS Cryptomining product: - Splunk Phantom - required_fields: - - _time - - signature_id - - dest - - user security_domain: endpoint diff --git a/investigations/get_notable_history.yml b/investigations/get_notable_history.yml index fc139746e5..0263940a86 100644 --- a/investigations/get_notable_history.yml +++ b/investigations/get_notable_history.yml @@ -4,7 +4,7 @@ version: 2 date: '2017-09-20' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries the notable index and returns all the Notable Events for the particular destination host, giving the analyst an overview of the incidents that may have occurred with the host under investigation. @@ -84,6 +84,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time security_domain: endpoint 
diff --git a/investigations/get_outbound_emails_to_hidden_cobra_threat_actors.yml b/investigations/get_outbound_emails_to_hidden_cobra_threat_actors.yml index ee1a69683d..eb30eaa867 100644 --- a/investigations/get_outbound_emails_to_hidden_cobra_threat_actors.yml +++ b/investigations/get_outbound_emails_to_hidden_cobra_threat_actors.yml @@ -4,8 +4,7 @@ version: 1 date: '2018-06-14' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Email +status: deprecated description: 'This search returns the information of the users that sent emails to the accounts controlled by the Hidden Cobra Threat Actors: specifically to `misswang8107@gmail.com`, and from `redhat@gmail.com`.' @@ -23,10 +22,4 @@ tags: - Hidden Cobra Malware product: - Splunk Phantom - required_fields: - - _time - - recipient - - src_user - - dest - - sec security_domain: network diff --git a/investigations/get_parent_process_info.yml b/investigations/get_parent_process_info.yml index 9c8461c595..54a97aea2b 100644 --- a/investigations/get_parent_process_info.yml +++ b/investigations/get_parent_process_info.yml @@ -4,8 +4,7 @@ version: 2 date: '2019-02-28' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Endpoint +status: deprecated description: This search queries the Endpoint data model to give you details about the parent process of a process running on a host which is under investigation. Enter the values of the process name in question and the dest @@ -51,10 +50,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.dest security_domain: endpoint diff --git a/investigations/get_process_file_activity.yml b/investigations/get_process_file_activity.yml index 574c0690d1..04450db005 100644 --- a/investigations/get_process_file_activity.yml +++ b/investigations/get_process_file_activity.yml 
@@ -4,8 +4,7 @@ version: 2 date: '2019-11-06' author: David Dorsey, Splunk type: Investigation -datamodel: -- Endpoint +status: deprecated description: This search returns the file activity for a specific process on a specific endpoint search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as @@ -24,11 +23,4 @@ tags: - Suspicious Zoom Child Processes product: - Splunk Phantom - required_fields: - - _time - - Filesystem.file_name - - Filesystem.dest - - Filesystem.process_name - - Filesystem.file_path - - Filesystem.action security_domain: endpoint diff --git a/investigations/get_process_info.yml b/investigations/get_process_info.yml index bd9856632e..c5e6c10d84 100644 --- a/investigations/get_process_info.yml +++ b/investigations/get_process_info.yml @@ -4,8 +4,7 @@ version: 2 date: '2019-04-01' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Endpoint +status: deprecated description: This search queries the Endpoint data model to give you details about the process running on a host which is under investigation. To gather the process info, enter the values for the process name in question and the destination IP address. @@ -52,10 +51,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - Processes.user - - Processes.parent_process_name - - Processes.process_name - - Processes.dest security_domain: endpoint diff --git a/investigations/get_process_information_for_port_activity.yml b/investigations/get_process_information_for_port_activity.yml index 77decff308..de14541ff3 100644 --- a/investigations/get_process_information_for_port_activity.yml +++ b/investigations/get_process_information_for_port_activity.yml 
@@ -4,8 +4,7 @@ version: 2 date: '2019-04-01' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Endpoint +status: deprecated description: This search will return information about the process associated with observed network traffic to a specific destination port from a specific host. search: '| tstats `security_content_summariesonly` count min(_time) max(_time) as @@ -34,13 +33,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - Processes.user - - Processes.process_id - - Processes.process_name - - Processes.dest - - Ports.process_id - - Ports.src - - Ports.dest_port security_domain: endpoint diff --git a/investigations/get_process_responsible_for_the_dns_traffic.yml b/investigations/get_process_responsible_for_the_dns_traffic.yml index ab34548b4a..09b50690c7 100644 --- a/investigations/get_process_responsible_for_the_dns_traffic.yml +++ b/investigations/get_process_responsible_for_the_dns_traffic.yml @@ -4,8 +4,7 @@ version: 2 date: '2019-04-01' author: Bhavin Patel, Splunk type: Investigation -datamodel: -- Endpoint +status: deprecated description: While investigating, an analyst will want to know what process and parent_process is responsible for generating suspicious DNS traffic. Use the following search and enter the value of `dest` in the search to get specific details on the process responsible @@ -34,14 +33,4 @@ tags: - Command And Control product: - Splunk Phantom - required_fields: - - _time - - Processes.user - - Processes.process_id - - Processes.process_name - - Processes.dest - - Processes.parent_process - - Ports.process_id - - Ports.src - - Ports.dest_port security_domain: endpoint diff --git a/investigations/get_sysmon_wmi_activity_for_host.yml b/investigations/get_sysmon_wmi_activity_for_host.yml index 6d03d1aaa2..e066466664 100644 --- a/investigations/get_sysmon_wmi_activity_for_host.yml +++ b/investigations/get_sysmon_wmi_activity_for_host.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-10-23' author: Rico Valdez, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search queries Sysmon WMI events for the host of interest. search: '`sysmon` EventCode>18 EventCode<22 | rename host as dest | search dest=$dest$| table _time, dest, user, Name, Operation, EventType, Type, Query, Consumer, Filter' @@ -20,15 +20,4 @@ tags: - Suspicious WMI Use product: - Splunk Phantom - required_fields: - - _time - - EventCode - - user - - Name - - Operation - - EventType - - Type - - Query - - Consumer - - Filter security_domain: endpoint diff --git a/investigations/get_web_session_information_via_session_id.yml b/investigations/get_web_session_information_via_session_id.yml index 890e160435..955b678802 100644 --- a/investigations/get_web_session_information_via_session_id.yml +++ b/investigations/get_web_session_information_via_session_id.yml @@ -4,7 +4,7 @@ version: 1 date: '2018-10-08' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search helps an analyst investigate a notable event to find out more about a specific web session. The search looks for a specific web session ID in the HTTP web traffic and outputs the URL and user agents, grouped by source IP @@ -21,10 +21,4 @@ tags: - Web Fraud Detection product: - Splunk Phantom - required_fields: - - _time - - session_id - - http_user_agent - - src_ip - - status security_domain: network diff --git a/investigations/investigate_aws_activities_via_region_name.yml b/investigations/investigate_aws_activities_via_region_name.yml index 5a29ff6bae..d1f8bd0bbb 100644 --- a/investigations/investigate_aws_activities_via_region_name.yml +++ b/investigations/investigate_aws_activities_via_region_name.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2018-02-09' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search lists all the user activities logged by CloudTrail for a specific region in question and will create a table of the values of parameters requested, the type of the event and the response from the AWS API by each user @@ -23,10 +23,4 @@ tags: - Suspicious AWS S3 Activities product: - Splunk Phantom - required_fields: - - _time - - vendor_region - - requestParameters.instancesSet.items{}.instanceId - - eventName - - user security_domain: network diff --git a/investigations/investigate_aws_user_activities_by_user_field.yml b/investigations/investigate_aws_user_activities_by_user_field.yml index b57a5b8bcb..84f4231bcd 100644 --- a/investigations/investigate_aws_user_activities_by_user_field.yml +++ b/investigations/investigate_aws_user_activities_by_user_field.yml @@ -4,7 +4,7 @@ version: 2 date: '2024-09-24' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search lists all the logged CloudTrail activities by a specific user and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and the user's identity @@ -22,15 +22,4 @@ tags: - Suspicious Cloud Authentication Activities product: - Splunk Phantom - required_fields: - - _time - - user - - userIdentity.type - - userIdentity.userName - - userIdentity.arn - - aws_account_id - - src - - awsRegion - - eventName - - eventType security_domain: network diff --git a/investigations/investigate_failed_logins_for_multiple_destinations.yml b/investigations/investigate_failed_logins_for_multiple_destinations.yml index e236f84925..929d971fd4 100644 --- a/investigations/investigate_failed_logins_for_multiple_destinations.yml +++ b/investigations/investigate_failed_logins_for_multiple_destinations.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2019-12-10' author: Patrick Bareiss, Splunk type: Investigation -datamodel: -- Authentication +status: deprecated description: This search returns failed logins to multiple destinations by user. search: '| tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login dc(Authentication.dest) AS distinct_count_dest values(Authentication.dest) @@ -22,10 +21,4 @@ tags: - Credential Dumping product: - Splunk Phantom - required_fields: - - _time - - Authentication.dest - - Authentication.app - - Authentication.action - - Authentication.user security_domain: endpoint diff --git a/investigations/investigate_network_traffic_from_src_ip.yml b/investigations/investigate_network_traffic_from_src_ip.yml index 67424cbe4b..ba7875b78f 100644 --- a/investigations/investigate_network_traffic_from_src_ip.yml +++ b/investigations/investigate_network_traffic_from_src_ip.yml @@ -4,8 +4,7 @@ version: 1 date: '2018-06-15' author: David Dorsey, Splunk type: Investigation -datamodel: -- Network_Traffic +status: deprecated description: This search allows you to find all the network traffic from a specific IP address. search: '| from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$' @@ -16,11 +15,6 @@ references: [] tags: analytic_story: - ColdRoot MacOS RAT - cve: - - CVE-2018-11409 product: - Splunk Phantom - required_fields: - - _time - - src_ip security_domain: network diff --git a/investigations/investigate_okta_activity_by_app.yml b/investigations/investigate_okta_activity_by_app.yml index c598aeb420..9c9111a9aa 100644 --- a/investigations/investigate_okta_activity_by_app.yml +++ b/investigations/investigate_okta_activity_by_app.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2020-04-02' author: Rico Valdez, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search returns all okta events associated with a specific app search: '`okta` app=$app$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city @@ -17,15 +17,4 @@ tags: - Suspicious Okta Activity product: - Splunk Phantom - required_fields: - - _time - - app - - client.geographicalContext.country - - client.geographicalContext.state - - client.geographicalContext.city - - user - - displayMessage - - src_ip - - result - - outcome.reason security_domain: network diff --git a/investigations/investigate_okta_activity_by_ip_address.yml b/investigations/investigate_okta_activity_by_ip_address.yml index db8f5fb1a2..a3a945fed5 100644 --- a/investigations/investigate_okta_activity_by_ip_address.yml +++ b/investigations/investigate_okta_activity_by_ip_address.yml @@ -4,7 +4,7 @@ version: 1 date: '2020-04-02' author: Rico Valdez, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search returns all okta events from a specific IP address. search: '`okta` src_ip={src_ip} | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city @@ -17,15 +17,4 @@ tags: - Suspicious Okta Activity product: - Splunk Phantom - required_fields: - - _time - - app - - client.geographicalContext.country - - client.geographicalContext.state - - client.geographicalContext.city - - user - - displayMessage - - src_ip - - result - - outcome.reason security_domain: network diff --git a/investigations/investigate_pass_the_hash_attempts.yml b/investigations/investigate_pass_the_hash_attempts.yml index 46c86fb11f..e4a495f05f 100644 --- a/investigations/investigate_pass_the_hash_attempts.yml +++ b/investigations/investigate_pass_the_hash_attempts.yml 
@@ -4,7 +4,7 @@ version: 1 date: '2019-12-10' author: Patrick Bareiss, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search hunts for dumped NTLM hashes used for pass the hash. search: '`wineventlog_security` EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate | stats count earliest(_time) as first_login latest(_time) as last_login by src_user @@ -23,11 +23,4 @@ tags: - Credential Dumping product: - Splunk Phantom - required_fields: - - _time - - EventCode - - Logon_Type - - AuthenticationPackageName - - src_user - - dest security_domain: endpoint diff --git a/investigations/investigate_pass_the_ticket_attempts.yml b/investigations/investigate_pass_the_ticket_attempts.yml index aec933ac8b..3e971419a5 100644 --- a/investigations/investigate_pass_the_ticket_attempts.yml +++ b/investigations/investigate_pass_the_ticket_attempts.yml @@ -4,7 +4,7 @@ version: 2 date: '2024-09-24' author: Patrick Bareiss, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search hunts for dumped kerberos ticket from LSASS memory. search: '`wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user "(?[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count) @@ -23,9 +23,4 @@ tags: - Credential Dumping product: - Splunk Phantom - required_fields: - - _time - - EventCode - - user - - dest security_domain: endpoint diff --git a/investigations/investigate_previous_unseen_user.yml b/investigations/investigate_previous_unseen_user.yml index 1553a8c28f..1e70b07b01 100644 --- a/investigations/investigate_previous_unseen_user.yml +++ b/investigations/investigate_previous_unseen_user.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2019-12-10' author: Patrick Bareiss, Splunk type: Investigation -datamodel: -- Authentication +status: deprecated description: This search returns previous unseen user, which didn't log in for 30 days. search: '| tstats count `security_content_summariesonly` earliest(_time) as first_login @@ -26,10 +25,4 @@ tags: - Credential Dumping product: - Splunk Phantom - required_fields: - - _time - - Authentication.dest - - Authentication.app - - Authentication.action - - Authentication.user security_domain: endpoint diff --git a/investigations/investigate_successful_remote_desktop_authentications.yml b/investigations/investigate_successful_remote_desktop_authentications.yml index 2188ea6be0..b5c02044c6 100644 --- a/investigations/investigate_successful_remote_desktop_authentications.yml +++ b/investigations/investigate_successful_remote_desktop_authentications.yml @@ -4,11 +4,10 @@ version: 2 date: '2024-09-24' author: Jose Hernandez, Splunk type: Investigation -datamodel: -- Authentication -description: 'This search returns the source, destination, and user for all successful +status: deprecated +description: This search returns the source, destination, and user for all successful remote-desktop authentications. A successful authentication after a brute-force - attack on a destination machine is suspicious behavior.' + attack on a destination machine is suspicious behavior. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app 
@@ -27,13 +26,4 @@ tags: - SamSam Ransomware product: - Splunk Phantom - required_fields: - - _time - - Authentication.signature_id - - Authentication.app - - Authentication.src - - Authentication.dest - - Authentication.user - - Authentication.signature - - Authentication.src_nt_domain security_domain: endpoint diff --git a/investigations/investigate_suspicious_strings_in_http_header.yml b/investigations/investigate_suspicious_strings_in_http_header.yml index 806f8da3ae..d2d83857e1 100644 --- a/investigations/investigate_suspicious_strings_in_http_header.yml +++ b/investigations/investigate_suspicious_strings_in_http_header.yml @@ -4,7 +4,7 @@ version: 1 date: '2017-10-20' author: Bhavin Patel, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search helps an analyst investigate a notable event related to a potential Apache Struts exploitation. To investigate, we will want to isolate and analyze the "payload" or the commands that were passed to the vulnerable hosts by @@ -27,10 +27,4 @@ tags: - Apache Struts Vulnerability product: - Splunk Phantom - required_fields: - - _time - - src_ip - - dest_ip - - cs_content_type - - url security_domain: network diff --git a/investigations/investigate_user_activities_in_okta.yml b/investigations/investigate_user_activities_in_okta.yml index 57ac515d5e..522e019822 100644 --- a/investigations/investigate_user_activities_in_okta.yml +++ b/investigations/investigate_user_activities_in_okta.yml @@ -4,7 +4,7 @@ version: 1 date: '2020-04-02' author: Rico Valdez, Splunk type: Investigation -datamodel: [] +status: deprecated description: This search returns all okta events by a specific user search: '`okta` user=$user$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city 
@@ -17,14 +17,4 @@ tags: - Suspicious Okta Activity product: - Splunk Phantom - required_fields: - - _time - - client.geographicalContext.country - - client.geographicalContext.state - - client.geographicalContext.city - - user - - displayMessage - - src_ip - - result - - outcome.reason security_domain: network diff --git a/investigations/investigate_web_posts_from_src.yml b/investigations/investigate_web_posts_from_src.yml index b6027c8d4c..89d2b23432 100644 --- a/investigations/investigate_web_posts_from_src.yml +++ b/investigations/investigate_web_posts_from_src.yml @@ -4,11 +4,10 @@ version: 2 date: '2024-09-24' author: Jose Hernandez, Splunk type: Investigation -datamodel: -- Web -description: 'This investigative search retrieves POST requests from a specified source +status: deprecated +description: This investigative search retrieves POST requests from a specified source IP or hostname. Identifying the POST requests, as well as their associated destination - URLs and user agent(s), may help you scope and characterize the suspicious traffic.' + URLs and user agent(s), may help you scope and characterize the suspicious traffic. search: '| tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name(Web)`| search http_method, "POST" | search src=$src$' @@ -21,10 +20,4 @@ tags: - Apache Struts Vulnerability product: - Splunk Phantom - required_fields: - - _time - - Web.url - - Web.src - - Web.http_user_agent - - Web.http_method security_domain: network diff --git a/lookups/3cx_ioc_domains.yml b/lookups/3cx_ioc_domains.yml index 611c4c7f7d..3b82b2cb5f 100644 --- a/lookups/3cx_ioc_domains.yml +++ b/lookups/3cx_ioc_domains.yml 
@@ -1,7 +1,12 @@ -description: A list of domains from the 3CX supply chain attack. -filename: 3cx_ioc_domains.csv name: 3cx_ioc_domains -default_match: 'false' -match_type: WILDCARD(domain) +date: 2024-12-23 +version: 2 +id: 65c25399-4081-4ef1-b791-86f497d3380d +author: Splunk Threat Research Team +lookup_type: csv +description: A list of domains from the 3CX supply chain attack. +default_match: false +match_type: +- WILDCARD(domain) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index f834f44dc7..2589335cce 100644 --- a/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml @@ -1,4 +1,8 @@ -description: Detect DNS Data Exfiltration using pretrained Model in DSDL -filename: __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel name: __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl -case_sensitive_match: 'false' \ No newline at end of file +date: 2024-12-23 +version: 2 +id: db5df924-c34c-4b0f-9333-a08b2af98e65 +author: Splunk Threat Research Team +lookup_type: mlmodel +description: Detect DNS Data Exfiltration using pretrained Model in DSDL +case_sensitive_match: false diff --git a/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml index 6d1d90cfd5..247cdd7e83 100644 --- a/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml 
@@ -1,4 +1,8 @@ -description: Detect suspicious DNS txt records using Pretrained Model in DSDL -filename: __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel name: __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl -case_sensitive_match: 'false' \ No newline at end of file +date: 2024-12-23 +version: 2 +id: d5099bcb-420e-4eec-9714-db0590ea4f03 +author: Splunk Threat Research Team +lookup_type: mlmodel +description: Detect suspicious DNS txt records using Pretrained Model in DSDL +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index dfe23d09ca..d44bc582b0 100644 --- a/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml +++ b/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml @@ -1,4 +1,8 @@ -description: Detect a suspicious processname using Pretrained Model in DSDL -filename: __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel name: __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl -case_sensitive_match: 'false' \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 4660425a-4fdb-4a25-895b-abbd2557aa64 +author: Splunk Threat Research Team +lookup_type: mlmodel +description: Detect a suspicious processname using Pretrained Model in DSDL +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/__mlspl_pretrained_dga_model_dsdl.yml b/lookups/__mlspl_pretrained_dga_model_dsdl.yml index 9aba0dcf66..069ac82ee3 100644 --- a/lookups/__mlspl_pretrained_dga_model_dsdl.yml +++ b/lookups/__mlspl_pretrained_dga_model_dsdl.yml 
@@ -1,4 +1,8 @@ -description: Detect DGA domains using Pretrained Model in DSDL -filename: __mlspl_pretrained_dga_model_dsdl.mlmodel name: __mlspl_pretrained_dga_model_dsdl -case_sensitive_match: 'false' \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 6c55ccdb-7006-4367-80b6-55bee5eae1a2 +author: Splunk Threat Research Team +lookup_type: mlmodel +description: Detect DGA domains using Pretrained Model in DSDL +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/__mlspl_unusual_commandline_detection.yml b/lookups/__mlspl_unusual_commandline_detection.yml index 7fd0faa546..b61270c65f 100644 --- a/lookups/__mlspl_unusual_commandline_detection.yml +++ b/lookups/__mlspl_unusual_commandline_detection.yml @@ -1,6 +1,10 @@ -description: An MLTK model for detecting malicious commandlines -filename: __mlspl_unusual_commandline_detection.mlmodel name: __mlspl_unusual_commandline_detection -case_sensitive_match: 'false' +date: 2024-12-23 +version: 2 +id: e340177d-f2c5-4cb7-8b13-9f484934f648 +author: Splunk Threat Research Team +lookup_type: mlmodel +description: An MLTK model for detecting malicious commandlines +case_sensitive_match: false min_matches: 1 -default_match: 'false' +default_match: false diff --git a/lookups/ace_access_rights_lookup.yml b/lookups/ace_access_rights_lookup.yml index eb19f3befa..e7488a1092 100644 --- a/lookups/ace_access_rights_lookup.yml +++ b/lookups/ace_access_rights_lookup.yml @@ -1,3 +1,8 @@ +name: ace_access_rights_lookup +date: 2024-12-23 +version: 2 +id: 26cf3fc4-cee2-431a-9583-c4a404a25275 +author: Splunk Threat Research Team +lookup_type: csv description: A lookup file that will contain translations for AD object ace access rights strings -filename: ace_access_rights_lookup.csv -name: ace_access_rights_lookup \ No newline at end of file + diff --git a/lookups/ace_flag_lookup.yml b/lookups/ace_flag_lookup.yml index 04c9c22d75..d524193154 100644 --- a/lookups/ace_flag_lookup.yml 
+++ b/lookups/ace_flag_lookup.yml @@ -1,3 +1,7 @@ -description: A lookup file that will contain translations for AD object ace flags strings -filename: ace_flag_lookup.csv -name: ace_flag_lookup \ No newline at end of file +name: ace_flag_lookup +date: 2024-12-23 +version: 2 +id: 1795f9f3-008a-4b6c-9d7b-9e79b15da9fc +author: Splunk Threat Research Team +lookup_type: csv +description: A lookup file that will contain translations for AD object ace flags strings \ No newline at end of file diff --git a/lookups/ace_type_lookup.yml b/lookups/ace_type_lookup.yml index ce9a833964..8f7ff97f04 100644 --- a/lookups/ace_type_lookup.yml +++ b/lookups/ace_type_lookup.yml @@ -1,3 +1,7 @@ -description: A lookup file that will contain translations for AD object ace type strings -filename: ace_type_lookup.csv -name: ace_type_lookup \ No newline at end of file +name: ace_type_lookup +date: 2024-12-23 +version: 2 +id: 86e4531f-a37e-430c-9d5f-1447af2bc619 +author: Splunk Threat Research Team +lookup_type: csv +description: A lookup file that will contain translations for AD object ace type strings \ No newline at end of file diff --git a/lookups/advanced_audit_policy_guids.yml b/lookups/advanced_audit_policy_guids.yml index 37b6e854af..fab6f56b80 100644 --- a/lookups/advanced_audit_policy_guids.yml +++ b/lookups/advanced_audit_policy_guids.yml @@ -1,7 +1,12 @@ -description: List of GUIDs associated with Windows advanced audit policies -filename: advanced_audit_policy_guids.csv name: advanced_audit_policy_guids -default_match: 'false' -match_type: WILDCARD(GUID) +date: 2024-12-23 +version: 2 +id: e2581a3a-1254-4b93-ae8f-ccde22362f0c +author: Splunk Threat Research Team +lookup_type: csv +description: List of GUIDs associated with Windows advanced audit policies +default_match: false +match_type: +- WILDCARD(GUID) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file 
diff --git a/lookups/api_call_by_user_baseline.yml b/lookups/api_call_by_user_baseline.yml index 13068b3db6..ccf119d7e2 100644 --- a/lookups/api_call_by_user_baseline.yml +++ b/lookups/api_call_by_user_baseline.yml @@ -1,5 +1,15 @@ +name: api_call_by_user_baseline +date: 2024-12-23 +version: 2 +id: 6f4b0d42-5f24-4992-98f9-aebbc7ced9bf +author: Splunk Threat Research Team +lookup_type: kvstore description: A collection that will contain the baseline information for number of AWS API calls per user -collection: api_call_by_user_baseline -name: api_call_by_user_baseline -fields_list: arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls +fields: +- _key +- arn +- latestCount +- numDataPoints +- avgApiCalls +- stdevApiCalls diff --git a/lookups/applockereventcodes.yml b/lookups/applockereventcodes.yml index cf9f1485f9..10b797958e 100644 --- a/lookups/applockereventcodes.yml +++ b/lookups/applockereventcodes.yml @@ -1,7 +1,12 @@ -description: A csv of the ID and rule name for AppLocker event codes. -filename: applockereventcodes.csv name: applockereventcodes -default_match: 'false' -match_type: WILDCARD(AppLocker_Event_Code) +date: 2024-12-23 +version: 2 +id: 2fd8cc84-f4c8-4ab6-bd57-596f714a315f +author: Splunk Threat Research Team +lookup_type: csv +description: A csv of the ID and rule name for AppLocker event codes. +default_match: false +match_type: +- WILDCARD(AppLocker_Event_Code) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/asr_rules.yml b/lookups/asr_rules.yml index 2ded14cdc1..2fdfb5031d 100644 --- a/lookups/asr_rules.yml +++ b/lookups/asr_rules.yml 
@@ -1,7 +1,12 @@ -description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules. -filename: asr_rules.csv name: asr_rules -default_match: 'false' -match_type: WILDCARD(ASR_Rule) +date: 2024-12-23 +version: 2 +id: 3886d687-ae77-4a61-99eb-e745083e391e +author: Splunk Threat Research Team +lookup_type: csv +description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules. +default_match: false +match_type: +- WILDCARD(ASR_Rule) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/attacker_tools.yml b/lookups/attacker_tools.yml index 0c40ac2992..58f8dcd904 100644 --- a/lookups/attacker_tools.yml +++ b/lookups/attacker_tools.yml @@ -1,7 +1,12 @@ -description: A list of tools used by attackers -filename: attacker_tools.csv name: attacker_tools -default_match: 'false' -match_type: WILDCARD(attacker_tool_names) +date: 2024-12-23 +version: 2 +id: 72620fe1-26cb-4cee-a6ee-8c6127056d81 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of tools used by attackers +default_match: false +match_type: +- WILDCARD(attacker_tool_names) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/aws_service_accounts.yml b/lookups/aws_service_accounts.yml index e6c6131962..708577bf03 100644 --- a/lookups/aws_service_accounts.yml +++ b/lookups/aws_service_accounts.yml @@ -1,3 +1,7 @@ -description: A lookup file that will contain AWS Service accounts -filename: aws_service_accounts.csv name: aws_service_accounts +date: 2024-12-23 +version: 2 +id: 33868b47-48b2-42ad-8acb-0416772ae664 +author: Splunk Threat Research Team +lookup_type: csv +description: A lookup file that will contain AWS Service accounts \ No newline at end of file 
diff --git a/lookups/baseline_blocked_outbound_connections.yml b/lookups/baseline_blocked_outbound_connections.yml index e598b521c1..567954768f 100644 --- a/lookups/baseline_blocked_outbound_connections.yml +++ b/lookups/baseline_blocked_outbound_connections.yml @@ -1,4 +1,9 @@ +name: baseline_blocked_outbound_connections +date: 2024-12-23 +version: 2 +id: 3abebeea-215f-44aa-ba69-3c2e828b7887 +author: Splunk Threat Research Team +lookup_type: csv description: A lookup file that will contain the baseline information for number of blocked outbound connections -filename: baseline_blocked_outbound_connections.csv -name: baseline_blocked_outbound_connections + diff --git a/lookups/brand_monitoring.csv b/lookups/brandmonitoring_lookup.csv similarity index 100% rename from lookups/brand_monitoring.csv rename to lookups/brandmonitoring_lookup.csv diff --git a/lookups/brandmonitoring_lookup.yml b/lookups/brandmonitoring_lookup.yml index d560868ca5..39a7f8e701 100644 --- a/lookups/brandmonitoring_lookup.yml +++ b/lookups/brandmonitoring_lookup.yml @@ -1,7 +1,12 @@ -default_match: 'false' +name: brandMonitoring_lookup +date: 2024-12-23 +version: 2 +id: 6fff763a-d654-42dc-8e56-92c8e255ac55 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A file that contains look-a-like domains for brands that you want to monitor -filename: brand_monitoring.csv -match_type: WILDCARD(domain) -min_matches: 1 -name: brandMonitoring_lookup +match_type: +- WILDCARD(domain) +min_matches: 1 \ No newline at end of file diff --git a/lookups/browser_app_list.yml b/lookups/browser_app_list.yml index 57e67f58c9..5fe50536ba 100644 --- a/lookups/browser_app_list.yml +++ b/lookups/browser_app_list.yml 
@@ -1,7 +1,13 @@ -default_match: 'false' +name: browser_app_list +date: 2024-12-23 +version: 2 +id: a80ccd19-e46f-4a12-9ad7-e653ad646347 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A list of known browser application being targeted for credential extraction. -filename: browser_app_list.csv -match_type: WILDCARD(browser_process_name), WILDCARD(browser_object_path) +match_type: +- WILDCARD(browser_process_name) +- WILDCARD(browser_object_path) min_matches: 1 -name: browser_app_list -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/builtin_groups_lookup.yml b/lookups/builtin_groups_lookup.yml index cc4959d3c4..609e942dfc 100644 --- a/lookups/builtin_groups_lookup.yml +++ b/lookups/builtin_groups_lookup.yml @@ -1,3 +1,8 @@ +name: builtin_groups_lookup +date: 2024-12-23 +version: 2 +id: 7d0a0c1c-2ef0-48a9-87c6-de97a0ad1ccf +author: Splunk Threat Research Team +lookup_type: csv description: A lookup file that will contain translations for builtin AD group strings -filename: builtin_groups_lookup.csv -name: builtin_groups_lookup \ No newline at end of file + diff --git a/lookups/char_conversion_matrix.yml b/lookups/char_conversion_matrix.yml index 75cf0abe3b..c75b0c8542 100644 --- a/lookups/char_conversion_matrix.yml +++ b/lookups/char_conversion_matrix.yml 
@@ -1,7 +1,12 @@ -description: A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding. -filename: char_conversion_matrix.csv name: char_conversion_matrix -default_match: 'false' -match_type: WILDCARD(data) +date: 2024-12-23 +version: 2 +id: 0177cf7b-8cf9-412a-9919-d1919b8d59dc +author: Splunk Threat Research Team +lookup_type: csv +description: A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding. +default_match: false +match_type: +- WILDCARD(data) min_matches: 1 -case_sensitive_match: 'true' \ No newline at end of file +case_sensitive_match: true \ No newline at end of file diff --git a/lookups/cloud_instances_enough_data.yml b/lookups/cloud_instances_enough_data.yml index c4a78b2305..68dd5d4249 100644 --- a/lookups/cloud_instances_enough_data.yml +++ b/lookups/cloud_instances_enough_data.yml @@ -1,6 +1,14 @@ -default_match: 'false' -description: A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches -collection: cloud_instances_enough_data name: cloud_instances_enough_data -fields_list: _key, filter, enough_data -match_type: WILDCARD(filter) +date: 2024-12-23 +version: 2 +id: 2aabac97-9782-4156-9dfd-7c1fb7aab2a6 +author: Splunk Threat Research Team +lookup_type: kvstore +default_match: false +description: A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches +fields: + - _key + - filter + - enough_data +match_type: +- WILDCARD(filter) 
diff --git a/lookups/discovered_dns_records.yml b/lookups/discovered_dns_records.yml index 4cc3636a27..bc014779db 100644 --- a/lookups/discovered_dns_records.yml +++ b/lookups/discovered_dns_records.yml @@ -1,5 +1,9 @@ -default_match: 'false' +name: discovered_dns_records +date: 2024-12-23 +version: 2 +id: ebf80033-0cc1-4256-a1cb-730ccbda36af +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records -filename: discovered_dns_records.csv min_matches: 1 -name: discovered_dns_records diff --git a/lookups/domain_admins.yml b/lookups/domain_admins.yml index 8d7f834d7e..da13fdcd14 100644 --- a/lookups/domain_admins.yml +++ b/lookups/domain_admins.yml @@ -1,4 +1,8 @@ -description: List of domain admins -filename: domain_admins.csv name: domain_admins -case_sensitive_match: 'false' \ No newline at end of file +date: 2024-12-23 +version: 2 +id: f4b5fe34-a474-4894-bdb9-7e3af6da1d94 +author: Splunk Threat Research Team +lookup_type: csv +description: List of domain admins +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/domains.yml b/lookups/domains.yml index 500430e372..84204c3a61 100644 --- a/lookups/domains.yml +++ b/lookups/domains.yml @@ -1,3 +1,7 @@ -description: A list of domains that can be ignored -filename: domains.csv name: domains +date: 2024-12-23 +version: 2 +id: b34f12f1-952d-4fe1-a5d9-18b81ca32244 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of domains that can be ignored diff --git a/lookups/dynamic_dns_providers_default.yml b/lookups/dynamic_dns_providers_default.yml index 3103733867..dbc342aed2 100644 --- a/lookups/dynamic_dns_providers_default.yml +++ b/lookups/dynamic_dns_providers_default.yml 
@@ -1,5 +1,11 @@ -case_sensitive_match: 'false' -description: A list of dynammic dns providers that should not be modified -filename: dynamic_dns_providers_default.csv -match_type: WILDCARD(dynamic_dns_domains) name: dynamic_dns_providers_default +date: 2024-12-23 +version: 2 +id: 37046407-ef07-48a5-b63d-384fd15b8c4b +author: Splunk Threat Research Team +lookup_type: csv +case_sensitive_match: false +description: A list of dynammic dns providers that should not be modified +match_type: +- WILDCARD(dynamic_dns_domains) + diff --git a/lookups/dynamic_dns_providers_local.yml b/lookups/dynamic_dns_providers_local.yml index 161155c352..8d1a49f924 100644 --- a/lookups/dynamic_dns_providers_local.yml +++ b/lookups/dynamic_dns_providers_local.yml @@ -1,5 +1,11 @@ -case_sensitive_match: 'false' -description: A list of dynammic dns providers that can be modified -filename: dynamic_dns_providers_local.csv -match_type: WILDCARD(dynamic_dns_domains) name: dynamic_dns_providers_local +date: 2024-12-23 +version: 2 +id: b3313546-95ec-4e0e-91ab-b87009c600a4 +author: Splunk Threat Research Team +lookup_type: csv +case_sensitive_match: false +description: A list of dynammic dns providers that can be modified +match_type: +- WILDCARD(dynamic_dns_domains) + diff --git a/lookups/hijacklibs.yml b/lookups/hijacklibs.yml index c1223d0343..39678bdb26 100644 --- a/lookups/hijacklibs.yml +++ b/lookups/hijacklibs.yml @@ -1,7 +1,12 @@ -description: A list of potentially abused libraries in Windows -filename: hijacklibs.csv name: hijacklibs -default_match: 'false' -match_type: WILDCARD(library) +date: 2024-12-23 +version: 2 +id: 00990d97-e923-4ae7-9fa0-b5033a8b0164 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of potentially abused libraries in Windows +default_match: false +match_type: +- WILDCARD(library) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file 
diff --git a/lookups/hijacklibs_loaded.yml b/lookups/hijacklibs_loaded.yml index 5f03f2a174..444a0c3d04 100644 --- a/lookups/hijacklibs_loaded.yml +++ b/lookups/hijacklibs_loaded.yml @@ -1,7 +1,13 @@ -description: A list of potentially abused libraries in Windows -filename: hijacklibs_loaded.csv name: hijacklibs_loaded -default_match: 'false' -match_type: WILDCARD(library),WILDCARD(excludes) +date: 2024-12-23 +version: 2 +id: 0a58a703-3a7a-4b27-a82b-f5a61acd3f1a +author: Splunk Threat Research Team +lookup_type: csv +description: A list of potentially abused libraries in Windows +default_match: false +match_type: +- WILDCARD(library) +- WILDCARD(excludes) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/images_to_repository.yml b/lookups/images_to_repository.yml index 2d8699d750..6241158519 100644 --- a/lookups/images_to_repository.yml +++ b/lookups/images_to_repository.yml @@ -1,3 +1,8 @@ -description: Mapping images to repositories -filename: images_to_repository.csv name: images_to_repository +date: 2024-12-23 +version: 2 +id: 68205e30-0097-4138-b01d-f4e4d21a86f6 +author: Splunk Threat Research Team +lookup_type: csv +description: Mapping images to repositories + diff --git a/lookups/is_net_windows_file20231221.csv b/lookups/is_net_windows_file.csv similarity index 100% rename from lookups/is_net_windows_file20231221.csv rename to lookups/is_net_windows_file.csv diff --git a/lookups/is_net_windows_file.yml b/lookups/is_net_windows_file.yml index be9b9a8c7b..4a805b52e6 100644 --- a/lookups/is_net_windows_file.yml +++ b/lookups/is_net_windows_file.yml 
@@ -1,6 +1,10 @@ -default_match: 'false' +name: is_net_windows_file +date: 2024-12-23 +version: 2 +id: 891cfb79-06cd-455d-9cf8-b4d4de2bff25 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A full baseline of executable files in \Windows\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline. -filename: is_net_windows_file20231221.csv min_matches: 1 -name: is_net_windows_file -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/is_nirsoft_software20231221.csv b/lookups/is_nirsoft_software.csv similarity index 100% rename from lookups/is_nirsoft_software20231221.csv rename to lookups/is_nirsoft_software.csv diff --git a/lookups/is_nirsoft_software.yml b/lookups/is_nirsoft_software.yml index d644eb536a..64210f6035 100644 --- a/lookups/is_nirsoft_software.yml +++ b/lookups/is_nirsoft_software.yml @@ -1,6 +1,10 @@ -default_match: 'false' +name: is_nirsoft_software +date: 2024-12-23 +version: 2 +id: 28966a08-55e4-4ccb-a20d-dc4cc154b09c +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A subset of utilities provided by NirSoft that may be used by adversaries. -filename: is_nirsoft_software20231221.csv min_matches: 1 -name: is_nirsoft_software -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/is_suspicious_file_extension_lookup.yml b/lookups/is_suspicious_file_extension_lookup.yml index 867142f191..3b8372232c 100644 --- a/lookups/is_suspicious_file_extension_lookup.yml +++ b/lookups/is_suspicious_file_extension_lookup.yml 
@@ -1,4 +1,9 @@ -description: A list of suspicious extensions for email attachments -filename: is_suspicious_file_extension_lookup.csv -match_type: WILDCARD(file_name) name: is_suspicious_file_extension_lookup +date: 2024-12-23 +version: 2 +id: 183b3599-4fbd-4b76-bff0-9d689ed05e17 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of suspicious extensions for email attachments +match_type: +- WILDCARD(file_name) \ No newline at end of file diff --git a/lookups/is_windows_system_file20231221.csv b/lookups/is_windows_system_file.csv similarity index 100% rename from lookups/is_windows_system_file20231221.csv rename to lookups/is_windows_system_file.csv diff --git a/lookups/is_windows_system_file.yml b/lookups/is_windows_system_file.yml index daf0f118d7..59b4d90c5d 100644 --- a/lookups/is_windows_system_file.yml +++ b/lookups/is_windows_system_file.yml @@ -1,6 +1,10 @@ -default_match: 'false' +name: is_windows_system_file +date: 2024-12-23 +version: 2 +id: ce238622-4d8f-41a4-a747-5d0adab9c854 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10. -filename: is_windows_system_file20231221.csv min_matches: 1 -name: is_windows_system_file -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/k8s_container_network_io_baseline.yml b/lookups/k8s_container_network_io_baseline.yml index 83983b1dce..7bc2ba584a 100644 --- a/lookups/k8s_container_network_io_baseline.yml +++ b/lookups/k8s_container_network_io_baseline.yml 
@@ -1,4 +1,15 @@ -description: A place holder for a list of used Kuberntes Container Network IO -collection: k8s_container_network_io_baseline name: k8s_container_network_io_baseline -fields_list: key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen \ No newline at end of file +date: 2024-12-23 +version: 2 +id: ce26ec18-c6da-4110-ac3f-8bd239d045b3 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used Kuberntes Container Network IO +fields: +- _key +- avg_outbound_network_io +- avg_inbound_network_io +- stdev_outbound_network_io +- stdev_inbound_network_io +- count +- last_seen \ No newline at end of file diff --git a/lookups/k8s_container_network_io_ratio_baseline.yml b/lookups/k8s_container_network_io_ratio_baseline.yml index 0f79794504..f91205f3ee 100644 --- a/lookups/k8s_container_network_io_ratio_baseline.yml +++ b/lookups/k8s_container_network_io_ratio_baseline.yml @@ -1,4 +1,15 @@ -description: A place holder for a list of used Kuberntes Container Network IO Ratio -collection: k8s_container_network_io_ratio_baseline name: k8s_container_network_io_ratio_baseline -fields_list: key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen \ No newline at end of file +date: 2024-12-23 +version: 2 +id: fdb4f703-0378-4803-9300-92f562e1b840 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used Kuberntes Container Network IO Ratio +fields: +- _key +- avg_outbound_network_io +- avg_inbound_network_io +- stdev_outbound_network_io +- stdev_inbound_network_io +- count +- last_seen \ No newline at end of file diff --git a/lookups/k8s_process_resource_baseline.yml b/lookups/k8s_process_resource_baseline.yml index 4eaead0dcd..cfdd54c803 100644 --- a/lookups/k8s_process_resource_baseline.yml +++ b/lookups/k8s_process_resource_baseline.yml 
@@ -1,4 +1,29 @@ -description: A place holder for a list of used Kuberntes Process Resource -collection: k8s_process_resource_baseline name: k8s_process_resource_baseline -fields_list: host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 6deb2883-faf8-4f78-bf88-ad67ccc8dfc0 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used Kuberntes Process Resource +fields: +- _key +- host.name +- k8s.cluster.name +- k8s.node.name +- process.executable.name +- avg_process.cpu.time +- avg_process.cpu.utilization +- avg_process.disk.io +- avg_process.disk.operations +- avg_process.memory.usage +- avg_process.memory.utilization +- avg_process.memory.virtual +- avg_process.threads +- stdev_process.cpu.time +- stdev_process.cpu.utilization +- stdev_process.disk.io +- stdev_process.disk.operations +- stdev_process.memory.usage +- stdev_process.memory.utilization +- stdev_process.memory.virtual +- stdev_process.threads \ No newline at end of file diff --git a/lookups/k8s_process_resource_ratio_baseline.yml b/lookups/k8s_process_resource_ratio_baseline.yml index cfa4445e28..ed1260ff66 100644 --- a/lookups/k8s_process_resource_ratio_baseline.yml +++ b/lookups/k8s_process_resource_ratio_baseline.yml 
@@ -1,4 +1,21 @@ -description: A place holder for a list of used Kuberntes Process Ratios -collection: k8s_process_resource_ratio_baseline name: k8s_process_resource_ratio_baseline -fields_list: key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 7bfd9071-fb1f-4673-ab84-6396a0d3d412 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used Kuberntes Process Ratios +fields: +- _key +- avg_cpu:mem +- stdev_cpu:mem +- avg_cpu:disk +- stdev_cpu:disk +- avg_mem:disk +- stdev_mem:disk +- avg_cpu:threads +- stdev_cpu:threads +- avg_disk:threads +- avg_disk:threads +- count +- last_seen \ No newline at end of file diff --git a/lookups/legit_domains.yml b/lookups/legit_domains.yml index bc42c9620e..72ded19154 100644 --- a/lookups/legit_domains.yml +++ b/lookups/legit_domains.yml @@ -1,3 +1,7 @@ -description: A list of legit domains to be used as an ignore list for possible phishing sites -filename: legit_domains.csv name: legit_domains +date: 2024-12-23 +version: 2 +id: 06602f3e-0dcc-47ef-aabc-85a4ad782442 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of legit domains to be used as an ignore list for possible phishing sites \ No newline at end of file diff --git a/lookups/linux_tool_discovery_process.yml b/lookups/linux_tool_discovery_process.yml index 645544a521..3ca56a079f 100644 --- a/lookups/linux_tool_discovery_process.yml +++ b/lookups/linux_tool_discovery_process.yml 
@@ -1,7 +1,12 @@ -description: A list of suspicious bash commonly used by attackers via scripts -filename: linux_tool_discovery_process.csv name: linux_tool_discovery_process -default_match: 'false' -match_type: WILDCARD(process) +date: 2024-12-23 +version: 2 +id: f0d8b1c8-4ca0-4765-858a-ab0dea68c399 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of suspicious bash commonly used by attackers via scripts +default_match: false +match_type: +- WILDCARD(process) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/local_file_inclusion_paths.yml b/lookups/local_file_inclusion_paths.yml index e08394bf85..15638c2135 100644 --- a/lookups/local_file_inclusion_paths.yml +++ b/lookups/local_file_inclusion_paths.yml @@ -1,7 +1,12 @@ -description: A list of interesting files in a local file inclusion attack -filename: local_file_inclusion_paths.csv name: local_file_inclusion_paths -default_match: 'false' -match_type: WILDCARD(local_file_inclusion_paths) +date: 2024-12-23 +version: 2 +id: 10efe0a8-ec54-4f86-8d11-677a7ac65d64 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of interesting files in a local file inclusion attack +default_match: false +match_type: +- WILDCARD(local_file_inclusion_paths) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/lolbas_file_path20240725.csv b/lookups/lolbas_file_path.csv similarity index 100% rename from lookups/lolbas_file_path20240725.csv rename to lookups/lolbas_file_path.csv diff --git a/lookups/lolbas_file_path.yml b/lookups/lolbas_file_path.yml index 4d135b8f48..73ecc09722 100644 --- a/lookups/lolbas_file_path.yml +++ b/lookups/lolbas_file_path.yml 
@@ -1,8 +1,14 @@ -description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project. -filename: lolbas_file_path20240725.csv name: lolbas_file_path -default_match: 'false' -match_type: WILDCARD(lolbas_file_name),WILDCARD(lolbas_file_path) +date: 2024-12-23 +version: 2 +id: b88d9c91-33c6-408a-8ef0-00806932f8c5 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project. +default_match: false +match_type: +- WILDCARD(lolbas_file_name) +- WILDCARD(lolbas_file_path) min_matches: 1 max_matches: 1 -case_sensitive_match: 'false' +case_sensitive_match: false diff --git a/lookups/loldrivers.yml b/lookups/loldrivers.yml index 08df9fba29..412e1a069a 100644 --- a/lookups/loldrivers.yml +++ b/lookups/loldrivers.yml @@ -1,7 +1,12 @@ -description: A list of known vulnerable drivers -filename: loldrivers.csv name: loldrivers -default_match: 'false' -match_type: WILDCARD(driver_name) +date: 2024-12-23 +version: 2 +id: a4c71880-bb4a-4e2c-9b44-be70cf181fb3 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of known vulnerable drivers +default_match: false +match_type: +- WILDCARD(driver_name) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/rare_process_allow_list_default.csv b/lookups/lookup_rare_process_allow_list_default.csv similarity index 100% rename from lookups/rare_process_allow_list_default.csv rename to lookups/lookup_rare_process_allow_list_default.csv diff --git a/lookups/lookup_rare_process_allow_list_default.yml b/lookups/lookup_rare_process_allow_list_default.yml index 82734f48dc..1474969aa6 100644 --- a/lookups/lookup_rare_process_allow_list_default.yml +++ b/lookups/lookup_rare_process_allow_list_default.yml 
@@ -1,7 +1,12 @@ -case_sensitive_match: 'false' -default_match: 'false' -description: A list of rare processes that are legitimate that is provided by Splunk -filename: rare_process_allow_list_default.csv -match_type: WILDCARD(process) -min_matches: 1 name: lookup_rare_process_allow_list_default +date: 2024-12-23 +version: 2 +id: fc0c452e-47b1-4931-ba41-de5b7c6ed92b +author: Splunk Threat Research Team +lookup_type: csv +case_sensitive_match: false +default_match: false +description: A list of rare processes that are legitimate that is provided by Splunk +match_type: +- WILDCARD(process) +min_matches: 1 \ No newline at end of file diff --git a/lookups/rare_process_allow_list_local.csv b/lookups/lookup_rare_process_allow_list_local.csv similarity index 100% rename from lookups/rare_process_allow_list_local.csv rename to lookups/lookup_rare_process_allow_list_local.csv diff --git a/lookups/lookup_rare_process_allow_list_local.yml b/lookups/lookup_rare_process_allow_list_local.yml index 7cf00d98a7..16b9681815 100644 --- a/lookups/lookup_rare_process_allow_list_local.yml +++ b/lookups/lookup_rare_process_allow_list_local.yml @@ -1,7 +1,13 @@ -case_sensitive_match: 'false' -default_match: 'false' +name: lookup_rare_process_allow_list_local +date: 2024-12-23 +version: 2 +id: 7aec9c17-69b8-4a0b-8f8d-d3ea9b0e2adb +author: Splunk Threat Research Team +lookup_type: csv +case_sensitive_match: false +default_match: false description: A list of rare processes that are legitimate provided by the end user -filename: rare_process_allow_list_local.csv -match_type: WILDCARD(process) +match_type: +- WILDCARD(process) min_matches: 1 -name: lookup_rare_process_allow_list_local + diff --git a/lookups/uncommon_processes_default.csv b/lookups/lookup_uncommon_processes_default.csv similarity index 100% rename from lookups/uncommon_processes_default.csv rename to lookups/lookup_uncommon_processes_default.csv 
diff --git a/lookups/lookup_uncommon_processes_default.yml b/lookups/lookup_uncommon_processes_default.yml index ad096dea49..9e029fface 100644 --- a/lookups/lookup_uncommon_processes_default.yml +++ b/lookups/lookup_uncommon_processes_default.yml @@ -1,5 +1,11 @@ -case_sensitive_match: 'false' -description: A list of processes that are not common -filename: uncommon_processes_default.csv -match_type: WILDCARD(process) name: lookup_uncommon_processes_default +date: 2024-12-23 +version: 2 +id: 486eba44-2238-4246-98ca-1ff9b6e1c023 +author: Splunk Threat Research Team +lookup_type: csv +case_sensitive_match: false +description: A list of processes that are not common +match_type: +- WILDCARD(process) + diff --git a/lookups/uncommon_processes_local.csv b/lookups/lookup_uncommon_processes_local.csv similarity index 100% rename from lookups/uncommon_processes_local.csv rename to lookups/lookup_uncommon_processes_local.csv diff --git a/lookups/lookup_uncommon_processes_local.yml b/lookups/lookup_uncommon_processes_local.yml index 1c91ec0afb..0b5cb44d6b 100644 --- a/lookups/lookup_uncommon_processes_local.yml +++ b/lookups/lookup_uncommon_processes_local.yml @@ -1,5 +1,11 @@ -case_sensitive_match: 'false' -description: A list of processes that are not common -filename: uncommon_processes_local.csv -match_type: WILDCARD(process) name: lookup_uncommon_processes_local +date: 2024-12-23 +version: 2 +id: 3ece1ae5-4389-485e-b2b9-4cafdb6924dc +author: Splunk Threat Research Team +lookup_type: csv +case_sensitive_match: false +description: A list of processes that are not common +match_type: +- WILDCARD(process) + diff --git a/lookups/mandatory_job_for_workflow.yml b/lookups/mandatory_job_for_workflow.yml index 0e98d674dd..ba5fead0c0 100644 --- a/lookups/mandatory_job_for_workflow.yml +++ b/lookups/mandatory_job_for_workflow.yml 
@@ -1,3 +1,7 @@ -description: A lookup file that will be used to define the mandatory job for workflow -filename: mandatory_job_for_workflow.csv name: mandatory_job_for_workflow +date: 2024-12-23 +version: 2 +id: 76d805e3-b538-43c7-bd8b-f5fd62af596a +author: Splunk Threat Research Team +lookup_type: csv +description: A lookup file that will be used to define the mandatory job for workflow \ No newline at end of file diff --git a/lookups/mandatory_step_for_job.yml b/lookups/mandatory_step_for_job.yml index 5ea729ffab..68e5de0f17 100644 --- a/lookups/mandatory_step_for_job.yml +++ b/lookups/mandatory_step_for_job.yml @@ -1,3 +1,7 @@ -description: A lookup file that will be used to define the mandatory step for job -filename: mandatory_step_for_job.csv name: mandatory_step_for_job +date: 2024-12-23 +version: 2 +id: ac92a35c-26c4-4f6c-a005-d152b5b343b2 +author: Splunk Threat Research Team +lookup_type: csv +description: A lookup file that will be used to define the mandatory step for job diff --git a/lookups/msad_guid_lookup.yml b/lookups/msad_guid_lookup.yml index b036f88e84..10a8134341 100644 --- a/lookups/msad_guid_lookup.yml +++ b/lookups/msad_guid_lookup.yml @@ -1,3 +1,8 @@ +name: msad_guid_lookup +date: 2024-12-23 +version: 2 +id: d8812c9c-9a4c-4b4b-9995-31db35c0b8cf +author: Splunk Threat Research Team +lookup_type: csv description: A lookup file that will contain translations for AD object ace control access rights guids -filename: msad_guid_lookup.csv -name: msad_guid_lookup \ No newline at end of file + diff --git a/lookups/network_acl_activity_baseline.yml b/lookups/network_acl_activity_baseline.yml index 1fb0851e68..0c37d19d1c 100644 --- a/lookups/network_acl_activity_baseline.yml +++ b/lookups/network_acl_activity_baseline.yml 
@@ -1,4 +1,8 @@ +name: network_acl_activity_baseline +date: 2024-12-23 +version: 2 +id: 779e0050-a97a-49d2-8aa0-3640d4829b30 +author: Splunk Threat Research Team description: A lookup file that will contain the baseline information for number of AWS Network ACL Activity -filename: network_acl_activity_baseline.csv -name: network_acl_activity_baseline +lookup_type: csv \ No newline at end of file diff --git a/lookups/previously_seen_api_calls_from_user_roles.yml b/lookups/previously_seen_api_calls_from_user_roles.yml index 93525ddd14..6b1ea7ed0c 100644 --- a/lookups/previously_seen_api_calls_from_user_roles.yml +++ b/lookups/previously_seen_api_calls_from_user_roles.yml @@ -1,4 +1,13 @@ -description: A placeholder for a list of IPs that have access S3 -collection: previously_seen_api_calls_from_user_roles name: previously_seen_api_calls_from_user_roles -fields_list: _key,earliest,latest,userName,eventName +date: 2024-12-23 +version: 2 +id: 80620693-2a0f-4c17-8579-2f9a6a2bfa15 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A placeholder for a list of IPs that have access S3 +fields: +- _key +- earliest +- latest +- userName +- eventName diff --git a/lookups/previously_seen_aws_cross_account_activity.yml b/lookups/previously_seen_aws_cross_account_activity.yml index 04f34c480c..63f2d39e13 100644 --- a/lookups/previously_seen_aws_cross_account_activity.yml +++ b/lookups/previously_seen_aws_cross_account_activity.yml 
@@ -1,4 +1,13 @@ -description: A placeholder for a list of AWS accounts and assumed roles -collection: previously_seen_aws_cross_account_activity name: previously_seen_aws_cross_account_activity -fields_list: _key,firstTime,lastTime,requestingAccountId,requestedAccountId \ No newline at end of file +date: 2024-12-23 +version: 2 +id: fffe4494-7356-4448-a8c0-fd266d51f318 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A placeholder for a list of AWS accounts and assumed roles +fields: +- _key +- firstTime +- lastTime +- requestingAccountId +- requestedAccountId \ No newline at end of file diff --git a/lookups/previously_seen_aws_regions.yml b/lookups/previously_seen_aws_regions.yml index 52ade4494c..6a7119efdb 100644 --- a/lookups/previously_seen_aws_regions.yml +++ b/lookups/previously_seen_aws_regions.yml @@ -1,4 +1,12 @@ -description: A place holder for a list of used AWS regions -collection: previously_seen_aws_regions name: previously_seen_aws_regions -fields_list: _key,earliest,latest,awsRegion \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 804c385e-5942-4e0c-87eb-69890483fe73 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used AWS regions +fields: +- _key +- earliest +- latest +- awsRegion \ No newline at end of file diff --git a/lookups/previously_seen_cloud_api_calls_per_user_role.yml b/lookups/previously_seen_cloud_api_calls_per_user_role.yml index 69194ec372..8f5a9effeb 100644 --- a/lookups/previously_seen_cloud_api_calls_per_user_role.yml +++ b/lookups/previously_seen_cloud_api_calls_per_user_role.yml 
@@ -1,4 +1,14 @@ -description: A table of users, commands, and the first and last time that they have been seen -collection: previously_seen_cloud_api_calls_per_user_role name: previously_seen_cloud_api_calls_per_user_role -fields_list: _key, user, command, firstTimeSeen, lastTimeSeen, enough_data +date: 2024-12-23 +version: 2 +id: 3684fed6-6f6a-4830-a3b3-453898fc2a46 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A table of users, commands, and the first and last time that they have been seen +fields: +- _key +- user +- command +- firstTimeSeen +- lastTimeSeen +- enough_data diff --git a/lookups/previously_seen_cloud_compute_creations_by_user.yml b/lookups/previously_seen_cloud_compute_creations_by_user.yml index 1e862ec71e..8ef8dc572a 100644 --- a/lookups/previously_seen_cloud_compute_creations_by_user.yml +++ b/lookups/previously_seen_cloud_compute_creations_by_user.yml @@ -1,4 +1,13 @@ -description: A table of previously seen users creating cloud instances -collection: previously_seen_cloud_compute_creations_by_user name: previously_seen_cloud_compute_creations_by_user -fields_list: _key, firstTimeSeen, lastTimeSeen, user, enough_data +date: 2024-12-23 +version: 2 +id: cfd1a79b-0b98-42b9-bc0d-2464f74321e5 +author: Splunk Threat Research Team +description: A table of previously seen users creating cloud instances +lookup_type: kvstore +fields: +- _key +- firstTimeSeen +- lastTimeSeen +- user +- enough_data diff --git a/lookups/previously_seen_cloud_compute_images.yml b/lookups/previously_seen_cloud_compute_images.yml index a0d0628d02..7998dcc1de 100644 --- a/lookups/previously_seen_cloud_compute_images.yml +++ b/lookups/previously_seen_cloud_compute_images.yml 
@@ -1,4 +1,13 @@ -description: A table of previously seen Cloud image IDs -collection: previously_seen_cloud_compute_images name: previously_seen_cloud_compute_images -fields_list: _key, firstTimeSeen, lastTimeSeen, image_id, enough_data +date: 2024-12-23 +version: 2 +id: ef8c1c7d-19eb-41d6-b6a1-9fc5ce5fc477 +author: Splunk Threat Research Team +description: A table of previously seen Cloud image IDs +lookup_type: kvstore +fields: +- _key +- firstTimeSeen +- lastTimeSeen +- image_id +- enough_data diff --git a/lookups/previously_seen_cloud_compute_instance_types.yml b/lookups/previously_seen_cloud_compute_instance_types.yml index d6529c41ef..29ec46eb4e 100644 --- a/lookups/previously_seen_cloud_compute_instance_types.yml +++ b/lookups/previously_seen_cloud_compute_instance_types.yml @@ -1,4 +1,13 @@ -description: A place holder for a list of used cloud compute instance types -collection: previously_seen_cloud_compute_instance_types name: previously_seen_cloud_compute_instance_types -fields_list: _key, firstTimeSeen, lastTimeSeen, instance_type, enough_data +date: 2024-12-23 +version: 2 +id: ae42b151-d5cd-4010-a414-af307f210726 +author: Splunk Threat Research Team +description: A place holder for a list of used cloud compute instance types +lookup_type: kvstore +fields: +- _key +- firstTimeSeen +- lastTimeSeen +- instance_type +- enough_data diff --git a/lookups/previously_seen_cloud_instance_modifications_by_user.yml b/lookups/previously_seen_cloud_instance_modifications_by_user.yml index 8841fcd51a..b91b5e2d70 100644 --- a/lookups/previously_seen_cloud_instance_modifications_by_user.yml +++ b/lookups/previously_seen_cloud_instance_modifications_by_user.yml 
@@ -1,4 +1,13 @@ -description: A table of users seen making instance modifications, and the first and last time that the activity was observed -collection: previously_seen_cloud_instance_modifications_by_user name: previously_seen_cloud_instance_modifications_by_user -fields_list: _key, firstTimeSeen, lastTimeSeen, user, enough_data +date: 2024-12-23 +version: 2 +id: d44862cb-39af-435e-9a1b-7fd087b0901a +author: Splunk Threat Research Team +description: A table of users seen making instance modifications, and the first and last time that the activity was observed +lookup_type: kvstore +fields: +- _key +- firstTimeSeen +- lastTimeSeen +- user +- enough_data diff --git a/lookups/previously_seen_cloud_provisioning_activity_sources.yml b/lookups/previously_seen_cloud_provisioning_activity_sources.yml index 327ffdd44e..2ade4b40d6 100644 --- a/lookups/previously_seen_cloud_provisioning_activity_sources.yml +++ b/lookups/previously_seen_cloud_provisioning_activity_sources.yml @@ -1,4 +1,16 @@ -description: A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities -collection: previously_seen_cloud_provisioning_activity_sources name: previously_seen_cloud_provisioning_activity_sources -fields_list: _key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data +date: 2024-12-23 +version: 2 +id: be904c28-37df-4d3e-955a-ead70a537327 +author: Splunk Threat Research Team +description: A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities +lookup_type: kvstore +fields: +- _key +- src +- City +- Country +- Region +- firstTimeSeen +- lastTimeSeen +- enough_data diff --git a/lookups/previously_seen_cloud_regions.yml b/lookups/previously_seen_cloud_regions.yml index 02d536714b..a44b94c657 100644 --- a/lookups/previously_seen_cloud_regions.yml +++ b/lookups/previously_seen_cloud_regions.yml 
@@ -1,4 +1,13 @@ -description: A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities -collection: previously_seen_cloud_regions name: previously_seen_cloud_regions -fields_list: _key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data +date: 2024-12-23 +version: 2 +id: 4a030fa6-a2eb-4058-9f65-fde1746d1bec +author: Splunk Threat Research Team +lookup_type: kvstore +description: A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities +fields: +- _key +- firstTimeSeen +- lastTimeSeen +- vendor_region +- enough_data diff --git a/lookups/previously_seen_cmd_line_arguments.yml b/lookups/previously_seen_cmd_line_arguments.yml index 911cbeef07..8c0b479b5e 100644 --- a/lookups/previously_seen_cmd_line_arguments.yml +++ b/lookups/previously_seen_cmd_line_arguments.yml @@ -1,3 +1,7 @@ -description: A placeholder for a list of cmd line arugments that been seen before -filename: previously_seen_cmd_line_arguments.csv name: previously_seen_cmd_line_arguments +date: 2024-12-23 +version: 2 +id: d8be0813-d09e-4fb8-8999-641d2f4b80e1 +author: Splunk Threat Research Team +description: A placeholder for a list of cmd line arugments that been seen before +lookup_type: csv \ No newline at end of file diff --git a/lookups/previously_seen_ec2_amis_lookup.yml b/lookups/previously_seen_ec2_amis_lookup.yml new file mode 100644 index 0000000000..80b2d62fea --- /dev/null +++ b/lookups/previously_seen_ec2_amis_lookup.yml @@ -0,0 +1,12 @@ +name: previously_seen_ec2_amis_lookup +date: 2025-01-16 +version: 2 +id: a0d24031-61b5-44b8-89f9-17f844415b8a +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used Previously Seen EC2 AMIs +fields: +- _key +- firstTime +- lastTime +- amiID \ No newline at end of file 
diff --git a/lookups/previously_seen_ec2_instance_types_lookup.yml b/lookups/previously_seen_ec2_instance_types_lookup.yml new file mode 100644 index 0000000000..b5e686b273 --- /dev/null +++ b/lookups/previously_seen_ec2_instance_types_lookup.yml @@ -0,0 +1,12 @@ +name: previously_seen_ec2_instance_types_lookup +date: 2025-01-16 +version: 2 +id: 37507f63-27c5-488e-ba5b-cf38274997ff +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of used previously seen EC2 instance types. +fields: +- _key +- earliest +- latest +- instanceType diff --git a/lookups/previously_seen_ec2_launches_by_user_lookup.yml b/lookups/previously_seen_ec2_launches_by_user_lookup.yml new file mode 100644 index 0000000000..f5cd93e46a --- /dev/null +++ b/lookups/previously_seen_ec2_launches_by_user_lookup.yml @@ -0,0 +1,12 @@ +name: previously_seen_ec2_launches_by_user_lookup +date: 2025-01-16 +version: 2 +id: a4a6d268-3c88-4996-b634-2edc33344a0a +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of previouslyt seen EC2 launches by user +fields: +- _key +- firstTime +- lastTime +- arn diff --git a/lookups/previously_seen_ec2_modifications_by_user.yml b/lookups/previously_seen_ec2_modifications_by_user.yml index 15c2e51f3b..1a065fc0f0 100644 --- a/lookups/previously_seen_ec2_modifications_by_user.yml +++ b/lookups/previously_seen_ec2_modifications_by_user.yml @@ -1,3 +1,7 @@ -description: A place holder for a list of AWS EC2 modifications done by each user -filename: previously_seen_ec2_modifications_by_user.csv name: previously_seen_ec2_modifications_by_user +date: 2024-12-23 +version: 2 +id: 546fa1b4-02d4-4e53-96be-0825a9b95625 +author: Splunk Threat Research Team +description: A place holder for a list of AWS EC2 modifications done by each user +lookup_type: csv \ No newline at end of file 
diff --git a/lookups/previously_seen_gcp_storage_access_from_remote_ip.yml b/lookups/previously_seen_gcp_storage_access_from_remote_ip.yml index 164c1b92a9..c231ccf1c4 100644 --- a/lookups/previously_seen_gcp_storage_access_from_remote_ip.yml +++ b/lookups/previously_seen_gcp_storage_access_from_remote_ip.yml @@ -1,4 +1,15 @@ -description: A place holder for a list of GCP storage access from remote IPs -collection: previously_seen_gcp_storage_access_from_remote_ip name: previously_seen_gcp_storage_access_from_remote_ip -fields_list: _key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 343f625b-79a2-4ce6-82f2-90abde577371 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A place holder for a list of GCP storage access from remote IPs +fields: +- _key +- firstTime +- lastTime +- bucket_name +- remote_ip +- operation +- request_uri \ No newline at end of file diff --git a/lookups/previously_seen_provisioning_activity_src.yml b/lookups/previously_seen_provisioning_activity_src.yml new file mode 100644 index 0000000000..272ace8d30 --- /dev/null +++ b/lookups/previously_seen_provisioning_activity_src.yml @@ -0,0 +1,15 @@ +name: previously_seen_provisioning_activity_src +date: 2024-12-23 +version: 1 +id: aa2db10e-465d-4828-88d4-545a35707b81 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A placeholder for the list of previously seen AWS provisioning activity +fields: +- _key +- firstTime +- lastTime +- sourceIPAddress +- City +- Region +- Country diff --git a/lookups/previously_seen_running_windows_services.yml b/lookups/previously_seen_running_windows_services.yml index 7924c34894..87e02432ee 100644 --- a/lookups/previously_seen_running_windows_services.yml +++ b/lookups/previously_seen_running_windows_services.yml 
@@ -1,4 +1,12 @@ -description: A placeholder for the list of Windows Services running -collection: previously_seen_running_windows_services name: previously_seen_running_windows_services -fields_list: _key, service, firstTimeSeen, lastTimeSeen +date: 2024-12-23 +version: 2 +id: d997cadc-75ac-48a5-bebc-ccbc94c4023a +author: Splunk Threat Research Team +lookup_type: kvstore +description: A placeholder for the list of Windows Services running +fields: +- _key +- service +- firstTimeSeen +- lastTimeSeen diff --git a/lookups/previously_seen_s3_access_from_remote_ip.yml b/lookups/previously_seen_s3_access_from_remote_ip.yml index 9eaa612562..b13ffce3cf 100644 --- a/lookups/previously_seen_s3_access_from_remote_ip.yml +++ b/lookups/previously_seen_s3_access_from_remote_ip.yml @@ -1,4 +1,13 @@ -description: A placeholder for a list of IPs that have access S3 -collection: previously_seen_S3_access_from_remote_ip name: previously_seen_S3_access_from_remote_ip -fields_list: _key, bucket_name,remote_ip,earliest,latest \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 264e5f12-ba04-47d1-bb88-f355a9b2b0e8 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A placeholder for a list of IPs that have access S3 +fields: +- _key +- bucket_name +- remote_ip +- earliest +- latest \ No newline at end of file diff --git a/lookups/previously_seen_users_console_logins.yml b/lookups/previously_seen_users_console_logins.yml index 8913e9c540..7cbf308139 100644 --- a/lookups/previously_seen_users_console_logins.yml +++ b/lookups/previously_seen_users_console_logins.yml 
@@ -1,4 +1,16 @@ -description: A table of users seen doing console logins, and the first and last time that the activity was observed -collection: previously_seen_users_console_logins name: previously_seen_users_console_logins -fields_list: _key, firstTime, lastTime, user, src, City, Region, Country +date: 2024-12-23 +version: 2 +id: 308257b9-a0c6-4ca5-9602-efcab78f45ff +author: Splunk Threat Research Team +lookup_type: kvstore +description: A table of users seen doing console logins, and the first and last time that the activity was observed +fields: +- _key +- firstTime +- lastTime +- user +- src +- City +- Region +- Country diff --git a/lookups/privileged_azure_ad_roles20240807.csv b/lookups/privileged_azure_ad_roles.csv similarity index 100% rename from lookups/privileged_azure_ad_roles20240807.csv rename to lookups/privileged_azure_ad_roles.csv diff --git a/lookups/privileged_azure_ad_roles.yml b/lookups/privileged_azure_ad_roles.yml index c7d76d7a9e..0e38bee0db 100644 --- a/lookups/privileged_azure_ad_roles.yml +++ b/lookups/privileged_azure_ad_roles.yml @@ -1,7 +1,13 @@ -description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs. -filename: privileged_azure_ad_roles20240807.csv name: privileged_azure_ad_roles -default_match: 'false' -match_type: WILDCARD(azureadrole),WILDCARD(azuretemplateid) +date: 2024-12-23 +version: 2 +id: 4dbf0357-b5fc-4be2-9058-804d6a60b126 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs. +default_match: false +match_type: +- WILDCARD(azureadrole) +- WILDCARD(azuretemplateid) min_matches: 1 -case_sensitive_match: 'false' +case_sensitive_match: false 
diff --git a/lookups/prohibited_apps_launching_cmd20231221.csv b/lookups/prohibited_apps_launching_cmd.csv similarity index 100% rename from lookups/prohibited_apps_launching_cmd20231221.csv rename to lookups/prohibited_apps_launching_cmd.csv diff --git a/lookups/prohibited_apps_launching_cmd.yml b/lookups/prohibited_apps_launching_cmd.yml index 2797c65682..64c86aa606 100644 --- a/lookups/prohibited_apps_launching_cmd.yml +++ b/lookups/prohibited_apps_launching_cmd.yml @@ -1,5 +1,10 @@ -description: A list of processes that should not be launching cmd.exe -fields: prohibited_applications -filename: prohibited_apps_launching_cmd20231221.csv -match_type: WILDCARD(prohibited_applications) name: prohibited_apps_launching_cmd +date: 2024-12-23 +version: 2 +id: e6ac9b38-051b-4e40-afd1-16837ddfe7fc +author: Splunk Threat Research Team +lookup_type: csv +description: A list of processes that should not be launching cmd.exe +match_type: +- WILDCARD(prohibited_applications) + diff --git a/lookups/prohibited_processes.yml b/lookups/prohibited_processes.yml index 45198d9b65..24f8cce5cb 100644 --- a/lookups/prohibited_processes.yml +++ b/lookups/prohibited_processes.yml @@ -1,3 +1,7 @@ -description: A list of processes that have been marked as prohibited -filename: prohibited_processes.csv name: prohibited_processes +date: 2024-12-23 +version: 2 +id: 310910fe-5158-4f87-8e45-9a307b6ffa8c +author: Splunk Threat Research Team +lookup_type: csv +description: A list of processes that have been marked as prohibited \ No newline at end of file diff --git a/lookups/ransomware_extensions_20241212.csv b/lookups/ransomware_extensions_lookup.csv similarity index 100% rename from lookups/ransomware_extensions_20241212.csv rename to lookups/ransomware_extensions_lookup.csv diff --git a/lookups/ransomware_extensions_lookup.yml b/lookups/ransomware_extensions_lookup.yml index 41bb4c2b93..f094df6158 100644 --- a/lookups/ransomware_extensions_lookup.yml 
+++ b/lookups/ransomware_extensions_lookup.yml @@ -1,7 +1,12 @@ -default_match: 'false' +name: ransomware_extensions_lookup +date: 2024-12-23 +version: 2 +id: eaf9e6bb-55fa-4bab-89a5-b0229638c526 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A list of file extensions that are associated with ransomware -filename: ransomware_extensions_20241212.csv -match_type: WILDCARD(Extensions) +match_type: +- WILDCARD(Extensions) min_matches: 1 -name: ransomware_extensions_lookup -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/ransomware_notes_20231219.csv b/lookups/ransomware_notes_lookup.csv similarity index 100% rename from lookups/ransomware_notes_20231219.csv rename to lookups/ransomware_notes_lookup.csv diff --git a/lookups/ransomware_notes_lookup.yml b/lookups/ransomware_notes_lookup.yml index 87caa657e0..e36d441ec7 100644 --- a/lookups/ransomware_notes_lookup.yml +++ b/lookups/ransomware_notes_lookup.yml @@ -1,7 +1,12 @@ -default_match: 'false' +name: ransomware_notes_lookup +date: 2024-12-23 +version: 2 +id: 93d9fb06-035e-496c-91d5-7a79543ce1e1 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A list of file names that are ransomware note files -filename: ransomware_notes_20231219.csv -match_type: WILDCARD(ransomware_notes) +match_type: +- WILDCARD(ransomware_notes) min_matches: 1 -name: ransomware_notes_lookup -case_sensitive_match: 'false' +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/remote_access_software20240726.csv b/lookups/remote_access_software.csv similarity index 100% rename from lookups/remote_access_software20240726.csv rename to lookups/remote_access_software.csv diff --git a/lookups/remote_access_software.yml b/lookups/remote_access_software.yml index e0b7174e23..05366bd0b3 100644 --- a/lookups/remote_access_software.yml 
+++ b/lookups/remote_access_software.yml @@ -1,8 +1,15 @@ -description: A list of Remote Access Software -filename: remote_access_software20240726.csv name: remote_access_software -default_match: 'false' -match_type: WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo) +date: 2024-12-23 +version: 2 +id: f3b92ff9-667c-481f-b29d-458e10d48508 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of Remote Access Software +default_match: false +match_type: +- WILDCARD(remote_utility) +- WILDCARD(remote_domain) +- WILDCARD(remote_utility_fileinfo) min_matches: 1 max_matches: 1 -case_sensitive_match: 'false' +case_sensitive_match: false diff --git a/lookups/remote_access_software_exceptions.yml b/lookups/remote_access_software_exceptions.yml index c59a12a474..ccddf347f6 100644 --- a/lookups/remote_access_software_exceptions.yml +++ b/lookups/remote_access_software_exceptions.yml @@ -1,4 +1,15 @@ -description: A list used to provide global exceptions to remote access monitoring content. -collection: remote_access_software_exceptions name: remote_access_software_exceptions -fields_list: _key, asset, software, exception_date, exception_ttl_days, exception, comment +date: 2024-12-23 +version: 2 +id: 2742e885-0706-494b-8f56-a90a3e8d33b4 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A list used to provide global exceptions to remote access monitoring content. +fields: +- _key +- asset +- software +- exception_date +- exception_ttl_days +- exception +- comment diff --git a/lookups/s3_deletion_baseline.yml b/lookups/s3_deletion_baseline.yml index 14e7532ed4..66eaf95861 100644 --- a/lookups/s3_deletion_baseline.yml +++ b/lookups/s3_deletion_baseline.yml 
@@ -1,4 +1,14 @@ -description: A placeholder for the baseline information for AWS S3 deletions -collection: s3_deletion_baseline name: s3_deletion_baseline -fields_list: _key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 45e5d266-f80b-43f8-b4a7-87e070da4e70 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A placeholder for the baseline information for AWS S3 deletions +fields: +- _key +- arn +- latestCount +- numDataPoints +- avgApiCalls +- stdevApiCalls \ No newline at end of file diff --git a/lookups/security_group_activity_baseline.yml b/lookups/security_group_activity_baseline.yml index 7e27a12aa7..ff14df2712 100644 --- a/lookups/security_group_activity_baseline.yml +++ b/lookups/security_group_activity_baseline.yml @@ -1,4 +1,14 @@ -description: A placeholder for the baseline information for AWS security groups -collection: security_group_activity_baseline name: security_group_activity_baseline -fields_list: _key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls \ No newline at end of file +date: 2024-12-23 +version: 2 +id: 2e110067-48ac-42bd-84a8-a97861edf80d +author: Splunk Threat Research Team +description: A placeholder for the baseline information for AWS security groups +lookup_type: kvstore +fields: +- _key +- arn +- latestCount +- numDataPoints +- avgApiCalls +- stdevApiCalls \ No newline at end of file diff --git a/lookups/security_services.csv b/lookups/security_services.csv deleted file mode 100644 index b8982c6109..0000000000 --- a/lookups/security_services.csv +++ /dev/null @@ -1,5 +0,0 @@ -service,description,category -*mpssvc*,Windows Firewall Service,security -*wscsvc*,Windows Security Center Service,security -*windefend*,Windows Defender Service,security -*sysmon*,Sysmon Driver,security diff --git a/lookups/security_services_lookup.csv b/lookups/security_services_lookup.csv new file mode 100644 index 0000000000..8aa2e35080 --- /dev/null 
+++ b/lookups/security_services_lookup.csv @@ -0,0 +1,10 @@ +service,description,category +*mpssvc*,Windows Firewall Service,security +*wscsvc*,Windows Security Center Service,security +*windefend*,Windows Defender Service,security +*sysmon*,Sysmon Driver,security +*csc_iseagent*,Cisco Secure Client - ISE Posture Agent,security +*csc_nvmagent*,Cisco Secure Client - Network Visibility Agent,security +*csc_umbrellaagent*,Cisco Secure Client - Umbrella Agent,security +*csc_swgagent*,Cisco Secure Client - Umbrella SWG Agent,security +*CiscoAMP*,Cisco Secure Endpoint,security diff --git a/lookups/security_services_lookup.yml b/lookups/security_services_lookup.yml index 77fafd03c1..bf44dcbd22 100644 --- a/lookups/security_services_lookup.yml +++ b/lookups/security_services_lookup.yml @@ -1,6 +1,12 @@ -default_match: 'false' +name: security_services_lookup +date: 2024-12-23 +version: 2 +id: c9038bad-c77b-4caa-9df2-09dc4454ac77 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false description: A list of services that deal with security -filename: security_services.csv -match_type: WILDCARD(service) +match_type: +- WILDCARD(service) min_matches: 1 -name: security_services_lookup + diff --git a/lookups/suspicious_files.csv b/lookups/suspicious_writes_lookup.csv similarity index 100% rename from lookups/suspicious_files.csv rename to lookups/suspicious_writes_lookup.csv diff --git a/lookups/suspicious_writes_lookup.yml b/lookups/suspicious_writes_lookup.yml index 971f007a7f..f8a13e65fe 100644 --- a/lookups/suspicious_writes_lookup.yml +++ b/lookups/suspicious_writes_lookup.yml 
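Review bot: security_services_lookup.yml defines `match_type: - WILDCARD(service)` and `min_matches: 1` but, unlike windows_protocol_handlers.yml in this same change, sets no `case_sensitive_match: false`, and the Splunk default for that setting is true. Windows reports these services in mixed case (the Defender service is "WinDefend", the firewall service "MpsSvc", the Sysmon driver "Sysmon64"), so the lowercase patterns `*windefend*`, `*mpssvc*` and `*sysmon*` in security_services_lookup.csv only match if every detection lowercases the service field before the lookup; the one mixed-case row, `*CiscoAMP*`, suggests the list was written assuming case-insensitive matching. Add `case_sensitive_match: false` to the yml so the lookup behaves the same way regardless of how each search prepares the field. Also, the hunk ends with an added empty `+` line; drop it so the file ends with the `min_matches: 1` line and a single newline.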
@@ -1,6 +1,11 @@ -default_match: 'false' -description: A list of suspicious file names -filename: suspicious_files.csv -match_type: WILDCARD(file) -min_matches: 1 name: suspicious_writes_lookup +date: 2024-12-23 +version: 2 +id: 4a189c42-84d1-49b6-817e-7bc59318f960 +author: Splunk Threat Research Team +lookup_type: csv +default_match: false +description: A list of suspicious file names +match_type: +- WILDCARD(file) +min_matches: 1 \ No newline at end of file diff --git a/lookups/windows_protocol_handlers.yml b/lookups/windows_protocol_handlers.yml index 983403752a..cbefef155a 100644 --- a/lookups/windows_protocol_handlers.yml +++ b/lookups/windows_protocol_handlers.yml @@ -1,7 +1,12 @@ -description: A list of Windows Protocol Handlers -filename: windows_protocol_handlers.csv name: windows_protocol_handlers -default_match: 'false' -match_type: WILDCARD(handler) +date: 2024-12-23 +version: 2 +id: d7a6399f-9f59-4d16-a637-3353e6d4e3d1 +author: Splunk Threat Research Team +lookup_type: csv +description: A list of Windows Protocol Handlers +default_match: false +match_type: +- WILDCARD(handler) min_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: false \ No newline at end of file diff --git a/lookups/zoom_first_time_child_process.yml b/lookups/zoom_first_time_child_process.yml index a55dc842f0..29a5718700 100644 --- a/lookups/zoom_first_time_child_process.yml +++ b/lookups/zoom_first_time_child_process.yml @@ -1,4 +1,13 @@ -description: A list of suspicious file names -collection: zoom_first_time_child_process name: zoom_first_time_child_process -fields_list: _key, dest, process_name, firstTimeSeen, lastTimeSeen +date: 2024-12-23 +version: 2 +id: f5c154e3-b6d8-419c-aff6-863d5e7fd6e5 +author: Splunk Threat Research Team +lookup_type: kvstore +description: A list of suspicious file names +fields: +- _key +- dest +- process_name +- firstTimeSeen +- lastTimeSeen 
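Review bot: the zoom_first_time_child_process.yml hunk carries over `description: A list of suspicious file names`, which is the suspicious_writes_lookup description, not this collection's: its fields are `dest`, `process_name`, `firstTimeSeen` and `lastTimeSeen`, i.e. the first and last time a given child process name was observed on a host. Since the hunk already rewrites the surrounding lines for version 2, correct the description here, for example "First and last time a child process name was observed on each host (dest), used for first-time-seen Zoom child process detection".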
diff --git a/macros/process_cscript.yml b/macros/process_cscript.yml new file mode 100644 index 0000000000..ea60a34a73 --- /dev/null +++ b/macros/process_cscript.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name=cscript.exe OR Processes.original_file_name=cscript.exe) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_cscript diff --git a/macros/process_net.yml b/macros/process_net.yml index ca8bb9efa5..8ca4fcec5c 100644 --- a/macros/process_net.yml +++ b/macros/process_net.yml @@ -1,3 +1,3 @@ -definition: (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") +definition: (Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ name: process_net \ No newline at end of file diff --git a/macros/process_office_products.yml b/macros/process_office_products.yml new file mode 100644 index 0000000000..7462194e06 --- /dev/null +++ b/macros/process_office_products.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe")) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_office_products 
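Review bot: the process_net hunk removes `net.exe` from the macro and leaves only `net1.exe`, which changes the behaviour of every detection that expands `process_net`: a search written as `` `process_net` `` will no longer match the net.exe process event itself, only the net1.exe child, and the `description` line is unchanged so nothing records why. If the intent is to avoid counting the same command twice (net.exe hands most subcommands to net1.exe), say so in the description and make sure the affected detections still see the command line they key on; otherwise restore `Processes.process_name="net.exe" OR Processes.original_file_name="net.exe"`.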
diff --git a/macros/process_office_products_parent.yml b/macros/process_office_products_parent.yml new file mode 100644 index 0000000000..c4cd308613 --- /dev/null +++ b/macros/process_office_products_parent.yml @@ -0,0 +1,3 @@ +definition: (Processes.parent_process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_office_products_parent \ No newline at end of file diff --git a/macros/process_powershell.yml b/macros/process_powershell.yml index e90bfb853e..f5b56bebd7 100644 --- a/macros/process_powershell.yml +++ b/macros/process_powershell.yml @@ -1,3 +1,3 @@ -definition: (Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) +definition: (Processes.process_name=pwsh.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ name: process_powershell \ No newline at end of file diff --git a/macros/process_regedit.yml b/macros/process_regedit.yml new file mode 100644 index 0000000000..c611ec65d8 --- /dev/null +++ b/macros/process_regedit.yml 
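Review bot: the two office macros disagree on their process lists and the parent macro's description does not match its definition. process_office_products lists `wordpad.exe` and `wordview.exe` under `Processes.process_name` but has no counterpart for either in the `Processes.original_file_name` list, and process_office_products_parent omits both from `Processes.parent_process_name`, so a renamed WordPad or Word Viewer binary, or one acting as a parent, is matched in one macro and not the other. Pick one list and use it in both places. process_office_products_parent also reuses the text "Matches the process with its original file name", but its definition only tests `parent_process_name` (the Processes node carries no parent original file name); change the description to say it matches by parent process name.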
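Review bot: the process_powershell hunk drops `sqlps.exe` and `sqltoolsps.exe` from the definition without any note in the description or commit. Those SQL Server PowerShell hosts run PowerShell without powershell.exe or pwsh.exe appearing in the process name, so every detection built on `process_powershell` loses that coverage. If they were removed because they are too noisy for the generic macro, put them in their own macro and reference it from the detections that need them; otherwise keep them in the `OR` chain.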
@@ -0,0 +1,3 @@ +definition: (Processes.process_name=regedit.exe OR Processes.original_file_name=REGEDIT.exe) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_regedit diff --git a/macros/process_sc.yml b/macros/process_sc.yml new file mode 100644 index 0000000000..c98f5c4685 --- /dev/null +++ b/macros/process_sc.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name="sc.exe" OR Processes.original_file_name="sc.exe") +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_sc \ No newline at end of file diff --git a/macros/process_wscript.yml b/macros/process_wscript.yml new file mode 100644 index 0000000000..2ec5d68963 --- /dev/null +++ b/macros/process_wscript.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name=wscript.exe OR Processes.original_file_name=wscript.exe) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_wscript diff --git a/macros/system_network_configuration_discovery_tools.yml b/macros/system_network_configuration_discovery_tools.yml index 3f869e3af2..245c383f2d 100644 --- a/macros/system_network_configuration_discovery_tools.yml +++ b/macros/system_network_configuration_discovery_tools.yml 
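Review bot: the three new single-binary macros in this hunk (process_regedit, process_sc, process_wscript) plus process_cscript above use two different value styles, unquoted `process_name=wscript.exe` versus quoted `process_name="sc.exe"`, and process_sc is missing its trailing newline. Both styles work in SPL, but the repository's other macros quote the value, so quote all four for consistency and add the newline.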
@@ -1,12 +1,3 @@ -definition: (process_name= "arp.exe" OR process_name= "at.exe" OR process_name= "attrib.exe" - OR process_name= "cscript.exe" OR process_name= "dsquery.exe" OR process_name= "hostname.exe" - OR process_name= "ipconfig.exe" OR process_name= "mimikatz.exe" OR process_name= - "nbstat.exe" OR process_name= "net.exe" OR process_name= "netsh.exe" OR process_name= - "nslookup.exe" OR process_name= "ping.exe" OR process_name= "quser.exe" OR process_name= - "qwinsta.exe" OR process_name= "reg.exe" OR process_name= "runas.exe" OR process_name= - "sc.exe" OR process_name= "schtasks.exe" OR process_name= "ssh.exe" OR process_name= - "systeminfo.exe" OR process_name= "taskkill.exe" OR process_name= "telnet.exe" OR - process_name= "tracert.exe" OR process_name="wscript.exe" OR process_name= "xcopy.exe") -description: This macro is a list of process that can be used to discover the network - configuration +definition: (process_name="arp.exe" OR process_name="dsquery.exe" OR process_name="hostname.exe" OR process_name="ipconfig.exe" OR process_name="nbstat.exe" OR process_name="net.exe" OR process_name="netsh.exe" OR process_name="nslookup.exe" OR process_name= "ping.exe" OR process_name= "quser.exe" OR process_name="qwinsta.exe" OR process_name= "telnet.exe" OR process_name= "tracert.exe") +description: This macro is a list of processes that can be used to discover the network configuration name: system_network_configuration_discovery_tools diff --git a/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.png b/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.png new file mode 100644 index 0000000000..60ac032a60 Binary files /dev/null and b/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.png differ diff --git a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.json b/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.json new file mode 100644 index 0000000000..24bb6ab01d --- /dev/null 
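Review bot: `process_name="nbstat.exe"` in the rewritten definition is a typo for `nbtstat.exe` (the Windows NetBIOS statistics tool); it was already wrong in the removed lines, but since this hunk rewrites the whole definition it should be fixed now, as the entry can never match. The narrowing itself is a good change for a macro named system_network_configuration_discovery_tools, but `mimikatz.exe`, `schtasks.exe`, `systeminfo.exe`, `reg.exe`, `sc.exe` and the other removed names were presumably feeding some detection; please confirm those searches were updated to use a more specific macro rather than silently losing coverage. Minor: `process_name= "ping.exe"`, `process_name= "quser.exe"`, `process_name= "telnet.exe"` and `process_name= "tracert.exe"` keep the stray space after `=` that the other entries dropped.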
+++ b/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.json 
@@ -0,0 +1,752 @@ +{ + "blockly": false, + "blockly_xml": "", + "category": "Identifier Reputation Analysis", + "coa": { + "data": { + "description": "Accepts a URL, IP or Domain and does reputation analysis on the objects. Generates a threat level, threat categories and AUP categories that are formatted and added to a container as a note.", + "edges": [ + { + "id": "port_0_to_port_2", + "sourceNode": "0", + "sourcePort": "0_out", + "targetNode": "2", + "targetPort": "2_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_2_to_port_3", + "sourceNode": "2", + "sourcePort": "2_out", + "targetNode": "3", + "targetPort": "3_in" + }, + { + "conditions": [ + { + "index": 1 + } + ], + "id": "port_2_to_port_4", + "sourceNode": "2", + "sourcePort": "2_out", + "targetNode": "4", + "targetPort": "4_in" + }, + { + "conditions": [ + { + "index": 2 + } + ], + "id": "port_2_to_port_5", + "sourceNode": "2", + "sourcePort": "2_out", + "targetNode": "5", + "targetPort": "5_in" + }, + { + "id": "port_3_to_port_6", + "sourceNode": "3", + "sourcePort": "3_out", + "targetNode": "6", + "targetPort": "6_in" + }, + { + "id": "port_4_to_port_10", + "sourceNode": "4", + "sourcePort": "4_out", + "targetNode": "10", + "targetPort": "10_in" + }, + { + "id": "port_5_to_port_13", + "sourceNode": "5", + "sourcePort": "5_out", + "targetNode": "13", + "targetPort": "13_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_6_to_port_17", + "sourceNode": "6", + "sourcePort": "6_out", + "targetNode": "17", + "targetPort": "17_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_10_to_port_16", + "sourceNode": "10", + "sourcePort": "10_out", + "targetNode": "16", + "targetPort": "16_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_13_to_port_18", + "sourceNode": "13", + "sourcePort": "13_out", + "targetNode": "18", + "targetPort": "18_in" + }, + { + "id": "port_17_to_port_26", + "sourceNode": "17", + "sourcePort": "17_out", + 
"targetNode": "26", + "targetPort": "26_in" + }, + { + "id": "port_26_to_port_1", + "sourceNode": "26", + "sourcePort": "26_out", + "targetNode": "1", + "targetPort": "1_in" + }, + { + "id": "port_16_to_port_27", + "sourceNode": "16", + "sourcePort": "16_out", + "targetNode": "27", + "targetPort": "27_in" + }, + { + "id": "port_27_to_port_1", + "sourceNode": "27", + "sourcePort": "27_out", + "targetNode": "1", + "targetPort": "1_in" + }, + { + "id": "port_18_to_port_28", + "sourceNode": "18", + "sourcePort": "18_out", + "targetNode": "28", + "targetPort": "28_in" + }, + { + "id": "port_28_to_port_1", + "sourceNode": "28", + "sourcePort": "28_out", + "targetNode": "1", + "targetPort": "1_in" + } + ], + "hash": "eba6b9d077093e83e07346cba73e6ed0a16e86ea", + "nodes": { + "0": { + "data": { + "advanced": { + "join": [] + }, + "functionName": "on_start", + "id": "0", + "type": "start" + }, + "errors": {}, + "id": "0", + "type": "start", + "warnings": {}, + "x": 1000, + "y": 419.9999999999985 + }, + "1": { + "data": { + "advanced": { + "join": [] + }, + "functionName": "on_finish", + "id": "1", + "type": "end" + }, + "errors": {}, + "id": "1", + "type": "end", + "warnings": {}, + "x": 1000, + "y": 1520 + }, + "10": { + "data": { + "advanced": { + "customName": "domain reputation filter", + "customNameId": 0, + "description": "Exclude failing domain reputations", + "join": [], + "note": "Exclude failing domain reputations" + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "==", + "param": "domain_reputation:action_result.status", + "value": "success" + } + ], + "conditionIndex": 0, + "customName": "Success", + "logic": "and" + } + ], + "functionId": 3, + "functionName": "domain_reputation_filter", + "id": "10", + "type": "filter" + }, + "errors": {}, + "id": "10", + "type": "filter", + "warnings": {}, + "x": 1040, + "y": 840 + }, + "13": { + "data": { + "advanced": { + "customName": "ip reputation filter", + "customNameId": 0, + 
"description": "Exclude failing ip reputations", + "join": [], + "note": "Exclude failing ip reputations" + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "==", + "param": "ip_reputation:action_result.status", + "value": "success" + } + ], + "conditionIndex": 0, + "customName": "Success", + "logic": "and" + } + ], + "functionId": 4, + "functionName": "ip_reputation_filter", + "id": "13", + "type": "filter" + }, + "errors": {}, + "id": "13", + "type": "filter", + "warnings": {}, + "x": 1380, + "y": 840 + }, + "16": { + "customCode": null, + "data": { + "advanced": { + "customName": "format 2", + "customNameId": 0, + "description": "Format output of domain threat data into an appropriate format for build_domain_output that generates observable objects.", + "join": [], + "note": "Format output of domain threat data into an appropriate format for build_domain_output that generates observable objects." + }, + "functionId": 4, + "functionName": "format_2", + "id": "16", + "parameters": [ + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Observable", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Level", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Categories", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.AUP" + ], + "template": "SOAR analyzed Domain using Talos Intelligence. 
The table below shows a summary of the information gathered.\n\n| Domain | Threat Level | Threat Categories | AUP Categories |\n| --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3}\n%%", + "type": "format" + }, + "errors": {}, + "id": "16", + "type": "format", + "userCode": null, + "warnings": {}, + "x": 980, + "y": 1160 + }, + "17": { + "data": { + "advanced": { + "customName": "format 1", + "customNameId": 0, + "description": "Format output of url threat data into an appropriate format for build_url_output that generates observable objects.", + "join": [], + "note": "Format output of url threat data into an appropriate format for build_url_output that generates observable objects." + }, + "functionId": 5, + "functionName": "format_1", + "id": "17", + "parameters": [ + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Observable", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Level", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Categories", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.AUP" + ], + "template": "SOAR analyzed URL using Talos Intelligence. The table below shows a summary of the information gathered.\n\n| URL | Threat Level | Threat Categories | AUP Categories |\n| --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3}\n%%", + "type": "format" + }, + "errors": {}, + "id": "17", + "type": "format", + "warnings": {}, + "x": 640, + "y": 1160 + }, + "18": { + "data": { + "advanced": { + "customName": "format 3", + "customNameId": 0, + "description": "Format output of ip threat data into an appropriate format for build_ip_output that generates observable objects. ", + "join": [], + "note": "Format output of ip threat data into an appropriate format for build_ip_output that generates observable objects. 
" + }, + "functionId": 6, + "functionName": "format_3", + "id": "18", + "parameters": [ + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Observable", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Level", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Categories", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.AUP" + ], + "template": "SOAR analyzed IP using Talos Intelligence. The table below shows a summary of the information gathered.\n\n| IP | Threat Level | Threat Categories | AUP Categories |\n| --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3}\n%%", + "type": "format" + }, + "errors": {}, + "id": "18", + "type": "format", + "warnings": {}, + "x": 1320, + "y": 1160 + }, + "2": { + "data": { + "advanced": { + "customName": "input filter", + "customNameId": 0, + "description": "Filter to pass in a url, domain or ip to it's appropriate action", + "join": [], + "note": "Filter to pass in a url, domain or ip to it's appropriate action" + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "!=", + "param": "playbook_input:url", + "value": "" + } + ], + "conditionIndex": 0, + "customName": "url", + "logic": "and" + }, + { + "comparisons": [ + { + "conditionIndex": 1, + "op": "!=", + "param": "playbook_input:domain", + "value": "" + } + ], + "conditionIndex": 1, + "customName": "domain", + "logic": "and" + }, + { + "comparisons": [ + { + "conditionIndex": 2, + "op": "!=", + "param": "playbook_input:ip", + "value": "" + } + ], + "conditionIndex": 2, + "customName": "ip", + "logic": "and" + } + ], + "functionId": 1, + "functionName": "input_filter", + "id": "2", + "type": "filter" + }, + "errors": {}, + "id": "2", + "type": "filter", + "warnings": {}, + "x": 1040, + "y": 564.5 + }, + "26": { + "customCode": null, + "data": { + "advanced": { + "customName": "build url output", + 
"customNameId": 0, + "description": "Generate an observable dictionary to output into the observables data path.", + "join": [], + "note": "Generate an observable dictionary to output into the observables data path." + }, + "functionId": 1, + "functionName": "build_url_output", + "id": "26", + "inputParameters": [ + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Observable", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Level", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Categories", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.AUP" + ], + "outputVariables": [ + "observable_array" + ], + "type": "code" + }, + "errors": {}, + "id": "26", + "type": "code", + "userCode": "\n from urllib.parse import urlparse\n build_url_output__observable_array = []\n \n talos_to_score_mapping = {\"unknown\": \"Unknown\", \"trusted\": \"Safe\", \"favorable\": \"Probably_Safe\", \"neutral\": \"May_not_be_Safe\", \"questionable\": \"Suspicious_or_Risky\", \"unstrusted\": \"Malicious\"}\n score_table = {\n \"Unkown\": \"0\",\n \"Very_Safe\": \"1\",\n \"Safe\": \"2\",\n \"Probably_Safe\": \"3\",\n \"Leans_Safe\": \"4\",\n \"May_not_be_Safe\": \"5\",\n \"Exercise_Caution\": \"6\",\n \"Suspicious_or_Risky\": \"7\",\n \"Possibly_Malicious\": \"8\",\n \"Probably_Malicious\": \"9\",\n \"Malicious\": \"10\"\n }\n \n for url, threat_level, threat_categories, aup in zip(filtered_result_0_data___observable, filtered_result_0_data___threat_level, filtered_result_0_data___threat_categories, filtered_result_0_data___aup):\n parsed_url = urlparse(url)\n score = talos_to_score_mapping.get(threat_level.lower(), \"\")\n observable_object = {\n \"value\": url,\n \"type\": \"url\",\n \"reputation\": {\n \"threat_level\": threat_level,\n \"threat_categories\": threat_categories,\n \"aup_categories\": aup,\n \"score\": score,\n 
\"score_id\": score_table.get(score, \"\")\n },\n \"attributes\": {\n \"hostname\": parsed_url.hostname,\n \"scheme\": parsed_url.scheme\n },\n \"source\": \"Cisco Talos Intelligence\",\n }\n if parsed_url.path:\n observable_object['attributes']['path'] = parsed_url.path\n if parsed_url.query:\n observable_object['attributes']['query'] = parsed_url.query\n if parsed_url.port:\n observable_object['attributes']['port'] = parsed_url.port\n \n build_url_output__observable_array.append(observable_object)\n\n", + "warnings": {}, + "x": 640, + "y": 1380 + }, + "27": { + "customCode": null, + "data": { + "advanced": { + "customName": "build domain output", + "customNameId": 0, + "description": "Generate an observable dictionary to output into the observables data path.", + "join": [], + "note": "Generate an observable dictionary to output into the observables data path." + }, + "functionId": 2, + "functionName": "build_domain_output", + "id": "27", + "inputParameters": [ + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Observable", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Level", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Categories", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.AUP" + ], + "outputVariables": [ + "observable_array" + ], + "type": "code" + }, + "errors": {}, + "id": "27", + "type": "code", + "userCode": "\n build_domain_output__observable_array = []\n \n talos_to_score_mapping = {\"unknown\": \"Unknown\", \"trusted\": \"Safe\", \"favorable\": \"Probably_Safe\", \"neutral\": \"May_not_be_Safe\", \"questionable\": \"Suspicious_or_Risky\", \"unstrusted\": \"Malicious\"}\n score_table = {\n \"Unkown\": \"0\",\n \"Very_Safe\": \"1\",\n \"Safe\": \"2\",\n \"Probably_Safe\": \"3\",\n \"Leans_Safe\": \"4\",\n \"May_not_be_Safe\": \"5\",\n \"Exercise_Caution\": 
\"6\",\n \"Suspicious_or_Risky\": \"7\",\n \"Possibly_Malicious\": \"8\",\n \"Probably_Malicious\": \"9\",\n \"Malicious\": \"10\"\n }\n \n for domain, threat_level, threat_categories, aup in zip(filtered_result_0_data___observable, filtered_result_0_data___threat_level, filtered_result_0_data___threat_categories, filtered_result_0_data___aup):\n score = talos_to_score_mapping.get(threat_level.lower(), \"\")\n observable_object = {\n \"value\": domain,\n \"type\": \"domain\",\n \"reputation\": {\n \"threat_level\": threat_level,\n \"threat_categories\": threat_categories,\n \"aup_categories\": aup,\n \"score\": score,\n \"score_id\": score_table.get(score, \"\")\n },\n \"source\": \"Cisco Talos Intelligence\"\n }\n build_domain_output__observable_array.append(observable_object)\n\n", + "warnings": {}, + "x": 980, + "y": 1380 + }, + "28": { + "customCode": null, + "data": { + "advanced": { + "customName": "build ip output", + "customNameId": 0, + "description": "Generate an observable dictionary to output into the observables data path.", + "join": [], + "note": "Generate an observable dictionary to output into the observables data path." 
+ }, + "functionId": 3, + "functionName": "build_ip_output", + "id": "28", + "inputParameters": [ + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Observable", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Level", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Categories", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.AUP" + ], + "outputVariables": [ + "observable_array" + ], + "type": "code" + }, + "errors": {}, + "id": "28", + "type": "code", + "userCode": "\n import ipaddress\n build_ip_output__observable_array = []\n \n talos_to_score_mapping = {\"unknown\": \"Unknown\", \"trusted\": \"Safe\", \"favorable\": \"Probably_Safe\", \"neutral\": \"May_not_be_Safe\", \"questionable\": \"Suspicious_or_Risky\", \"unstrusted\": \"Malicious\"}\n score_table = {\n \"Unkown\": \"0\",\n \"Very_Safe\": \"1\",\n \"Safe\": \"2\",\n \"Probably_Safe\": \"3\",\n \"Leans_Safe\": \"4\",\n \"May_not_be_Safe\": \"5\",\n \"Exercise_Caution\": \"6\",\n \"Suspicious_or_Risky\": \"7\",\n \"Possibly_Malicious\": \"8\",\n \"Probably_Malicious\": \"9\",\n \"Malicious\": \"10\"\n }\n \n for ip, threat_level, threat_categories, aup in zip(filtered_result_0_data___observable, filtered_result_0_data___threat_level, filtered_result_0_data___threat_categories, filtered_result_0_data___aup):\n score = talos_to_score_mapping.get(threat_level.lower(), \"\")\n observable_object = {\n \"value\": ip,\n \"type\": \"ipv4\",\n \"reputation\": {\n \"threat_level\": threat_level,\n \"threat_categories\": threat_categories,\n \"aup_categories\": aup,\n \"score\": score,\n \"score_id\": score_table.get(score, \"\")\n },\n \"source\": \"Cisco Talos Intelligence\"\n }\n ip_addr = ipaddress.ip_address(ip)\n if isinstance(ip_addr, ipaddress.IPv6Address):\n observable_object[\"type\"] = \"ipv6\"\n\n 
build_ip_output__observable_array.append(observable_object)\n\n", + "warnings": {}, + "x": 1320, + "y": 1380 + }, + "3": { + "data": { + "action": "url reputation", + "actionType": "investigate", + "advanced": { + "customName": "url reputation", + "customNameId": 0, + "description": "Use Talos to get threat data on an url", + "join": [], + "note": "Use Talos to get threat data on an url" + }, + "connector": "Cisco Talos Intelligence", + "connectorConfigs": [ + "cisco_talos_intelligence" + ], + "connectorId": "7c653487-22c8-4ec1-bca0-16a8b1513c86", + "connectorVersion": "v1", + "functionId": 1, + "functionName": "url_reputation", + "id": "3", + "loop": { + "enabled": false, + "exitAfterUnit": "m", + "exitAfterValue": 10, + "exitConditionEnabled": false, + "exitLoopAfter": 2, + "pauseUnit": "m", + "pauseValue": 2 + }, + "parameters": { + "url": "filtered-data:input_filter:condition_1:playbook_input:url" + }, + "requiredParameters": [ + { + "data_type": "string", + "default": "", + "field": "url" + } + ], + "type": "action" + }, + "errors": {}, + "id": "3", + "type": "action", + "warnings": {}, + "x": 640, + "y": 700 + }, + "4": { + "data": { + "action": "domain reputation", + "actionType": "investigate", + "advanced": { + "customName": "domain reputation", + "customNameId": 0, + "description": "Use Talos to get threat data on a domain", + "join": [], + "note": "Use Talos to get threat data on a domain" + }, + "connector": "Cisco Talos Intelligence", + "connectorConfigs": [ + "cisco_talos_intelligence" + ], + "connectorId": "7c653487-22c8-4ec1-bca0-16a8b1513c86", + "connectorVersion": "v1", + "functionId": 1, + "functionName": "domain_reputation", + "id": "4", + "loop": { + "enabled": false, + "exitAfterUnit": "m", + "exitAfterValue": 10, + "exitConditionEnabled": false, + "exitLoopAfter": 2, + "pauseUnit": "m", + "pauseValue": 2 + }, + "parameters": { + "domain": "filtered-data:input_filter:condition_2:playbook_input:domain" + }, + "requiredParameters": [ + { + 
"data_type": "string", + "default": "", + "field": "domain" + } + ], + "type": "action" + }, + "errors": {}, + "id": "4", + "type": "action", + "warnings": {}, + "x": 980, + "y": 700 + }, + "5": { + "data": { + "action": "ip reputation", + "actionType": "investigate", + "advanced": { + "customName": "ip reputation", + "customNameId": 0, + "description": "Use Talos to get threat data on an ip", + "join": [], + "note": "Use Talos to get threat data on an ip" + }, + "connector": "Cisco Talos Intelligence", + "connectorConfigs": [ + "cisco_talos_intelligence" + ], + "connectorId": "7c653487-22c8-4ec1-bca0-16a8b1513c86", + "connectorVersion": "v1", + "functionId": 1, + "functionName": "ip_reputation", + "id": "5", + "loop": { + "enabled": false, + "exitAfterUnit": "m", + "exitAfterValue": 10, + "exitConditionEnabled": false, + "exitLoopAfter": 2, + "pauseUnit": "m", + "pauseValue": 2 + }, + "parameters": { + "ip": "filtered-data:input_filter:condition_3:playbook_input:ip" + }, + "requiredParameters": [ + { + "data_type": "string", + "default": "", + "field": "ip" + } + ], + "type": "action" + }, + "errors": {}, + "id": "5", + "type": "action", + "warnings": {}, + "x": 1320, + "y": 700 + }, + "6": { + "data": { + "advanced": { + "customName": "url reputation filter", + "customNameId": 0, + "description": "Exclude failing url reputations", + "join": [], + "note": "Exclude failing url reputations" + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "==", + "param": "url_reputation:action_result.status", + "value": "success" + } + ], + "conditionIndex": 0, + "customName": "Success", + "logic": "and" + } + ], + "functionId": 2, + "functionName": "url_reputation_filter", + "id": "6", + "type": "filter" + }, + "errors": {}, + "id": "6", + "type": "filter", + "warnings": {}, + "x": 700, + "y": 840 + } + }, + "notes": "Inputs: url, ip, domain\nInteractions: Cisco Talos Intelligence\nActions: url reputation, ip reputation, domain reputation, file 
reputation\nOutputs: note, observables" + }, + "input_spec": [ + { + "contains": [ + "url" + ], + "description": "A URL provided for reputation analysis", + "name": "url" + }, + { + "contains": [ + "domain" + ], + "description": "A Domain provided for reputation analysis", + "name": "domain" + }, + { + "contains": [ + "ip" + ], + "description": "An IP provided for reputation analysis", + "name": "ip" + } + ], + "output_spec": [ + { + "contains": [], + "datapaths": [ + "build_url_output:custom_function:observable_array", + "build_domain_output:custom_function:observable_array", + "build_ip_output:custom_function:observable_array" + ], + "deduplicate": false, + "description": "An array of observable dictionaries with value, threat level, threat categories and AUP categories", + "metadata": {}, + "name": "observable" + }, + { + "contains": [], + "datapaths": [ + "format_1:formatted_data", + "format_2:formatted_data", + "format_3:formatted_data" + ], + "deduplicate": false, + "description": "An array of reports. One report per observable type.", + "metadata": {}, + "name": "markdown_report" + } + ], + "playbook_trigger": "artifact_created", + "playbook_type": "data", + "python_version": "3", + "schema": "5.0.15", + "version": "6.3.1.176" + }, + "create_time": "2024-12-11T22:12:36.759275+00:00", + "draft_mode": false, + "labels": [ + "*" + ], + "tags": [ + "reputation", + "url", + "ip", + "domain", + "Cisco Talos Intelligence" + ] +} diff --git a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.py b/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.py new file mode 100644 index 0000000000..83aa27dd3e --- /dev/null +++ b/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.py 
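Review bot: the `talos_to_score_mapping` dictionary in all three code blocks (build_url_output, build_domain_output, build_ip_output) has the key spelled `"unstrusted"`, so a Talos threat level of "Untrusted", the one verdict an analyst most needs surfaced, falls through to `score = ""` and `score_id = ""` instead of "Malicious"/"10"; in the same blocks `score_table` has `"Unkown"` where the mapping produces "Unknown", so that value also gets an empty `score_id` instead of "0". Fix both spellings in all three blocks (the repeated dictionaries would be easier to keep consistent as a single custom function). In build_ip_output, `ipaddress.ip_address(ip)` raises ValueError on anything that is not a bare address, which aborts the whole block and drops every observable in the batch; wrap it in try/except and keep `"ipv4"` as the fallback type. Finally, the `notes` field lists "file reputation" among the actions, but the playbook has only url, domain and ip reputation blocks; remove it from the notes.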
@@ -0,0 +1,596 @@ +""" +Accepts a URL, IP or Domain and does reputation analysis on the objects. Generates a threat level, threat categories and AUP categories that are formatted and added to a container as a note. +""" + + +import phantom.rules as phantom +import json +from datetime import datetime, timedelta + + +@phantom.playbook_block() +def on_start(container): + phantom.debug('on_start() called') + + # call 'input_filter' block + input_filter(container=container) + + return + +@phantom.playbook_block() +def input_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("input_filter() called") + + ################################################################################ + # Filter to pass in a url, domain or ip to it's appropriate action + ################################################################################ + + # collect filtered artifact ids and results for 'if' condition 1 + matched_artifacts_1, matched_results_1 = phantom.condition( + container=container, + conditions=[ + ["playbook_input:url", "!=", ""] + ], + name="input_filter:condition_1", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_1 or matched_results_1: + url_reputation(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1) + + # collect filtered artifact ids and results for 'if' condition 2 + matched_artifacts_2, matched_results_2 = phantom.condition( + container=container, + conditions=[ + ["playbook_input:domain", "!=", ""] + ], + name="input_filter:condition_2", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_2 or matched_results_2: + domain_reputation(action=action, success=success, container=container, results=results, 
handle=handle, filtered_artifacts=matched_artifacts_2, filtered_results=matched_results_2) + + # collect filtered artifact ids and results for 'if' condition 3 + matched_artifacts_3, matched_results_3 = phantom.condition( + container=container, + conditions=[ + ["playbook_input:ip", "!=", ""] + ], + name="input_filter:condition_3", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_3 or matched_results_3: + ip_reputation(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_3, filtered_results=matched_results_3) + + return + + +@phantom.playbook_block() +def url_reputation(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("url_reputation() called") + + # phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + ################################################################################ + # Use Talos to get threat data on an url + ################################################################################ + + filtered_input_0_url = phantom.collect2(container=container, datapath=["filtered-data:input_filter:condition_1:playbook_input:url"]) + + parameters = [] + + # build parameters list for 'url_reputation' call + for filtered_input_0_url_item in filtered_input_0_url: + if filtered_input_0_url_item[0] is not None: + parameters.append({ + "url": filtered_input_0_url_item[0], + }) + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... 
+ + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.act("url reputation", parameters=parameters, name="url_reputation", assets=["cisco_talos_intelligence"], callback=url_reputation_filter) + + return + + +@phantom.playbook_block() +def domain_reputation(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("domain_reputation() called") + + # phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + ################################################################################ + # Use Talos to get threat data on a domain + ################################################################################ + + filtered_input_0_domain = phantom.collect2(container=container, datapath=["filtered-data:input_filter:condition_2:playbook_input:domain"]) + + parameters = [] + + # build parameters list for 'domain_reputation' call + for filtered_input_0_domain_item in filtered_input_0_domain: + if filtered_input_0_domain_item[0] is not None: + parameters.append({ + "domain": filtered_input_0_domain_item[0], + }) + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... 
+ + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.act("domain reputation", parameters=parameters, name="domain_reputation", assets=["cisco_talos_intelligence"], callback=domain_reputation_filter) + + return + + +@phantom.playbook_block() +def ip_reputation(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("ip_reputation() called") + + # phantom.debug('Action: {0} {1}'.format(action['name'], ('SUCCEEDED' if success else 'FAILED'))) + + ################################################################################ + # Use Talos to get threat data on an ip + ################################################################################ + + filtered_input_0_ip = phantom.collect2(container=container, datapath=["filtered-data:input_filter:condition_3:playbook_input:ip"]) + + parameters = [] + + # build parameters list for 'ip_reputation' call + for filtered_input_0_ip_item in filtered_input_0_ip: + if filtered_input_0_ip_item[0] is not None: + parameters.append({ + "ip": filtered_input_0_ip_item[0], + }) + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... 
+ + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.act("ip reputation", parameters=parameters, name="ip_reputation", assets=["cisco_talos_intelligence"], callback=ip_reputation_filter) + + return + + +@phantom.playbook_block() +def url_reputation_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("url_reputation_filter() called") + + ################################################################################ + # Exclude failing url reputations + ################################################################################ + + # collect filtered artifact ids and results for 'if' condition 1 + matched_artifacts_1, matched_results_1 = phantom.condition( + container=container, + conditions=[ + ["url_reputation:action_result.status", "==", "success"] + ], + name="url_reputation_filter:condition_1", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_1 or matched_results_1: + format_1(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1) + + return + + +@phantom.playbook_block() +def domain_reputation_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("domain_reputation_filter() called") + + ################################################################################ + # Exclude failing domain reputations + ################################################################################ + + # collect filtered artifact ids and results for 'if' condition 1 + 
matched_artifacts_1, matched_results_1 = phantom.condition( + container=container, + conditions=[ + ["domain_reputation:action_result.status", "==", "success"] + ], + name="domain_reputation_filter:condition_1", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_1 or matched_results_1: + format_2(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1) + + return + + +@phantom.playbook_block() +def ip_reputation_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("ip_reputation_filter() called") + + ################################################################################ + # Exclude failing ip reputations + ################################################################################ + + # collect filtered artifact ids and results for 'if' condition 1 + matched_artifacts_1, matched_results_1 = phantom.condition( + container=container, + conditions=[ + ["ip_reputation:action_result.status", "==", "success"] + ], + name="ip_reputation_filter:condition_1", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_1 or matched_results_1: + format_3(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1) + + return + + +@phantom.playbook_block() +def format_2(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("format_2() called") + + ################################################################################ + # Format output of domain threat data into an appropriate format for 
build_domain_output + # that generates observable objects. + ################################################################################ + + template = """SOAR analyzed Domain using Talos Intelligence. The table below shows a summary of the information gathered.\n\n| Domain | Threat Level | Threat Categories | AUP Categories |\n| --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3}\n%%""" + + # parameter list for template variable replacement + parameters = [ + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Observable", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Level", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Categories", + "filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.AUP" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="format_2") + + build_domain_output(container=container) + + return + + +@phantom.playbook_block() +def format_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("format_1() called") + + ################################################################################ + # Format output of url threat data into an appropriate format for build_url_output + # that generates observable objects. 
+ ################################################################################ + + template = """SOAR analyzed URL using Talos Intelligence. The table below shows a summary of the information gathered.\n\n| URL | Threat Level | Threat Categories | AUP Categories |\n| --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3}\n%%""" + + # parameter list for template variable replacement + parameters = [ + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Observable", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Level", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Categories", + "filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.AUP" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="format_1") + + build_url_output(container=container) + + return + + +@phantom.playbook_block() +def format_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("format_3() called") + + ################################################################################ + # Format output of ip threat data into an appropriate format for build_ip_output + # that generates observable objects. + ################################################################################ + + template = """SOAR analyzed IP using Talos Intelligence. 
The table below shows a summary of the information gathered.\n\n| IP | Threat Level | Threat Categories | AUP Categories |\n| --- | --- | --- | --- |\n%%\n| {0} | {1} | {2} | {3}\n%%""" + + # parameter list for template variable replacement + parameters = [ + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Observable", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Level", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Categories", + "filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.AUP" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="format_3") + + build_ip_output(container=container) + + return + + +@phantom.playbook_block() +def build_url_output(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("build_url_output() called") + + ################################################################################ + # Generate an observable dictionary to output into the observables data path. 
+ ################################################################################ + + filtered_result_0_data_url_reputation_filter = phantom.collect2(container=container, datapath=["filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Observable","filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Level","filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.Threat_Categories","filtered-data:url_reputation_filter:condition_1:url_reputation:action_result.data.*.AUP"]) + + filtered_result_0_data___observable = [item[0] for item in filtered_result_0_data_url_reputation_filter] + filtered_result_0_data___threat_level = [item[1] for item in filtered_result_0_data_url_reputation_filter] + filtered_result_0_data___threat_categories = [item[2] for item in filtered_result_0_data_url_reputation_filter] + filtered_result_0_data___aup = [item[3] for item in filtered_result_0_data_url_reputation_filter] + + build_url_output__observable_array = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + from urllib.parse import urlparse + build_url_output__observable_array = [] + + talos_to_score_mapping = {"unknown": "Unknown", "trusted": "Safe", "favorable": "Probably_Safe", "neutral": "May_not_be_Safe", "questionable": "Suspicious_or_Risky", "unstrusted": "Malicious"} + score_table = { + "Unkown": "0", + "Very_Safe": "1", + "Safe": "2", + "Probably_Safe": "3", + "Leans_Safe": "4", + "May_not_be_Safe": "5", + "Exercise_Caution": "6", + "Suspicious_or_Risky": "7", + "Possibly_Malicious": "8", + "Probably_Malicious": "9", + "Malicious": "10" + } + + for url, threat_level, threat_categories, aup in zip(filtered_result_0_data___observable, filtered_result_0_data___threat_level, filtered_result_0_data___threat_categories, 
filtered_result_0_data___aup): + parsed_url = urlparse(url) + score = talos_to_score_mapping.get(threat_level.lower(), "") + observable_object = { + "value": url, + "type": "url", + "reputation": { + "threat_level": threat_level, + "threat_categories": threat_categories, + "aup_categories": aup, + "score": score, + "score_id": score_table.get(score, "") + }, + "attributes": { + "hostname": parsed_url.hostname, + "scheme": parsed_url.scheme + }, + "source": "Cisco Talos Intelligence", + } + if parsed_url.path: + observable_object['attributes']['path'] = parsed_url.path + if parsed_url.query: + observable_object['attributes']['query'] = parsed_url.query + if parsed_url.port: + observable_object['attributes']['port'] = parsed_url.port + + build_url_output__observable_array.append(observable_object) + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="build_url_output:observable_array", value=json.dumps(build_url_output__observable_array)) + + return + + +@phantom.playbook_block() +def build_domain_output(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("build_domain_output() called") + + ################################################################################ + # Generate an observable dictionary to output into the observables data path. 
+ ################################################################################ + + filtered_result_0_data_domain_reputation_filter = phantom.collect2(container=container, datapath=["filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Observable","filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Level","filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.Threat_Categories","filtered-data:domain_reputation_filter:condition_1:domain_reputation:action_result.data.*.AUP"]) + + filtered_result_0_data___observable = [item[0] for item in filtered_result_0_data_domain_reputation_filter] + filtered_result_0_data___threat_level = [item[1] for item in filtered_result_0_data_domain_reputation_filter] + filtered_result_0_data___threat_categories = [item[2] for item in filtered_result_0_data_domain_reputation_filter] + filtered_result_0_data___aup = [item[3] for item in filtered_result_0_data_domain_reputation_filter] + + build_domain_output__observable_array = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + build_domain_output__observable_array = [] + + talos_to_score_mapping = {"unknown": "Unknown", "trusted": "Safe", "favorable": "Probably_Safe", "neutral": "May_not_be_Safe", "questionable": "Suspicious_or_Risky", "unstrusted": "Malicious"} + score_table = { + "Unkown": "0", + "Very_Safe": "1", + "Safe": "2", + "Probably_Safe": "3", + "Leans_Safe": "4", + "May_not_be_Safe": "5", + "Exercise_Caution": "6", + "Suspicious_or_Risky": "7", + "Possibly_Malicious": "8", + "Probably_Malicious": "9", + "Malicious": "10" + } + + for domain, threat_level, threat_categories, aup in zip(filtered_result_0_data___observable, filtered_result_0_data___threat_level, filtered_result_0_data___threat_categories, 
filtered_result_0_data___aup): + score = talos_to_score_mapping.get(threat_level.lower(), "") + observable_object = { + "value": domain, + "type": "domain", + "reputation": { + "threat_level": threat_level, + "threat_categories": threat_categories, + "aup_categories": aup, + "score": score, + "score_id": score_table.get(score, "") + }, + "source": "Cisco Talos Intelligence" + } + build_domain_output__observable_array.append(observable_object) + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="build_domain_output:observable_array", value=json.dumps(build_domain_output__observable_array)) + + return + + +@phantom.playbook_block() +def build_ip_output(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs): + phantom.debug("build_ip_output() called") + + ################################################################################ + # Generate an observable dictionary to output into the observables data path. 
+ ################################################################################ + + filtered_result_0_data_ip_reputation_filter = phantom.collect2(container=container, datapath=["filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Observable","filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Level","filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.Threat_Categories","filtered-data:ip_reputation_filter:condition_1:ip_reputation:action_result.data.*.AUP"]) + + filtered_result_0_data___observable = [item[0] for item in filtered_result_0_data_ip_reputation_filter] + filtered_result_0_data___threat_level = [item[1] for item in filtered_result_0_data_ip_reputation_filter] + filtered_result_0_data___threat_categories = [item[2] for item in filtered_result_0_data_ip_reputation_filter] + filtered_result_0_data___aup = [item[3] for item in filtered_result_0_data_ip_reputation_filter] + + build_ip_output__observable_array = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + import ipaddress + build_ip_output__observable_array = [] + + talos_to_score_mapping = {"unknown": "Unknown", "trusted": "Safe", "favorable": "Probably_Safe", "neutral": "May_not_be_Safe", "questionable": "Suspicious_or_Risky", "unstrusted": "Malicious"} + score_table = { + "Unkown": "0", + "Very_Safe": "1", + "Safe": "2", + "Probably_Safe": "3", + "Leans_Safe": "4", + "May_not_be_Safe": "5", + "Exercise_Caution": "6", + "Suspicious_or_Risky": "7", + "Possibly_Malicious": "8", + "Probably_Malicious": "9", + "Malicious": "10" + } + + for ip, threat_level, threat_categories, aup in zip(filtered_result_0_data___observable, filtered_result_0_data___threat_level, filtered_result_0_data___threat_categories, filtered_result_0_data___aup): + score = 
talos_to_score_mapping.get(threat_level.lower(), "") + observable_object = { + "value": ip, + "type": "ipv4", + "reputation": { + "threat_level": threat_level, + "threat_categories": threat_categories, + "aup_categories": aup, + "score": score, + "score_id": score_table.get(score, "") + }, + "source": "Cisco Talos Intelligence" + } + ip_addr = ipaddress.ip_address(ip) + if isinstance(ip_addr, ipaddress.IPv6Address): + observable_object["type"] = "ipv6" + + build_ip_output__observable_array.append(observable_object) + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="build_ip_output:observable_array", value=json.dumps(build_ip_output__observable_array)) + + return + + +@phantom.playbook_block() +def on_finish(container, summary): + phantom.debug("on_finish() called") + + format_1 = phantom.get_format_data(name="format_1") + format_2 = phantom.get_format_data(name="format_2") + format_3 = phantom.get_format_data(name="format_3") + build_url_output__observable_array = json.loads(_ if (_ := phantom.get_run_data(key="build_url_output:observable_array")) != "" else "null") # pylint: disable=used-before-assignment + build_domain_output__observable_array = json.loads(_ if (_ := phantom.get_run_data(key="build_domain_output:observable_array")) != "" else "null") # pylint: disable=used-before-assignment + build_ip_output__observable_array = json.loads(_ if (_ := phantom.get_run_data(key="build_ip_output:observable_array")) != "" else "null") # pylint: disable=used-before-assignment + + observable_combined_value = phantom.concatenate(build_url_output__observable_array, build_domain_output__observable_array, build_ip_output__observable_array) + markdown_report_combined_value = phantom.concatenate(format_1, format_2, format_3) + + output = { + "observable": observable_combined_value, + "markdown_report": 
markdown_report_combined_value, + } + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_playbook_output_data(output=output) + + return \ No newline at end of file diff --git a/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml b/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml new file mode 100644 index 0000000000..a66cd2fd49 --- /dev/null +++ b/playbooks/Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml @@ -0,0 +1,29 @@ +name: Cisco Talos Intelligence Identifier Reputation Analysis +id: 9cea2ec7-9e6c-4861-b828-336410cdc1cc +version: 1 +date: '2025-01-17' +author: Kelby Shelton, Tapish Jain, Splunk +type: Investigation +description: "Accepts a URL, IP or Domain and provides intelligence on the objects. Generates a per observable report that includes the objects threat level, threat categories, acceptable use categories and score." +playbook: CiscoTalosIntelligence_Identifier_Reputation_Analysis +how_to_implement: This input playbook requires the Cisco Talos Intelligence connector to be configured and a Splunk SOAR cloud license. +references: + - https://d3fend.mitre.org/technique/d3f:IdentifierReputationAnalysis/ +app_list: + - Cisco Talos Intelligence +tags: + defend_technique_id: + - D3-IRA + platform_tags: + - reputation + - url + - ip + - domain + - Cisco Talos Intelligence + playbook_type: Input + vpe_type: Modern + playbook_fields: [] + product: + - Splunk SOAR + use_cases: + - Enrichment diff --git a/playbooks/risk_notable_import_data.json b/playbooks/risk_notable_import_data.json index b88c0b461a..12f59821d9 100644 
--- a/playbooks/risk_notable_import_data.json +++ b/playbooks/risk_notable_import_data.json @@ -136,7 +136,7 @@ "errors": {}, "id": "1", "type": "end", - "userCode": "\t\n # Error handling in case of playbook not being able to import data properly\n if not format_summary_note:\n raise RuntimeError(\"Error occured during import data and summary note is missing\")\n \n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n", + "userCode": "\t\n # Error handling in case of playbook not being able to import data properly\n if not format_summary_note:\n raise RuntimeError(\"Error occured during import data and summary note is missing\")\n \n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n", "x": 960, "y": 1800 }, diff --git a/stories/3cx_supply_chain_attack.yml b/stories/3cx_supply_chain_attack.yml index ad37e5a890..6829373141 100644 --- a/stories/3cx_supply_chain_attack.yml +++ b/stories/3cx_supply_chain_attack.yml 
@@ -3,6 +3,7 @@ id: c4d7618c-73a7-4f7c-8071-060c36850785 version: 1 date: '2023-03-30' author: Michael Haag, Splunk +status: production description: 'On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)' narrative: 'On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.' references: diff --git a/stories/abnormal_kubernetes_behavior_using_splunk_infrastructure_monitoring.yml b/stories/abnormal_kubernetes_behavior_using_splunk_infrastructure_monitoring.yml index 36115ecb93..47f4cfcb1d 100644 --- a/stories/abnormal_kubernetes_behavior_using_splunk_infrastructure_monitoring.yml 
+++ b/stories/abnormal_kubernetes_behavior_using_splunk_infrastructure_monitoring.yml @@ -3,6 +3,7 @@ id: 7589023b-3d98-42b3-ab1c-bb498e68fc2d version: 1 date: '2024-01-08' author: 'Matthew Moore, Patrick Bareiss, Splunk' +status: production description: Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. diff --git a/stories/acidpour.yml b/stories/acidpour.yml index 20b851e1fc..e93759b339 100644 --- a/stories/acidpour.yml +++ b/stories/acidpour.yml @@ -3,6 +3,7 @@ id: 5992d9b3-f83c-48e8-8164-6cf8f19cfb42 version: 1 date: '2024-04-01' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to AcidPour Wiper malware. AcidPour is a destructive variant designed to irreversibly delete data from targeted systems, rendering them inoperable. Unlike ransomware, AcidPour focuses on data destruction, targeting critical storage sectors and overwriting files to make recovery impossible. diff --git a/stories/acidrain.yml b/stories/acidrain.yml index c63f91d3ff..f2cfd73737 100644 --- a/stories/acidrain.yml +++ b/stories/acidrain.yml @@ -3,6 +3,7 @@ id: c68717c6-4938-434b-987c-e1ce9d516124 version: 1 date: '2022-04-12' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. diff --git a/stories/active_directory_discovery.yml b/stories/active_directory_discovery.yml index f57b09a979..85afaed8cb 100644 
--- a/stories/active_directory_discovery.yml +++ b/stories/active_directory_discovery.yml @@ -3,7 +3,7 @@ id: 8460679c-2b21-463e-b381-b813417c32f2 version: 1 date: '2021-08-20' author: Mauricio Velazco, Splunk -type: batch +status: production description: Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments. narrative: 'Discovery consists of techniques an adversay uses to gain knowledge about diff --git a/stories/active_directory_kerberos_attacks.yml b/stories/active_directory_kerberos_attacks.yml index ed03bd160f..224548cb64 100644 --- a/stories/active_directory_kerberos_attacks.yml +++ b/stories/active_directory_kerberos_attacks.yml @@ -3,6 +3,7 @@ id: 38b8cf16-8461-11ec-ade1-acde48001122 version: 1 date: '2022-02-02' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments. narrative: Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access diff --git a/stories/active_directory_lateral_movement.yml b/stories/active_directory_lateral_movement.yml index 9c31419c16..9b7139c117 100644 --- a/stories/active_directory_lateral_movement.yml +++ b/stories/active_directory_lateral_movement.yml @@ -3,6 +3,7 @@ id: 399d65dc-1f08-499b-a259-aad9051f38ad version: 3 date: '2021-12-09' author: David Dorsey, Mauricio Velazco Splunk +status: production description: Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy 
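Review bot: the stories/active_directory_discovery.yml hunk is the only one in this series that removes a key (`-type: batch`) instead of only adding `+status: production`; confirm that `type` is no longer a recognized story field in contentctl so nothing downstream still reads it. While these lines are being touched, the adjacent context has two typos worth fixing in the same change: `techniques an adversay uses` → `techniques an adversary uses`, and `within with Active Directory environments` → `within Active Directory environments` (the same `within with` wording also appears in the active_directory_kerberos_attacks.yml hunk below).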
diff --git a/stories/active_directory_password_spraying.yml b/stories/active_directory_password_spraying.yml index 673f255263..a2c49e1736 100644 --- a/stories/active_directory_password_spraying.yml +++ b/stories/active_directory_password_spraying.yml @@ -3,6 +3,7 @@ id: 3de109da-97d2-11eb-8b6a-acde48001122 version: 2 date: '2021-04-07' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments. narrative: 'In a password spraying attack, adversaries leverage one or a small list diff --git a/stories/active_directory_privilege_escalation.yml b/stories/active_directory_privilege_escalation.yml index dc396f9dfb..4b7671cb52 100644 --- a/stories/active_directory_privilege_escalation.yml +++ b/stories/active_directory_privilege_escalation.yml @@ -3,6 +3,7 @@ id: fa34a5d8-df0a-404c-8237-11f99cba1d5f version: 1 date: '2023-03-20' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments. narrative: Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. diff --git a/stories/adobe_coldfusion_arbitrary_code_execution_cve_2023_29298_cve_2023_26360.yml b/stories/adobe_coldfusion_arbitrary_code_execution_cve_2023_29298_cve_2023_26360.yml index e38731c89a..c359973e9b 100644 --- a/stories/adobe_coldfusion_arbitrary_code_execution_cve_2023_29298_cve_2023_26360.yml +++ b/stories/adobe_coldfusion_arbitrary_code_execution_cve_2023_29298_cve_2023_26360.yml 
@@ -3,6 +3,7 @@ id: e33e2e38-f9c2-432d-8be6-bc67b92aa82e version: 1 date: '2023-08-23' author: Michael Haag, Splunk +status: production description: In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities. narrative: Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. 
In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. diff --git a/stories/agenttesla.yml b/stories/agenttesla.yml index 6145f9da10..aff5c845de 100644 --- a/stories/agenttesla.yml +++ b/stories/agenttesla.yml @@ -3,6 +3,7 @@ id: 9bb6077a-843e-418b-b134-c57ef997103c version: 1 date: '2022-04-12' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. diff --git a/stories/amadey.yml b/stories/amadey.yml index 91f19a726e..8bcbf47ade 100644 --- a/stories/amadey.yml +++ b/stories/amadey.yml 
@@ -3,6 +3,7 @@ id: a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c version: 1 date: '2023-06-16' author: Teoderick Contreras, Splunk +status: production description: This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers. narrative: Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances. references: diff --git a/stories/apache_struts_vulnerability.yml b/stories/apache_struts_vulnerability.yml index 083cca22b5..46fb9a302b 100644 --- a/stories/apache_struts_vulnerability.yml +++ b/stories/apache_struts_vulnerability.yml @@ -3,6 +3,7 @@ id: 2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e version: 1 date: '2018-12-06' author: Rico Valdez, Splunk +status: production description: Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities. 
diff --git a/stories/apt29_diplomatic_deceptions_with_wineloader.yml b/stories/apt29_diplomatic_deceptions_with_wineloader.yml index 43f164b3aa..28acf92824 100644 --- a/stories/apt29_diplomatic_deceptions_with_wineloader.yml +++ b/stories/apt29_diplomatic_deceptions_with_wineloader.yml 
@@ -3,6 +3,7 @@ id: 7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd version: 1 date: '2024-03-26' author: Michael Haag, splunk +status: production description: APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities. narrative: APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets. references: diff --git a/stories/asset_tracking.yml b/stories/asset_tracking.yml index cd2afdb44d..1c343caf6e 100644 --- a/stories/asset_tracking.yml +++ b/stories/asset_tracking.yml 
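Review bot: in the stories/apt29_diplomatic_deceptions_with_wineloader.yml hunk the context line `author: Michael Haag, splunk` uses lowercase `splunk`, unlike every other story in this diff (`Splunk`); since the line directly above the added `status` field is in the hunk anyway, normalizing it here keeps the author field consistent for any tooling that groups content by author.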
@@ -3,6 +3,7 @@ id: 91c676cf-0b23-438d-abee-f6335e1fce77 version: 1 date: '2017-09-13' author: Bhavin Patel, Splunk +status: production description: Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further. diff --git a/stories/asyncrat.yml b/stories/asyncrat.yml index fbac0d1313..0b3b0efd4b 100644 --- a/stories/asyncrat.yml +++ b/stories/asyncrat.yml @@ -3,6 +3,7 @@ id: d7053072-7dd2-4874-8314-bfcbc99978a4 version: 1 date: '2023-01-24' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted diff --git a/stories/atlassian_confluence_server_and_data_center_cve_2022_26134.yml b/stories/atlassian_confluence_server_and_data_center_cve_2022_26134.yml index e73cbfbb06..8f99a94428 100644 --- a/stories/atlassian_confluence_server_and_data_center_cve_2022_26134.yml +++ b/stories/atlassian_confluence_server_and_data_center_cve_2022_26134.yml 
@@ -3,6 +3,7 @@ id: 91623a50-41fa-4c4e-8637-c239b80ff439 version: 1 date: '2022-06-03' author: Michael Haag, Splunk +status: production description: On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release. narrative: Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk. diff --git a/stories/awfulshred.yml b/stories/awfulshred.yml index e9f962a6c9..697fa00da4 100644 --- a/stories/awfulshred.yml +++ b/stories/awfulshred.yml @@ -3,6 +3,7 @@ id: e36935ce-f48c-4fb2-8109-7e80c1cdc9e2 version: 1 date: '2023-01-24' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops. narrative: AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. diff --git a/stories/aws_cross_account_activity.yml b/stories/aws_cross_account_activity.yml index 1f8e8e899c..0198363273 100644 --- a/stories/aws_cross_account_activity.yml +++ b/stories/aws_cross_account_activity.yml 
@@ -3,6 +3,7 @@ id: 2f2f610a-d64d-48c2-b57c-967a2b49ab5a version: 1 date: '2018-06-04' author: David Dorsey, Splunk +status: production description: Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity. diff --git a/stories/aws_defense_evasion.yml b/stories/aws_defense_evasion.yml index fdf8802ed2..0bb3ca6bb9 100644 --- a/stories/aws_defense_evasion.yml +++ b/stories/aws_defense_evasion.yml @@ -3,6 +3,7 @@ id: 4e00b690-293f-434d-a9d8-bcfb2ea5fff9 version: 1 date: '2022-07-15' author: Gowthamaraj Rajendran, Splunk +status: production description: Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others. narrative: Adversaries employ a variety of techniques in order to avoid detection and operate diff --git a/stories/aws_iam_privilege_escalation.yml b/stories/aws_iam_privilege_escalation.yml index 6d08eaa713..cd93765bff 100644 --- a/stories/aws_iam_privilege_escalation.yml +++ b/stories/aws_iam_privilege_escalation.yml @@ -3,6 +3,7 @@ id: ced74200-8465-4bc3-bd2c-22782eec6750 version: 2 date: '2024-09-24' author: Bhavin Patel, Splunk +status: production description: This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation. narrative: 'Amazon Web Services provides a neat feature called Identity and Access diff --git a/stories/aws_identity_and_access_management_account_takeover.yml b/stories/aws_identity_and_access_management_account_takeover.yml index 350970df73..83d01652aa 100644 --- a/stories/aws_identity_and_access_management_account_takeover.yml +++ b/stories/aws_identity_and_access_management_account_takeover.yml 
@@ -3,6 +3,7 @@ id: 4210b690-293f-411d-a9d8-bcfb2ea5fff9 version: 2 date: '2022-08-19' author: Gowthamaraj Rajendran, Bhavin Patel, Splunk +status: production description: Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS. narrative: Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities. diff --git a/stories/aws_network_acl_activity.yml b/stories/aws_network_acl_activity.yml index 7def55a8b2..9f4e6c038e 100644 --- a/stories/aws_network_acl_activity.yml +++ b/stories/aws_network_acl_activity.yml @@ -3,6 +3,7 @@ id: 2e8948a5-5239-406b-b56b-6c50ff268af4 version: 2 date: '2018-05-21' author: Bhavin Patel, Splunk +status: production description: Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it. narrative: AWS CloudTrail is an AWS service that helps you enable governance, compliance, 
diff --git a/stories/aws_security_hub_alerts.yml b/stories/aws_security_hub_alerts.yml index c0745fdcef..6b5b2f5799 100644 --- a/stories/aws_security_hub_alerts.yml +++ b/stories/aws_security_hub_alerts.yml @@ -3,6 +3,7 @@ id: 2f2f610a-d64d-48c2-b57c-96722b49ab5a version: 1 date: '2020-08-04' author: Bhavin Patel, Splunk +status: production description: This story is focused around detecting Security Hub alerts generated from AWS narrative: AWS Security Hub collects and consolidates findings from AWS security services diff --git a/stories/aws_user_monitoring.yml b/stories/aws_user_monitoring.yml index a4b80bd9a9..111d64b824 100644 --- a/stories/aws_user_monitoring.yml +++ b/stories/aws_user_monitoring.yml @@ -3,6 +3,7 @@ id: 2e8948a5-5239-406b-b56b-6c50f1269af3 version: 1 date: '2018-03-12' author: Bhavin Patel, Splunk +status: production description: Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment. diff --git a/stories/azorult.yml b/stories/azorult.yml index 6f6c5e5315..13dc30714f 100644 --- a/stories/azorult.yml +++ b/stories/azorult.yml @@ -3,6 +3,7 @@ id: efed5343-4ac2-42b1-a16d-da2428d0ce94 version: 1 date: '2022-06-09' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. diff --git a/stories/azure_active_directory_account_takeover.yml b/stories/azure_active_directory_account_takeover.yml index 709898c01e..9a145d303e 100644 
--- a/stories/azure_active_directory_account_takeover.yml +++ b/stories/azure_active_directory_account_takeover.yml @@ -3,6 +3,7 @@ id: 41514c46-7118-4eab-a9bb-f3bfa4e3bea9 version: 2 date: '2022-07-14' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants. narrative: 'Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.' diff --git a/stories/azure_active_directory_persistence.yml b/stories/azure_active_directory_persistence.yml index 6f6bc34c18..101da0107f 100644 --- a/stories/azure_active_directory_persistence.yml +++ b/stories/azure_active_directory_persistence.yml 
@@ -3,6 +3,7 @@ id: dca983db-6334-4a0d-be32-80611ca1396c version: 2 date: '2024-09-24' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants. narrative: 'Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure diff --git a/stories/azure_active_directory_privilege_escalation.yml b/stories/azure_active_directory_privilege_escalation.yml index b379373393..ea48106a1d 100644 --- a/stories/azure_active_directory_privilege_escalation.yml +++ b/stories/azure_active_directory_privilege_escalation.yml @@ -3,6 +3,7 @@ id: ec78e872-b79c-417d-b256-8fde902522fb version: 1 date: '2023-04-24' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants. narrative: Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. diff --git a/stories/backdoor_pingpong.yml b/stories/backdoor_pingpong.yml new file mode 100644 index 0000000000..bdcb1e61ac --- /dev/null +++ b/stories/backdoor_pingpong.yml 
@@ -0,0 +1,18 @@ +name: Backdoor Pingpong +id: 1231ff23-543e-4eb9-b9e0-a97d9333bebc +version: 1 +date: '2025-01-27' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Backdoor.PingPong malware, a legacy threat that provides unauthorized remote access to compromised systems. Look for signs such as unexpected pings or ICMP traffic patterns that deviate from normal behavior. Investigate unauthorized processes or network connections, particularly those attempting to establish external communication. Combining threat intelligence with behavioral analytics helps identify this backdoor’s attempts to exploit vulnerabilities. Early detection and response are critical to mitigating the risk of this malware. +narrative: Backdoor.PingPong is an older malware family designed to provide unauthorized remote access to compromised systems. It often utilizes ICMP traffic, including ping requests, as a covert communication channel to receive commands or exfiltrate data. Despite its simplicity compared to modern threats, it can still be effective in environments with inadequate monitoring. By exploiting system vulnerabilities or poor network segmentation, PingPong enables attackers to maintain persistence and control. Detecting its activity requires careful analysis of network traffic and unusual process behaviors. +references: +- https://www.crowdstrike.com/en-us/blog/an-analysis-of-lightbasin-telecommunications-attacks/ +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file diff --git a/stories/baron_samedit_cve_2021_3156.yml b/stories/baron_samedit_cve_2021_3156.yml index 2253b438a9..3030bc82b8 100644 --- a/stories/baron_samedit_cve_2021_3156.yml +++ b/stories/baron_samedit_cve_2021_3156.yml 
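Review bot: the new stories/backdoor_pingpong.yml is committed without a trailing newline (`\ No newline at end of file`); add one so the file matches the other story files and the final `usecase: Advanced Threat Detection` line does not show as modified in the next unrelated diff. The description also uses a curly apostrophe in `backdoor’s`; a plain ASCII apostrophe keeps the YAML consistent with the rest of the stories and avoids encoding surprises in downstream rendering.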
@@ -3,6 +3,7 @@ id: 817b0dfc-23ba-4bcc-96cc-2cb77e428fbe version: 1 date: '2021-01-27' author: Shannon Davis, Splunk +status: production description: Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and diff --git a/stories/bishopfox_sliver_adversary_emulation_framework.yml b/stories/bishopfox_sliver_adversary_emulation_framework.yml index 555690d779..80229fc439 100644 --- a/stories/bishopfox_sliver_adversary_emulation_framework.yml +++ b/stories/bishopfox_sliver_adversary_emulation_framework.yml @@ -3,6 +3,7 @@ id: 8c2e2cba-3fd8-424f-a890-5080bdaf3f31 version: 1 date: '2023-01-24' author: Michael Haag, Splunk +status: production description: The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023). narrative: Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox. references: diff --git a/stories/bits_jobs.yml b/stories/bits_jobs.yml index c37db375b3..ccd05ebe37 100644 --- a/stories/bits_jobs.yml +++ b/stories/bits_jobs.yml 
@@ -3,6 +3,7 @@ id: dbc7edce-8e4c-11eb-9f31-acde48001122 version: 1 date: '2021-03-26' author: Michael Haag, Splunk +status: production description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. narrative: Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, diff --git a/stories/blackbyte_ransomware.yml b/stories/blackbyte_ransomware.yml index d9b5bab660..f74d3ff9c9 100644 --- a/stories/blackbyte_ransomware.yml +++ b/stories/blackbyte_ransomware.yml @@ -3,6 +3,7 @@ id: b18259ac-0746-45d7-bd1f-81d65274a80b version: 1 date: '2023-07-10' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry diff --git a/stories/blacklotus_campaign.yml b/stories/blacklotus_campaign.yml index e111004c34..c1e9c19a7a 100644 --- a/stories/blacklotus_campaign.yml +++ b/stories/blacklotus_campaign.yml 
@@ -3,6 +3,7 @@ id: 8eb0e418-a2b6-4327-a387-85c976662c8f version: 1 date: '2023-04-14' author: Michael Haag, Splunk +status: production description: The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality narrative: "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign." diff --git a/stories/blackmatter_ransomware.yml b/stories/blackmatter_ransomware.yml index 3d24e928bb..8be2860351 100644 --- a/stories/blackmatter_ransomware.yml +++ b/stories/blackmatter_ransomware.yml @@ -3,6 +3,7 @@ id: 0da348a3-78a0-412e-ab27-2de9dd7f9fee version: 1 date: '2021-09-06' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry diff --git a/stories/blacksuit_ransomware.yml b/stories/blacksuit_ransomware.yml index 836f605316..3f262c2c5e 100644 --- a/stories/blacksuit_ransomware.yml +++ b/stories/blacksuit_ransomware.yml 
@@ -3,6 +3,7 @@ id: 4c7bef12-679f-433c-92dd-d9feccc1432b version: 1 date: '2024-08-26' author: Michael Haag, Splunk +status: production description: This analytic story covers the tactics, techniques, and procedures (TTPs) associated with BlackSuit ransomware, as observed in a December 2023 intrusion. The story encompasses the full attack lifecycle, from initial access via Cobalt Strike beacons to lateral movement, credential access, and ultimately the deployment of BlackSuit ransomware. It aims to help security teams detect and respond to similar attacks by focusing on key behaviors such as Cobalt Strike activity, use of tools like ADFind and Sharphound, and the final ransomware deployment phase. narrative: In December 2023, a sophisticated intrusion culminating in the deployment of BlackSuit ransomware was observed. The attack began with the execution of a Cobalt Strike beacon, which initially communicated through CloudFlare to conceal the true C2 server. The threat actors leveraged various tools throughout the intrusion, including Sharphound, Rubeus, SystemBC, and ADFind, alongside built-in Windows utilities. diff --git a/stories/brand_monitoring.yml b/stories/brand_monitoring.yml index 221c2686c3..a6689bb9c8 100644 --- a/stories/brand_monitoring.yml +++ b/stories/brand_monitoring.yml @@ -3,6 +3,7 @@ id: 91c676cf-0b23-438d-abee-f6335e1fce78 version: 1 date: '2017-12-19' author: David Dorsey, Splunk +status: production description: Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name. diff --git a/stories/braodo_stealer.yml b/stories/braodo_stealer.yml index e87f78166e..49ad3f50c9 100644 --- a/stories/braodo_stealer.yml +++ b/stories/braodo_stealer.yml 
@@ -3,6 +3,7 @@ id: ec5c8721-3c13-45ac-90e8-64c63a8fdc24 version: 1 date: '2024-10-24' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that may be related to the Braodo Stealer malware, a malicious software designed to steal sensitive information from infected systems. This malware typically targets login credentials, browser history, cookies, and stored passwords. Braodo Stealer often infiltrates through phishing campaigns or malicious downloads, enabling attackers to gain unauthorized access to personal and financial data. By monitoring unusual system behaviors, such as unauthorized network connections or data exfiltration, you can help prevent data breaches and mitigate the impact of this threat. narrative: Braodo Stealer is a stealthy and dangerous piece of malware specifically engineered to siphon sensitive information from compromised systems. Often spread through phishing emails or disguised as legitimate downloads, it silently infiltrates a victim’s device. Once inside, it scours through browser histories, steals login credentials, captures cookies, and even extracts saved passwords from various applications. With this stolen data, cybercriminals can gain access to banking accounts, social media profiles, or business platforms. What makes Braodo Stealer particularly threatening is its ability to remain undetected, allowing attackers to exploit compromised systems for extended periods before the user becomes aware. references: diff --git a/stories/brute_ratel_c4.yml b/stories/brute_ratel_c4.yml index 53e0e14fec..02eaee9672 100644 --- a/stories/brute_ratel_c4.yml +++ b/stories/brute_ratel_c4.yml 
@@ -3,6 +3,7 @@ id: 0ec9dbfe-f64e-46bb-8eb8-04e92326f513 version: 1 date: '2022-08-23' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, diff --git a/stories/caddy_wiper.yml b/stories/caddy_wiper.yml index 5606c2b246..cd9472011a 100644 --- a/stories/caddy_wiper.yml +++ b/stories/caddy_wiper.yml @@ -3,6 +3,7 @@ id: 435a156a-8ef1-4184-bd52-22328fb65d3a version: 1 date: '2022-03-25' author: Teoderick Contreras, Rod Soto, Splunk +status: production description: Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions. narrative: Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions. references: diff --git a/stories/chaos_ransomware.yml b/stories/chaos_ransomware.yml index 5107153c54..651fc9d296 100644 --- a/stories/chaos_ransomware.yml +++ b/stories/chaos_ransomware.yml @@ -3,6 +3,7 @@ id: 153d7b8f-27f2-4e4d-bae8-dfafd93a22a8 version: 1 date: '2023-01-11' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more. 
diff --git a/stories/cisa_aa22_257a.yml b/stories/cisa_aa22_257a.yml index 4a73333fa0..0433f4fc47 100644 --- a/stories/cisa_aa22_257a.yml +++ b/stories/cisa_aa22_257a.yml @@ -3,6 +3,7 @@ id: e1aec96e-bc7d-4edf-8ff7-3da9b7b29147 version: 1 date: '2022-09-15' author: Michael Haag, Splunk +status: production description: The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. narrative: This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. diff --git a/stories/cisa_aa22_264a.yml b/stories/cisa_aa22_264a.yml index 26000c1c0b..fd98ccbb63 100644 --- a/stories/cisa_aa22_264a.yml +++ b/stories/cisa_aa22_264a.yml 
@@ -3,6 +3,7 @@ id: bc7056a5-c3b0-4b83-93ce-5f31739305c8 version: 1 date: '2022-09-22' author: Michael Haag, Splunk +status: production description: Iranian State Actors Conduct Cyber Operations Against the Government of Albania. narrative: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran. diff --git a/stories/cisa_aa22_277a.yml b/stories/cisa_aa22_277a.yml index 8e1a97b986..a1fcb81711 100644 --- a/stories/cisa_aa22_277a.yml +++ b/stories/cisa_aa22_277a.yml 
@@ -3,6 +3,7 @@ id: db408f93-e915-4215-9962-5fada348bdd7 version: 1 date: '2022-10-05' author: Michael Haag, Splunk +status: production description: From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized. narrative: CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data. references: diff --git a/stories/cisa_aa22_320a.yml b/stories/cisa_aa22_320a.yml index c8b9b560f2..c20685b733 100644 --- a/stories/cisa_aa22_320a.yml +++ b/stories/cisa_aa22_320a.yml 
@@ -3,6 +3,7 @@ id: c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4 version: 1 date: '2022-11-16' author: Michael Haag, Splunk +status: production description: CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective. narrative: From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors. references: diff --git a/stories/cisa_aa23_347a.yml b/stories/cisa_aa23_347a.yml index b792b6a09a..f685852f97 100644 --- a/stories/cisa_aa23_347a.yml +++ b/stories/cisa_aa23_347a.yml @@ -3,6 +3,7 @@ id: 257a2f28-fcbe-4226-8d1f-957880098331 version: 3 date: '2024-12-09' author: Teoderick Contreras, Rod Soto, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host. diff --git a/stories/cisa_aa24_241a.yml b/stories/cisa_aa24_241a.yml index 1a7eba2bdf..3c36288c56 100644 --- a/stories/cisa_aa24_241a.yml +++ b/stories/cisa_aa24_241a.yml 
@@ -3,6 +3,7 @@ id: f075adb6-76a6-4476-b24a-ce9d471a1bdc version: 2 date: '2024-10-07' author: Michael Haag, Splunk +status: production description: This story covers the tactics of Iran-based cyber actors exploiting U.S. and foreign organizations across multiple sectors, as detailed in CISA Alert AA24-241A. It focuses on their methods of gaining initial access, establishing persistence, and enabling ransomware attacks through vulnerabilities in public-facing networking devices. narrative: As of August 2024, Iran-based cyber actors continue to exploit organizations across several U.S. sectors and other countries. The FBI assesses that a significant percentage of these operations aim to obtain network access for collaboration with ransomware affiliates. The actors typically use Shodan to identify vulnerable devices, then exploit public-facing networking equipment such as Citrix Netscaler, F5 BIG-IP, and various VPNs. They deploy webshells, create local accounts, and manipulate existing ones to maintain access. Post-exploitation, they repurpose credentials, disable security software, and use remote access tools. The group collaborates with ransomware affiliates like NoEscape, Ransomhouse, and ALPHV, actively participating in network lockdowns and extortion strategies. Defenders should prioritize patching public-facing devices, monitoring for unauthorized accounts and suspicious PowerShell activity, implementing strong access controls, and regularly reviewing logs for signs of compromise. references: diff --git a/stories/cisco_ios_xe_software_web_management_user_interface_vulnerability.yml b/stories/cisco_ios_xe_software_web_management_user_interface_vulnerability.yml index 2590025e80..a2aa3217ce 100644 --- a/stories/cisco_ios_xe_software_web_management_user_interface_vulnerability.yml +++ b/stories/cisco_ios_xe_software_web_management_user_interface_vulnerability.yml 
@@ -3,6 +3,7 @@ id: b5394b6a-b774-4bb6-a2bc-98f98cf7be88 version: 1 date: '2023-10-17' author: Michael Haag, Splunk +status: production description: Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. narrative: Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. 
For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed. references: diff --git a/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml b/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml index 1f8b980b90..54310ad57b 100644 --- a/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml +++ b/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml 
@@ -3,6 +3,7 @@ id: b194d644-4095-431a-bee0-a8e6ec067414 version: 1 date: '2023-10-24' author: Michael Haag, Splunk +status: production description: A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised. narrative: On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability. references: diff --git a/stories/citrix_netscaler_adc_cve_2023_3519.yml b/stories/citrix_netscaler_adc_cve_2023_3519.yml index 67f648a756..40bcb23015 100644 --- a/stories/citrix_netscaler_adc_cve_2023_3519.yml +++ b/stories/citrix_netscaler_adc_cve_2023_3519.yml 
@@ -3,6 +3,7 @@ id: 094df1fe-4345-4c01-8a0f-c65cf7b758bd version: 1 date: '2023-07-20' author: Michael Haag, Splunk +status: production description: The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises. narrative: Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls. diff --git a/stories/citrix_sharefile_rce_cve_2023_24489.yml b/stories/citrix_sharefile_rce_cve_2023_24489.yml index 7ae133eb88..b6e0aace42 100644 --- a/stories/citrix_sharefile_rce_cve_2023_24489.yml +++ b/stories/citrix_sharefile_rce_cve_2023_24489.yml 
@@ -3,6 +3,7 @@ id: 10c7e01a-5743-4995-99df-a66f6b5db653 version: 1 date: '2023-07-26' author: Michael Haag, Splunk +status: production description: A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue. narrative: The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution. diff --git a/stories/cleo_file_transfer_software.yml b/stories/cleo_file_transfer_software.yml index 1a107919a1..56646f3b12 100644 --- a/stories/cleo_file_transfer_software.yml +++ b/stories/cleo_file_transfer_software.yml 
@@ -3,6 +3,7 @@ id: 058be65c-f007-4a3a-90f6-d2604f98a18b version: 1 date: '2024-12-11' author: Michael Haag, Splunk +status: production description: This analytic story addresses the exploitation of Cleo file transfer software products (LexiCom, VLTrader, and Harmony) through CVE-2024-50623. This vulnerability allows unauthenticated attackers to execute arbitrary system commands through the web interface, potentially leading to remote code execution and system compromise. narrative: In December 2024, threat actors began actively exploiting a critical vulnerability (CVE-2024-50623) in Cleo's file transfer software suite. The vulnerability affects multiple Cleo products including LexiCom, VLTrader, and Harmony. Attackers can exploit this flaw to execute system commands without authentication through the web interface, typically leveraging PowerShell commands for payload delivery and execution. The exploitation often involves accessing the software's autorun functionality and web interface to deploy malicious commands, potentially leading to data theft, ransomware deployment, or establishment of persistent access. Common installation paths include C:\LexiCom, C:\VLTrader, and C:\Harmony, with critical activity logged in their respective XML log files. references: diff --git a/stories/clop_ransomware.yml b/stories/clop_ransomware.yml index f743272a76..aecaa0c4b8 100644 --- a/stories/clop_ransomware.yml +++ b/stories/clop_ransomware.yml @@ -3,6 +3,7 @@ id: 5a6f6849-1a26-4fae-aa05-fa730556eeb6 version: 1 date: '2021-03-17' author: Rod Soto, Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, diff --git a/stories/cloud_cryptomining.yml b/stories/cloud_cryptomining.yml index 201f5dbeb1..bce58d3fc1 100644 
--- a/stories/cloud_cryptomining.yml +++ b/stories/cloud_cryptomining.yml @@ -3,6 +3,7 @@ id: 3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a version: 1 date: '2019-10-02' author: David Dorsey, Splunk +status: production description: Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users diff --git a/stories/cloud_federated_credential_abuse.yml b/stories/cloud_federated_credential_abuse.yml index 2ecc0ac7a7..46d6fd6d48 100644 --- a/stories/cloud_federated_credential_abuse.yml +++ b/stories/cloud_federated_credential_abuse.yml @@ -3,6 +3,7 @@ id: cecdc1e7-0af2-4a55-8967-b9ea62c0317d version: 1 date: '2021-01-26' author: Rod Soto, Splunk +status: production description: This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active diff --git a/stories/cobalt_strike.yml b/stories/cobalt_strike.yml index b890d5f045..41beae52bc 100644 --- a/stories/cobalt_strike.yml +++ b/stories/cobalt_strike.yml @@ -3,6 +3,7 @@ id: bcfd17e8-5461-400a-80a2-3b7d1459220c version: 1 date: '2021-02-16' author: Michael Haag, Splunk +status: production description: Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat diff --git a/stories/coldroot_macos_rat.yml b/stories/coldroot_macos_rat.yml index 22c8722f66..cbda3ac38f 100644 --- a/stories/coldroot_macos_rat.yml +++ b/stories/coldroot_macos_rat.yml 
@@ -3,6 +3,7 @@ id: bd91a2bc-d20b-4f44-a982-1bea98e86390 version: 1 date: '2019-01-09' author: Jose Hernandez, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, diff --git a/stories/collection_and_staging.yml b/stories/collection_and_staging.yml index 484b6aad63..309340254f 100644 --- a/stories/collection_and_staging.yml +++ b/stories/collection_and_staging.yml @@ -3,6 +3,7 @@ id: 8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a version: 2 date: '2024-09-24' author: Rico Valdez, Splunk +status: production description: 'Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating diff --git a/stories/command_and_control.yml b/stories/command_and_control.yml index 4009173f30..c599c62581 100644 --- a/stories/command_and_control.yml +++ b/stories/command_and_control.yml @@ -3,6 +3,7 @@ id: 943773c6-c4de-4f38-89a8-0b92f98804d8 version: 1 date: '2018-06-01' author: Rico Valdez, Splunk +status: production description: Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions diff --git a/stories/compromised_linux_host.yml b/stories/compromised_linux_host.yml index 7e2902252e..50f6105e26 100644 --- a/stories/compromised_linux_host.yml +++ b/stories/compromised_linux_host.yml 
@@ -3,6 +3,7 @@ id: d7ea2fc0-3710-4257-b64f-f3c2a6abebd3 version: 1 date: '2024-06-25' author: Teoderick Contreras, Splunk +status: production description: Monitor for activities and techniques associated with Compromised Linux Host attacks. These include unauthorized access attempts, unusual network traffic patterns, and the presence of unknown or suspicious processes. Look for unexpected changes in system files, modifications to configuration files, diff --git a/stories/compromised_user_account.yml b/stories/compromised_user_account.yml index 76cb25069f..92ed1d5d65 100644 --- a/stories/compromised_user_account.yml +++ b/stories/compromised_user_account.yml @@ -3,6 +3,7 @@ id: 19669154-e9d1-4a01-b144-e6592a078092 version: 1 date: '2023-01-19' author: Mauricio Velazco, Bhavin Patel, Splunk +status: production description: Monitor for activities and techniques associated with Compromised User Account attacks. narrative: Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts. references: diff --git a/stories/compromised_windows_host.yml b/stories/compromised_windows_host.yml index a4c8902e42..c8c8989695 100644 --- a/stories/compromised_windows_host.yml +++ b/stories/compromised_windows_host.yml 
@@ -3,6 +3,7 @@ id: 95c15513-180b-4534-9e34-a085a26ce481 version: 1 date: '2024-04-18' author: Teoderick Contreras, Splunk +status: production description: Monitor for activities and techniques associated with Compromised Windows Host attacks. A compromised Windows host refers to a computer system running the Windows operating system that has been infiltrated or attacked by unauthorized parties. Such compromises often result in security breaches, diff --git a/stories/confluence_data_center_and_confluence_server_vulnerabilities.yml b/stories/confluence_data_center_and_confluence_server_vulnerabilities.yml index b5e9404d20..77f25b44d7 100644 --- a/stories/confluence_data_center_and_confluence_server_vulnerabilities.yml +++ b/stories/confluence_data_center_and_confluence_server_vulnerabilities.yml @@ -3,6 +3,7 @@ id: 509387a5-ab53-4656-8bb5-4bc8c2c074d9 version: 1 date: '2024-01-22' author: Michael Haag, Splunk +status: production description: The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server. narrative: The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments. references: diff --git a/stories/connectwise_screenconnect_vulnerabilities.yml b/stories/connectwise_screenconnect_vulnerabilities.yml index 624f135c0e..8fcb3d9dbb 100644 --- a/stories/connectwise_screenconnect_vulnerabilities.yml +++ b/stories/connectwise_screenconnect_vulnerabilities.yml 
@@ -3,6 +3,7 @@ id: fbee3185-748c-40d8-a60c-c2e2c9eb738b version: 1 date: '2024-02-21' author: Michael Haag, Splunk +status: production description: This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities. narrative: The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation. references: diff --git a/stories/credential_dumping.yml b/stories/credential_dumping.yml index 729ac02a98..8778378f00 100644 --- a/stories/credential_dumping.yml +++ b/stories/credential_dumping.yml @@ -3,6 +3,7 @@ id: 854d78bf-d0e2-4f4e-b05c-640905f86d7a version: 3 date: '2020-02-04' author: Rico Valdez, Splunk +status: production description: Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and diff --git a/stories/critical_alerts.yml b/stories/critical_alerts.yml index cbb7bc2d47..ac2c88d6aa 100644 --- a/stories/critical_alerts.yml +++ b/stories/critical_alerts.yml 
@@ -3,6 +3,7 @@ id: bc7056a5-c2b0-4b83-93ce-5f31739305c8 version: 1 date: '2024-06-21' author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk +status: production description: This analytic story contains detections that monitor critical alerts data from security tools ingested into Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations and other risk events, it offers a nuanced perspective on potential threats and security posture of your organization. narrative: Monitoring alerts from security tools is crucial because they act as an early warning system for potential threats. High and critical alerts signal serious issues that could compromise your systems if not addressed promptly. By keeping an eye on these alerts, you can quickly identify and respond to threats, minimizing damage and protecting sensitive data. This proactive approach not only strengthens your security posture but also ensures you're ready to tackle any compliance requirements by maintaining a detailed record of significant security events. This story has rules that integrates and assesses critical alerts from Endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, it provides a comprehensive view of customer risk. It triggers an alert when critical alerts are detected, preserving the source and assigning risk scores. This helps security analysts understand threats and respond effectively. references: diff --git a/stories/crushftp_vulnerabilities.yml b/stories/crushftp_vulnerabilities.yml index 45231703cc..a72cb1f9d8 100644 --- a/stories/crushftp_vulnerabilities.yml +++ b/stories/crushftp_vulnerabilities.yml 
@@ -3,6 +3,7 @@ id: 933df821-3b75-4669-a58a-e85d2cd7b9b0 version: 1 date: '2024-05-16' author: Michael Haag, Splunk +status: production description: CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox. narrative: CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats. references: diff --git a/stories/crypto_stealer.yml b/stories/crypto_stealer.yml new file mode 100644 index 0000000000..4558db0b3e --- /dev/null +++ b/stories/crypto_stealer.yml 
@@ -0,0 +1,18 @@ +name: Crypto Stealer +id: 71efef85-aec7-46c7-bdaa-693b9d2bef4b +version: 1 +date: '2024-12-17' +author: Teoderick Contreras, Splunk +status: production +description: Crypto Stealer is a malware strain designed to exfiltrate cryptocurrency-related data from compromised systems. It scans the infected machine for wallet files, clipboard activity, and other cryptocurrency artifacts, focusing on intercepting sensitive information like private keys or transaction details. The malware communicates with a command-and-control (C2) server to transmit the harvested data and can dynamically adapt its behavior based on instructions received. Detection indicators include unusual network activity to suspicious IP addresses, unauthorized file access targeting cryptocurrency wallet directories, and anomalous clipboard usage associated with cryptocurrency strings (e.g., wallet addresses). Security solutions should monitor for these behaviors and implement heuristic analysis to identify deviations from normal system operations. Users are encouraged to maintain updated endpoint protection and avoid downloading files from untrusted sources to mitigate the risk posed by Crypto Stealer. +narrative: In the ever-evolving landscape of cybercrime, Crypto Stealer emerges as a sophisticated malware targeting the lucrative world of cryptocurrency. By exploiting system vulnerabilities, the malware actively scans for wallet files, clipboard data, and other digital assets, focusing on intercepting sensitive information like private keys and transaction details. Once deployed, Crypto Stealer communicates with a command-and-control (C2) server to exfiltrate stolen data and receive updated instructions for further exploitation. 
Notably, it often works in tandem with other malicious components, such as XMRig, a widely abused cryptocurrency miner that hijacks system resources for illicit mining operations, and ClipBanker, which manipulates clipboard activity to replace wallet addresses in transactions with those controlled by attackers. These combined tactics maximize the attack's profitability while minimizing the victim's ability to detect the theft. Indicators of compromise include unauthorized access to cryptocurrency wallet files, suspicious clipboard behavior, and outbound connections to known malicious IP addresses. By understanding and recognizing these patterns, defenders can develop effective strategies to detect and mitigate threats like Crypto Stealer before significant damage occurs. + +references: [] +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file diff --git a/stories/cve_2022_40684_fortinet_appliance_auth_bypass.yml b/stories/cve_2022_40684_fortinet_appliance_auth_bypass.yml index 158f7e59c6..e9ab1a2528 100644 --- a/stories/cve_2022_40684_fortinet_appliance_auth_bypass.yml +++ b/stories/cve_2022_40684_fortinet_appliance_auth_bypass.yml 
@@ -3,6 +3,7 @@ id: 55721831-577e-41be-beef-bdc03c81486a version: 1 date: '2022-10-14' author: Michael Haag, Splunk +status: production description: Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684. narrative: FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai) references: diff --git a/stories/cve_2023_21716_word_rtf_heap_corruption.yml b/stories/cve_2023_21716_word_rtf_heap_corruption.yml index ba28e62bab..03398785ef 100644 --- a/stories/cve_2023_21716_word_rtf_heap_corruption.yml +++ b/stories/cve_2023_21716_word_rtf_heap_corruption.yml 
@@ -3,6 +3,7 @@ id: b1aeaf2c-8496-42e7-b2f7-15c328bc75d9 version: 1 date: '2023-03-10' author: Michael Haag, Splunk +status: production description: A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files. narrative: This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. diff --git a/stories/cve_2023_22515_privilege_escalation_vulnerability_confluence_data_center_and_server.yml b/stories/cve_2023_22515_privilege_escalation_vulnerability_confluence_data_center_and_server.yml index d26d93f9c5..9b6c3a8db2 100644 --- a/stories/cve_2023_22515_privilege_escalation_vulnerability_confluence_data_center_and_server.yml +++ b/stories/cve_2023_22515_privilege_escalation_vulnerability_confluence_data_center_and_server.yml 
@@ -4,6 +4,7 @@ id: ead8eb10-9e7c-4a07-a44c-c6e73997a1a3 version: 1 date: '2023-10-04' author: Michael Haag, Splunk +status: production description: On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided. narrative: Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats. diff --git a/stories/cve_2023_23397_outlook_elevation_of_privilege.yml b/stories/cve_2023_23397_outlook_elevation_of_privilege.yml index ff7b827a72..f6b6dd9616 100644 --- a/stories/cve_2023_23397_outlook_elevation_of_privilege.yml +++ b/stories/cve_2023_23397_outlook_elevation_of_privilege.yml 
@@ -3,6 +3,7 @@ id: b459911b-551f-480f-a402-18cf89ca1e9c version: 1 date: '2023-03-15' author: Michael Haag, Splunk +status: production description: Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. narrative: Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. diff --git a/stories/cve_2023_36884_office_and_windows_html_rce_vulnerability.yml b/stories/cve_2023_36884_office_and_windows_html_rce_vulnerability.yml index c8d55e764e..fb78e6bd4c 100644 --- a/stories/cve_2023_36884_office_and_windows_html_rce_vulnerability.yml +++ b/stories/cve_2023_36884_office_and_windows_html_rce_vulnerability.yml 
@@ -3,6 +3,7 @@ id: dd7fb691-63d6-47ad-9a7f-1b9005cefad2 version: 1 date: '2023-07-11' author: Michael Haag, Splunk +status: production description: CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key. narrative: CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch. diff --git a/stories/cyclops_blink.yml b/stories/cyclops_blink.yml index 1572718ccf..f7a0ef5782 100644 --- a/stories/cyclops_blink.yml +++ b/stories/cyclops_blink.yml @@ -3,6 +3,7 @@ id: 7c75b1c8-dfff-46f1-8250-e58df91b6fd9 version: 2 date: '2024-03-14' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. diff --git a/stories/darkcrystal_rat.yml b/stories/darkcrystal_rat.yml index fdb6d3bbbb..f2e12cceac 100644 --- a/stories/darkcrystal_rat.yml +++ b/stories/darkcrystal_rat.yml 
@@ -3,6 +3,7 @@ id: 639e6006-0885-4847-9394-ddc2902629bf version: 1 date: '2022-07-26' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest diff --git a/stories/darkgate_malware.yml b/stories/darkgate_malware.yml index c5c3119073..b30c1a1d2a 100644 --- a/stories/darkgate_malware.yml +++ b/stories/darkgate_malware.yml 
@@ -3,6 +3,7 @@ id: a4727b27-9e68-48f0-94a2-253cfb30c15d version: 1 date: '2023-10-31' author: Michael Haag, Splunk +status: production description: Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives. narrative: Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts. diff --git a/stories/darkside_ransomware.yml b/stories/darkside_ransomware.yml index 03c56d3d58..98f2265e2e 100644 --- a/stories/darkside_ransomware.yml +++ b/stories/darkside_ransomware.yml 
@@ -3,6 +3,7 @@ id: 507edc74-13d5-4339-878e-b9114ded1f35 version: 1 date: '2021-05-12' author: Bhavin Patel, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware narrative: This story addresses Darkside ransomware. This ransomware payload has many diff --git a/stories/data_destruction.yml b/stories/data_destruction.yml index 40155991ec..961e2eb739 100644 --- a/stories/data_destruction.yml +++ b/stories/data_destruction.yml @@ -3,6 +3,7 @@ id: 4ae5c0d1-cebd-47d1-bfce-71bf096e38aa version: 1 date: '2023-04-06' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation diff --git a/stories/data_exfiltration.yml b/stories/data_exfiltration.yml index 75a4bfe197..b1381ee263 100644 --- a/stories/data_exfiltration.yml +++ b/stories/data_exfiltration.yml 
@@ -3,6 +3,7 @@ id: 66b0fe0c-1351-11eb-adc1-0242ac120002 version: 2 date: '2023-05-17' author: Bhavin Patel, Shannon Davis, Splunk +status: production description: Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets. narrative: This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place. diff --git a/stories/data_protection.yml b/stories/data_protection.yml index 1e9d60b76c..c15ea6c7dc 100644 --- a/stories/data_protection.yml +++ b/stories/data_protection.yml @@ -3,6 +3,7 @@ id: 91c676cf-0b23-438d-abee-f6335e1fce33 version: 1 date: '2017-09-14' author: Bhavin Patel, Splunk +status: production description: Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration. diff --git a/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml b/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml index 10ab15d858..296d43b462 100644 --- a/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml 
+++ b/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml @@ -3,6 +3,7 @@ id: 8ccdd852-3878-4871-ae37-e5af5c67baf3 version: 1 date: '2024-12-06' author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production description: This analytic story focuses on detecting potential defense evasion or unauthorized access attempts through tampering with Security Descriptor Definition Language (SDDL) settings. Attackers may modify SDDL configurations to alter permissions on critical system components, such as event logs and services, to obscure their activities or gain unauthorized access. This story includes detections for changes to 'ChannelAccess' and 'CustomSD' registry values, as well as the use of tools like 'sc.exe sdset', 'icacls' and 'subinacl' to modify securable objects (files, registry, services, etc) permissions. narrative: Adversaries may attempt to evade detection or gain unauthorized access by modifying ACLs or Security Descriptors of different securable objects on the Windows operating system. By altering these settings, attackers can grant themselves elevated privileges or suppress logging mechanisms, thereby hindering detection and response efforts. Monitoring changes to critical registry values and the execution of specific tools used for SDDL modifications can help identify such malicious activities. references: diff --git a/stories/deobfuscate_decode_files_or_information.yml b/stories/deobfuscate_decode_files_or_information.yml index 50940436d9..2e93f5198f 100644 --- a/stories/deobfuscate_decode_files_or_information.yml +++ b/stories/deobfuscate_decode_files_or_information.yml @@ -3,6 +3,7 @@ id: 0bd01a54-8cbe-11eb-abcd-acde48001122 version: 1 date: '2021-03-24' author: Michael Haag, Splunk +status: production description: Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. narrative: An example of obfuscated files is `Certutil.exe` usage to encode a portable 
diff --git a/stories/deprecated/aws_cryptomining.yml b/stories/deprecated/aws_cryptomining.yml index bac9eba53e..abd30eff4d 100644 --- a/stories/deprecated/aws_cryptomining.yml +++ b/stories/deprecated/aws_cryptomining.yml @@ -3,7 +3,7 @@ id: ced74200-8465-4bc3-bd2c-9a782eec6750 version: 1 date: '2018-03-08' author: David Dorsey, Splunk -type: batch +status: deprecated description: Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are diff --git a/stories/deprecated/aws_suspicious_provisioning_activities.yml b/stories/deprecated/aws_suspicious_provisioning_activities.yml index 77bec41d05..c5403b49fa 100644 --- a/stories/deprecated/aws_suspicious_provisioning_activities.yml +++ b/stories/deprecated/aws_suspicious_provisioning_activities.yml @@ -3,7 +3,7 @@ id: 3338b567-3804-4261-9889-cf0ca4753c7f version: 1 date: '2018-03-16' author: David Dorsey, Splunk -type: batch +status: deprecated description: Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network. diff --git a/stories/deprecated/common_phishing_frameworks.yml b/stories/deprecated/common_phishing_frameworks.yml index c052315506..055ff6b43a 100644 --- a/stories/deprecated/common_phishing_frameworks.yml +++ b/stories/deprecated/common_phishing_frameworks.yml @@ -3,7 +3,7 @@ id: 9a64ab44-9214-4639-8163-7eaa2621bd61 version: 2 date: '2024-09-24' author: Splunk Research Team, Splunk -type: batch +status: deprecated description: 'Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email.' 
diff --git a/stories/deprecated/container_implantation_monitoring_and_investigation.yml b/stories/deprecated/container_implantation_monitoring_and_investigation.yml index 46ec10568e..53ee1b98a8 100644 --- a/stories/deprecated/container_implantation_monitoring_and_investigation.yml +++ b/stories/deprecated/container_implantation_monitoring_and_investigation.yml @@ -3,6 +3,7 @@ id: aa0e28b1-0521-4b6f-9d2a-7b87e34af246 version: 1 date: '2020-02-20' author: Rod Soto, Rico Valdez, Splunk +status: deprecated description: Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container diff --git a/stories/deprecated/host_redirection.yml b/stories/deprecated/host_redirection.yml index 64b420529e..90953fb738 100644 --- a/stories/deprecated/host_redirection.yml +++ b/stories/deprecated/host_redirection.yml @@ -3,7 +3,7 @@ id: 2e8948a5-5239-406b-b56b-6c50fe268af4 version: 1 date: '2017-09-14' author: Rico Valdez, Splunk -type: batch +status: deprecated description: Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches diff --git a/stories/deprecated/kubernetes_sensitive_role_activity.yml b/stories/deprecated/kubernetes_sensitive_role_activity.yml index 6b06309c93..735eb620fa 100644 --- a/stories/deprecated/kubernetes_sensitive_role_activity.yml +++ b/stories/deprecated/kubernetes_sensitive_role_activity.yml 
@@ -3,7 +3,7 @@ id: 8b3984d2-17b6-47e9-ba43-a3376e70fdcc version: 1 date: '2020-05-20' author: Rod Soto, Splunk -type: batch +status: deprecated description: This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces. narrative: Kubernetes is the most used container orchestration platform, this orchestration diff --git a/stories/deprecated/lateral_movement.yml b/stories/deprecated/lateral_movement.yml index 6526b1196d..20c7ee6a69 100644 --- a/stories/deprecated/lateral_movement.yml +++ b/stories/deprecated/lateral_movement.yml 
@@ -3,7 +3,7 @@ id: 399d65dc-1f08-499b-a259-abd9051f38ad version: 3 date: '2024-09-24' author: David Dorsey, Splunk -type: batch +status: deprecated description: "DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts." narrative: "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. 
For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software." references: diff --git a/stories/deprecated/monitor_backup_solution.yml b/stories/deprecated/monitor_backup_solution.yml index 587bc3a31e..c3f2dc7a32 100644 --- a/stories/deprecated/monitor_backup_solution.yml +++ b/stories/deprecated/monitor_backup_solution.yml @@ -3,7 +3,7 @@ id: abe807c7-1eb6-4304-ac32-6e7aacdb891d version: 1 date: '2017-09-12' author: David Dorsey, Splunk -type: batch +status: deprecated description: Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints. diff --git a/stories/deprecated/monitor_for_unauthorized_software.yml b/stories/deprecated/monitor_for_unauthorized_software.yml index cfdf6a1fc6..a9e7d9688d 100644 --- a/stories/deprecated/monitor_for_unauthorized_software.yml +++ b/stories/deprecated/monitor_for_unauthorized_software.yml @@ -3,7 +3,7 @@ id: 8892a655-6205-43f7-abba-06460e38c8ae version: 2 date: '2024-09-24' author: David Dorsey, Splunk -type: batch +status: deprecated description: 'Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment.' narrative: 'It is critical to identify unauthorized software and processes running diff --git a/stories/deprecated/office_365_detections.yml b/stories/deprecated/office_365_detections.yml index 139c6cd309..d2fb3d09b7 100644 --- a/stories/deprecated/office_365_detections.yml 
+++ b/stories/deprecated/office_365_detections.yml @@ -3,6 +3,7 @@ id: 1a51dd71-effc-48b2-abc4-3e9cdb61e5b9 version: 2 date: '2020-12-16' author: Patrick Bareiss, Mauricio Velazco, Splunk +status: deprecated description: Monitor for activities and anomalies indicative of potential threats within Office 365 environments. narrative: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner. references: diff --git a/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml b/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml index 19d8afde1b..3b0bbf9c8d 100644 --- a/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml +++ b/stories/deprecated/spectre_and_meltdown_vulnerabilities.yml @@ -3,7 +3,7 @@ id: 6d3306f6-bb2b-4219-8609-8efad64032f2 version: 1 date: '2018-01-08' author: David Dorsey, Splunk -type: batch +status: deprecated description: Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story. narrative: Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that 
diff --git a/stories/deprecated/suspicious_aws_ec2_activities.yml b/stories/deprecated/suspicious_aws_ec2_activities.yml index a7a1fe285d..89b5348253 100644 --- a/stories/deprecated/suspicious_aws_ec2_activities.yml +++ b/stories/deprecated/suspicious_aws_ec2_activities.yml @@ -3,7 +3,7 @@ id: 2e8948a5-5239-406b-b56b-6c50f1268af3 version: 1 date: '2018-02-09' author: Bhavin Patel, Splunk -type: batch +status: deprecated description: Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users diff --git a/stories/deprecated/unusual_aws_ec2_modifications.yml b/stories/deprecated/unusual_aws_ec2_modifications.yml index 59910c8ff8..f0f1fc4b54 100644 --- a/stories/deprecated/unusual_aws_ec2_modifications.yml +++ b/stories/deprecated/unusual_aws_ec2_modifications.yml @@ -3,7 +3,7 @@ id: 73de57ef-0dfc-411f-b1e7-fa24428aeae0 version: 1 date: '2018-04-09' author: David Dorsey, Splunk -type: batch +status: deprecated description: Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation. diff --git a/stories/deprecated/web_fraud_detection.yml b/stories/deprecated/web_fraud_detection.yml index a709a3a6f9..81d8ee3448 100644 --- a/stories/deprecated/web_fraud_detection.yml +++ b/stories/deprecated/web_fraud_detection.yml @@ -3,7 +3,7 @@ id: 18bb45b9-7684-45c6-9e97-1fdd0d98c0a7 version: 1 date: '2018-10-08' author: Jim Apger, Splunk -type: batch +status: deprecated description: Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets. narrative: 'The Federal Bureau of Investigations (FBI) defines Internet fraud as the 
diff --git a/stories/derusbi.yml b/stories/derusbi.yml new file mode 100644 index 0000000000..7ad346c7d4 --- /dev/null +++ b/stories/derusbi.yml 
@@ -0,0 +1,20 @@ +name: Derusbi +id: 7cd48610-6f75-4b49-ae1d-3bf2cfff1c1c +version: 1 +date: '2025-01-27' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Derusbi malware, a sophisticated threat often linked to advanced persistent attacks. Monitor anomalies in network traffic, file execution patterns, and unauthorized access attempts to uncover potential compromises. Utilize behavioral analytics and endpoint detection tools to identify indicators such as pesistence, service creation, lateral movement via removable drive, driver loading and dll side loading. By correlating these findings with known threat intelligence, you can quickly respond to and mitigate Derusbi-related incidents. +narrative: Derusbi is a stealthy and versatile malware family often associated with advanced persistent threats (APTs) targeting high-value systems. Known for its adaptability, it employs techniques like process injection and encrypted communications to evade detection. This malware family is frequently used for espionage, data theft, and system compromise, leveraging custom modules tailored to specific targets. Derusbi’s ability to remain undetected for extended periods makes it a significant threat, emphasizing the need for robust monitoring and advanced detection mechanisms to mitigate its impact. +references: +- https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf +- https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html +- https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file 
diff --git a/stories/detect_zerologon_attack.yml b/stories/detect_zerologon_attack.yml index 892b2ac0c3..8046a670bc 100644 --- a/stories/detect_zerologon_attack.yml +++ b/stories/detect_zerologon_attack.yml @@ -3,6 +3,7 @@ id: 5d14a962-569e-4578-939f-f386feb63ce4 version: 1 date: '2020-09-18' author: Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk +status: production description: Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now diff --git a/stories/dev_sec_ops.yml b/stories/dev_sec_ops.yml index 6f3ed76978..901e811304 100644 --- a/stories/dev_sec_ops.yml +++ b/stories/dev_sec_ops.yml @@ -3,6 +3,7 @@ id: 0ca8c38e-631e-4b81-940c-f9c5450ce41e version: 1 date: '2021-08-18' author: Patrick Bareiss, Splunk +status: production description: This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor. diff --git a/stories/dhs_report_ta18_074a.yml b/stories/dhs_report_ta18_074a.yml index 2201c5b835..262be24ba6 100644 --- a/stories/dhs_report_ta18_074a.yml +++ b/stories/dhs_report_ta18_074a.yml @@ -3,6 +3,7 @@ id: 0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef version: 2 date: '2020-01-22' author: Rico Valdez, Splunk +status: production description: Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more. diff --git a/stories/disabling_security_tools.yml b/stories/disabling_security_tools.yml index 53b7e4d996..ae54416e48 100644 --- a/stories/disabling_security_tools.yml +++ b/stories/disabling_security_tools.yml 
@@ -3,6 +3,7 @@ id: fcc27099-46a0-46b0-a271-5c7dab56b6f1 version: 2 date: '2020-02-04' author: Rico Valdez, Splunk +status: production description: Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others. diff --git a/stories/dns_amplification_attacks.yml b/stories/dns_amplification_attacks.yml index f30a899be4..5b0a291c06 100644 --- a/stories/dns_amplification_attacks.yml +++ b/stories/dns_amplification_attacks.yml @@ -3,6 +3,7 @@ id: a563972b-d2e2-4978-b6ca-6e83e24af4d3 version: 1 date: '2016-09-13' author: Bhavin Patel, Splunk +status: production description: DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, diff --git a/stories/dns_hijacking.yml b/stories/dns_hijacking.yml index 618219af3b..2190d33fc1 100644 --- a/stories/dns_hijacking.yml +++ b/stories/dns_hijacking.yml @@ -3,6 +3,7 @@ id: 8169f17b-ef68-4b59-aa28-586907301221 version: 1 date: '2020-02-04' author: Bhavin Patel, Splunk +status: production description: Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records. narrative: 'Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), diff --git a/stories/domain_trust_discovery.yml b/stories/domain_trust_discovery.yml index 8bf8f639df..212d1df5ec 100644 --- a/stories/domain_trust_discovery.yml +++ b/stories/domain_trust_discovery.yml 
@@ -3,6 +3,7 @@ id: e6f30f14-8daf-11eb-a017-acde48001122 version: 1 date: '2021-03-25' author: Michael Haag, Splunk +status: production description: Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. diff --git a/stories/double_zero_destructor.yml b/stories/double_zero_destructor.yml index a0d30d0bb3..39a8569f0d 100644 --- a/stories/double_zero_destructor.yml +++ b/stories/double_zero_destructor.yml @@ -3,6 +3,7 @@ id: f56e8c00-3224-4955-9a6e-924ec7da1df7 version: 1 date: '2022-03-25' author: Teoderick Contreras, Rod Soto, Splunk +status: production description: Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD. narrative: Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls. references: diff --git a/stories/dynamic_dns.yml b/stories/dynamic_dns.yml index 313c503b7b..526b9f03ce 100644 --- a/stories/dynamic_dns.yml +++ b/stories/dynamic_dns.yml @@ -3,6 +3,7 @@ id: 8169f17b-ef68-4b59-aae8-586907301221 version: 2 date: '2018-09-06' author: Bhavin Patel, Splunk +status: production description: Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists. diff --git a/stories/earth_estries.yml b/stories/earth_estries.yml new file mode 100644 index 0000000000..81202bfe35 --- /dev/null +++ b/stories/earth_estries.yml 
@@ -0,0 +1,18 @@ +name: Earth Estries +id: 608135e2-eb6b-41bf-9f0c-b12f41a1376a +version: 1 +date: '2025-01-27' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Earth Estries, a sophisticated threat actor targeting various sectors with espionage-focused campaigns. Monitor for indicators such as spear-phishing emails, unauthorized access attempts, and lateral movement within your network. Investigate anomalous data exfiltration patterns and command-and-control (C2) traffic consistent with known tactics, techniques, and procedures (TTPs) of this group. Combining threat intelligence with advanced monitoring tools helps identify potential Earth Estries activity early, enabling swift response to mitigate risks effectively. +narrative: Earth Estries is a highly capable threat actor known for conducting targeted espionage campaigns against diverse sectors, including government, technology, and critical infrastructure. This group leverages sophisticated tactics such as spear-phishing, credential theft, and exploiting software vulnerabilities to gain initial access. Once inside a network, Earth Estries demonstrates expertise in lateral movement, privilege escalation, and covert data exfiltration. Their use of custom malware and command-and-control (C2) infrastructures highlights their adaptability. Detecting their activity requires robust threat intelligence and proactive monitoring of unusual behaviors and network anomalies. +references: +- https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file diff --git a/stories/emotet_malware_dhs_report_ta18_201a.yml b/stories/emotet_malware_dhs_report_ta18_201a.yml index b651506c10..d148f02169 100644 
--- a/stories/emotet_malware_dhs_report_ta18_201a.yml +++ b/stories/emotet_malware_dhs_report_ta18_201a.yml @@ -3,6 +3,7 @@ id: bb9f5ed2-916e-4364-bb6d-91c310efcf52 version: 2 date: '2024-09-24' author: Bhavin Patel, Splunk +status: production description: Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has diff --git a/stories/f5_authentication_bypass_with_tmui.yml b/stories/f5_authentication_bypass_with_tmui.yml index 4aee82e248..37de0dd946 100644 --- a/stories/f5_authentication_bypass_with_tmui.yml +++ b/stories/f5_authentication_bypass_with_tmui.yml 
@@ -3,6 +3,7 @@ id: e4acbea6-75bb-4873-8c22-bc2da9525e89 version: 1 date: '2023-10-30' author: Michael Haag, Splunk +status: production description: "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively." narrative: Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the "Transfer-Encoding" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions. diff --git a/stories/f5_big_ip_vulnerability_cve_2022_1388.yml b/stories/f5_big_ip_vulnerability_cve_2022_1388.yml index f53cabb2b5..02c49083a8 100644 --- a/stories/f5_big_ip_vulnerability_cve_2022_1388.yml +++ b/stories/f5_big_ip_vulnerability_cve_2022_1388.yml 
@@ -3,6 +3,7 @@ id: 0367b177-f8d6-4c4b-a62d-86f52a590bff version: 1 date: '2022-05-10' author: Michael Haag, Splunk +status: production description: CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API. narrative: CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. diff --git a/stories/f5_tmui_rce_cve_2020_5902.yml b/stories/f5_tmui_rce_cve_2020_5902.yml index 6e5a2148cd..f50a00638b 100644 --- a/stories/f5_tmui_rce_cve_2020_5902.yml +++ b/stories/f5_tmui_rce_cve_2020_5902.yml @@ -3,6 +3,7 @@ id: 7678c968-d46e-11ea-87d0-0242ac130003 version: 1 date: '2020-08-02' author: Shannon Davis, Splunk +status: production description: Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows diff --git a/stories/fin7.yml b/stories/fin7.yml index 720c5a6d80..04e667e2b5 100644 --- a/stories/fin7.yml +++ b/stories/fin7.yml 
@@ -3,7 +3,7 @@ id: df2b00d3-06ba-49f1-b253-b19cef19b569 version: 1 date: '2021-09-14' author: Teoderick Contreras, Splunk -type: batch +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and diff --git a/stories/flax_typhoon.yml b/stories/flax_typhoon.yml index 49c8455b05..b55d5f0aee 100644 --- a/stories/flax_typhoon.yml +++ b/stories/flax_typhoon.yml 
@@ -3,6 +3,7 @@ id: 78fadce9-a07f-4508-8d14-9b20052a62cc version: 1 date: '2023-08-25' author: Michael Haag, Splunk +status: production description: Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. narrative: Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems. references: diff --git a/stories/forest_blizzard.yml b/stories/forest_blizzard.yml index 11eface337..5fdf57613c 100644 --- a/stories/forest_blizzard.yml +++ b/stories/forest_blizzard.yml 
@@ -3,6 +3,7 @@ id: 2c1aceda-f0a5-4c83-8543-e23ec1466958 version: 1 date: '2023-09-11' author: Michael Haag, Splunk +status: production description: CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's "Steal-It" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses. narrative: APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's "Steal-It" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their "Living Off The Land" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies. references: diff --git a/stories/fortinet_fortinac_cve_2022_39952.yml b/stories/fortinet_fortinac_cve_2022_39952.yml index 708838a003..f972d5030f 100644 --- a/stories/fortinet_fortinac_cve_2022_39952.yml +++ b/stories/fortinet_fortinac_cve_2022_39952.yml 
@@ -3,6 +3,7 @@ id: 2833a527-3b7f-41af-a950-39f7bbaff819 version: 1 date: '2023-02-21' author: Michael Haag, Splunk +status: production description: On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai). narrative: This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). diff --git a/stories/gcp_account_takeover.yml b/stories/gcp_account_takeover.yml index fdf6641eb2..232540adff 100644 --- a/stories/gcp_account_takeover.yml +++ b/stories/gcp_account_takeover.yml @@ -3,6 +3,7 @@ id: 8601caff-414f-4c6d-9a04-75b66778869d version: 1 date: '2022-10-12' author: Mauricio Velazco, Bhavin Patel, Splunk +status: production description: Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants. narrative: 'Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, diff --git a/stories/gcp_cross_account_activity.yml b/stories/gcp_cross_account_activity.yml index ed222ab4f3..f7c24e533c 100644 --- a/stories/gcp_cross_account_activity.yml +++ b/stories/gcp_cross_account_activity.yml @@ -3,6 +3,7 @@ id: 0432039c-ef41-4b03-b157-450c25dad1e6 version: 1 date: '2020-09-01' author: Rod Soto, Splunk +status: production description: Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity. diff --git a/stories/gomir.yml b/stories/gomir.yml index 515bb091e7..4a5c4c74a5 100644 --- a/stories/gomir.yml 
+++ b/stories/gomir.yml @@ -3,6 +3,7 @@ id: 02dbfda2-45fe-4731-a659-91fa871019ba version: 1 date: '2024-05-29' author: Teoderick Contreras, Splunk +status: production description: This analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal diff --git a/stories/gozi_malware.yml b/stories/gozi_malware.yml index 5f54cdc3f4..06bb863062 100644 --- a/stories/gozi_malware.yml +++ b/stories/gozi_malware.yml @@ -3,6 +3,7 @@ id: a7332538-bb18-421e-874e-a20c9fcc34e7 version: 1 date: '2024-07-24' author: Michael Haag, Splunk +status: production description: This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years. narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from a simple spyware to a sophisticated banking trojan, offered as Crimeware-as-a-Service (CaaS). Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat. diff --git a/stories/graceful_wipe_out_attack.yml b/stories/graceful_wipe_out_attack.yml index c6aa134e1c..874e709974 100644 --- a/stories/graceful_wipe_out_attack.yml +++ b/stories/graceful_wipe_out_attack.yml 
@@ -3,6 +3,7 @@ id: 83b15b3c-6bda-45aa-a3b6-b05c52443f44 version: 1 date: '2023-06-15' author: Teoderick Contreras, Splunk +status: production description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, diff --git a/stories/hafnium_group.yml b/stories/hafnium_group.yml index 3df3f902fe..b2de32324d 100644 --- a/stories/hafnium_group.yml +++ b/stories/hafnium_group.yml @@ -3,6 +3,7 @@ id: beae2ab0-7c3f-11eb-8b63-acde48001122 version: 1 date: '2021-03-03' author: Michael Haag, Splunk +status: production description: HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. narrative: 'On Tuesday, March 2, 2021, Microsoft released a set of security patches diff --git a/stories/handala_wiper.yml b/stories/handala_wiper.yml index 5ae6560592..ee16a43719 100644 --- a/stories/handala_wiper.yml +++ b/stories/handala_wiper.yml 
@@ -3,6 +3,7 @@ id: 1590c46a-e976-4b4b-a166-d9be06ab0056 version: 1 date: '2024-07-31' author: Teoderick Contreras, Splunk +status: production description: Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected `regasm` processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Indicators such as abrupt system slowdowns, and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware. narrative: Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable. This malware is often used in cyber-attacks against critical infrastructure and organizations, causing significant disruption and data loss. This Wiper employs techniques to evade detection and spread rapidly across networks. Its deployment can lead to extensive downtime, financial loss, and compromised sensitive information, making it a severe threat in the cybersecurity landscape. references: diff --git a/stories/hermetic_wiper.yml b/stories/hermetic_wiper.yml index 5435256809..f3334cd04a 100644 --- a/stories/hermetic_wiper.yml +++ b/stories/hermetic_wiper.yml @@ -3,6 +3,7 @@ id: b7511c2e-9a10-11ec-99e3-acde48001122 version: 1 date: '2022-03-02' author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk +status: production description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more. narrative: Hermetic Wiper is destructive malware operation found by Sentinel One targeting 
diff --git a/stories/hidden_cobra_malware.yml b/stories/hidden_cobra_malware.yml index 6a0dabf857..614cfa6d09 100644 --- a/stories/hidden_cobra_malware.yml +++ b/stories/hidden_cobra_malware.yml @@ -3,6 +3,7 @@ id: baf7580b-d4b4-4774-8173-7d198e9da335 version: 2 date: '2020-01-22' author: Rico Valdez, Splunk +status: production description: Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported diff --git a/stories/icedid.yml b/stories/icedid.yml index 81d190ed24..3344917afb 100644 --- a/stories/icedid.yml +++ b/stories/icedid.yml @@ -3,7 +3,7 @@ id: 1d2cc747-63d7-49a9-abb8-93aa36305603 version: 1 date: '2021-07-29' author: Teoderick Contreras, Splunk -type: batch +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection. diff --git a/stories/iis_components.yml b/stories/iis_components.yml index 42fea6e5a3..0c5917fbb0 100644 --- a/stories/iis_components.yml +++ b/stories/iis_components.yml 
@@ -3,6 +3,7 @@ id: 0fbde550-8252-43ab-a26a-03976f55b58b version: 1 date: '2022-12-19' author: Michael Haag, Splunk +status: production description: Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. narrative: IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers. diff --git a/stories/industroyer2.yml b/stories/industroyer2.yml index 250f1317ed..dd9e65c6d6 100644 --- a/stories/industroyer2.yml +++ b/stories/industroyer2.yml @@ -3,7 +3,7 @@ id: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a version: 1 date: '2022-04-21' author: Teoderick Contreras, Splunk -type: batch +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction. diff --git a/stories/information_sabotage.yml b/stories/information_sabotage.yml index b7f1b51fda..c00eec7908 100644 --- a/stories/information_sabotage.yml +++ b/stories/information_sabotage.yml @@ -3,7 +3,7 @@ id: b71ba595-ef80-4e39-8b66-887578a7a71b version: 1 date: '2021-11-17' author: Teoderick Contreras, Splunk -type: Anomaly +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage. narrative: Information sabotage is the type of crime many people associate with insider 
diff --git a/stories/ingress_tool_transfer.yml b/stories/ingress_tool_transfer.yml index 4cbcfb5a76..0bb0b12885 100644 --- a/stories/ingress_tool_transfer.yml +++ b/stories/ingress_tool_transfer.yml @@ -3,6 +3,7 @@ id: b3782036-8cbd-11eb-9d8e-acde48001122 version: 1 date: '2021-03-24' author: Michael Haag, Splunk +status: production description: Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network diff --git a/stories/insider_threat.yml b/stories/insider_threat.yml index f8f425f404..623835b89a 100644 --- a/stories/insider_threat.yml +++ b/stories/insider_threat.yml 
@@ -3,6 +3,7 @@ id: c633df29-a950-4c4c-a0f8-02be6730797c version: 1 date: '2022-05-19' author: Jose Hernandez, Splunk +status: production description: Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment. narrative: "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider." references: diff --git a/stories/ivanti_connect_secure_vpn_vulnerabilities.yml b/stories/ivanti_connect_secure_vpn_vulnerabilities.yml index e14d1b41d7..e2a272010e 100644 --- a/stories/ivanti_connect_secure_vpn_vulnerabilities.yml +++ b/stories/ivanti_connect_secure_vpn_vulnerabilities.yml 
@@ -3,6 +3,7 @@ id: e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab version: 1 date: '2024-01-16' author: Michael Haag, Splunk +status: production description: The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits. narrative: Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks. references: diff --git a/stories/ivanti_epm_vulnerabilities.yml b/stories/ivanti_epm_vulnerabilities.yml index aa170bc81e..2475583cc2 100644 --- a/stories/ivanti_epm_vulnerabilities.yml +++ b/stories/ivanti_epm_vulnerabilities.yml 
@@ -3,6 +3,7 @@ id: 4dcadae4-df82-42f3-9e77-4d852d20ac78 version: 2 date: '2024-09-24' author: Michael Haag, Splunk +status: production description: |- This analytic story covers various vulnerabilities identified in Ivanti Endpoint Manager (EPM), including but not limited to SQL injection, remote code execution, and privilege escalation. These vulnerabilities can potentially be exploited by adversaries to gain unauthorized access, execute arbitrary code, and compromise the security of managed endpoints. narrative: |- diff --git a/stories/ivanti_epmm_remote_unauthenticated_access.yml b/stories/ivanti_epmm_remote_unauthenticated_access.yml index 8bbf25da4b..aadaf420e3 100644 --- a/stories/ivanti_epmm_remote_unauthenticated_access.yml +++ b/stories/ivanti_epmm_remote_unauthenticated_access.yml 
@@ -3,6 +3,7 @@ id: 7e36ca54-c096-4a39-b724-6fc935164f0c version: 2 date: '2023-08-08' author: Michael Haag, Splunk +status: production description: Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security. narrative: Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server. diff --git a/stories/ivanti_sentry_authentication_bypass_cve_2023_38035.yml b/stories/ivanti_sentry_authentication_bypass_cve_2023_38035.yml index 36c87ad257..04d54b663c 100644 
--- a/stories/ivanti_sentry_authentication_bypass_cve_2023_38035.yml +++ b/stories/ivanti_sentry_authentication_bypass_cve_2023_38035.yml @@ -3,6 +3,7 @@ id: da229be2-4637-47a5-b551-1d4b64f411c6 version: 1 date: '2023-08-24' author: Michael Haag, Splunk +status: production description: A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise. narrative: CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges. diff --git a/stories/ivanti_virtual_traffic_manager_cve_2024_7593.yml b/stories/ivanti_virtual_traffic_manager_cve_2024_7593.yml index d9c54b17e0..1832c940aa 100644 --- a/stories/ivanti_virtual_traffic_manager_cve_2024_7593.yml +++ b/stories/ivanti_virtual_traffic_manager_cve_2024_7593.yml 
@@ -3,6 +3,7 @@ id: 28e88e97-3494-45a6-87d5-76065cccf8d2 version: 1 date: '2024-08-19' author: Michael Haag, Splunk +status: production description: This analytic story addresses the critical authentication bypass vulnerability (CVE-2024-7593) in Ivanti Virtual Traffic Manager (vTM). Disclosed in August 2024, this flaw affects vTM versions prior to 22.2R1 and 22.7R2, allowing unauthenticated remote attackers to access the admin panel and create new administrator accounts. Such access could potentially lead to full system compromise. The story provides detections for potential exploitation attempts, focusing on unauthorized account creation and suspicious administrative activities. It aims to help organizations identify and respond to possible attacks leveraging this vulnerability, emphasizing the importance of timely patching and thorough investigation of any suspicious events. narrative: In August 2024, a critical vulnerability (CVE-2024-7593) was disclosed in Ivanti Virtual Traffic Manager (vTM) versions prior to 22.2R1 and 22.7R2. This authentication bypass flaw allows unauthenticated remote attackers to access the admin panel and create new administrator accounts, potentially leading to full system compromise. Exploitation of this vulnerability typically involves an attacker accessing the vTM management interface, bypassing authentication using the vulnerability, creating a new administrator account without proper authorization, and potentially using the new account for further malicious activities. This analytic story includes detections to identify suspicious account creation events and other indicators of exploitation. It is crucial for organizations using affected Ivanti vTM versions to update to a patched version immediately and investigate any potential compromise. By leveraging these detections, security teams can enhance their ability to detect and respond to potential attacks exploiting this critical vulnerability in their Ivanti vTM deployments. 
references: diff --git a/stories/jboss_vulnerability.yml b/stories/jboss_vulnerability.yml index c138e1c36a..beb3d4f053 100644 --- a/stories/jboss_vulnerability.yml +++ b/stories/jboss_vulnerability.yml @@ -3,6 +3,7 @@ id: 1f5294cb-b85f-4c2d-9c58-ffcf248f52bd version: 1 date: '2017-09-14' author: Bhavin Patel, Splunk +status: production description: In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources diff --git a/stories/jenkins_server_vulnerabilities.yml b/stories/jenkins_server_vulnerabilities.yml index 0f1a4727c3..20db656ed4 100644 --- a/stories/jenkins_server_vulnerabilities.yml +++ b/stories/jenkins_server_vulnerabilities.yml @@ -3,6 +3,7 @@ id: 789e76e6-4b5e-4af3-ab8c-46578d84ccff version: 1 date: '2024-01-29' author: Michael Haag, Splunk +status: production description: This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. narrative: The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. references: diff --git a/stories/jetbrains_teamcity_unauthenticated_rce.yml b/stories/jetbrains_teamcity_unauthenticated_rce.yml index 7845795041..51b746ebc5 100644 --- a/stories/jetbrains_teamcity_unauthenticated_rce.yml 
+++ b/stories/jetbrains_teamcity_unauthenticated_rce.yml 
@@ -3,6 +3,7 @@ id: 7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf version: 1 date: '2023-10-01' author: Michael Haag, Splunk +status: production description: A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version. narrative: The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts. 
diff --git a/stories/jetbrains_teamcity_vulnerabilities.yml b/stories/jetbrains_teamcity_vulnerabilities.yml index 99603ed663..80046e8aca 100644 --- a/stories/jetbrains_teamcity_vulnerabilities.yml +++ b/stories/jetbrains_teamcity_vulnerabilities.yml @@ -3,6 +3,7 @@ id: 3cd841e8-2f64-45e8-b148-7767255db111 version: 1 date: '2024-03-04' author: Michael Haag, Splunk +status: production description: This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk. narrative: JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities. references: diff --git a/stories/juniper_junos_remote_code_execution.yml b/stories/juniper_junos_remote_code_execution.yml index 5f4e0be4cc..28138bd251 100644 --- a/stories/juniper_junos_remote_code_execution.yml +++ b/stories/juniper_junos_remote_code_execution.yml 
@@ -3,6 +3,7 @@ id: 3fcef843-c97e-4cf3-a72f-749be480cee3 version: 1 date: '2023-08-29' author: Michael Haag, Splunk +status: production description: Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes. narrative: Juniper Networks, a networking hardware company, has released an "out-of-cycle" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication. diff --git a/stories/kubernetes_scanning_activity.yml b/stories/kubernetes_scanning_activity.yml index 513e47012d..7c58c7452a 100644 
--- a/stories/kubernetes_scanning_activity.yml +++ b/stories/kubernetes_scanning_activity.yml @@ -3,6 +3,7 @@ id: a9ef59cf-e981-4e66-9eef-bb049f695c09 version: 1 date: '2020-04-15' author: Rod Soto, Splunk +status: production description: This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names. diff --git a/stories/kubernetes_security.yml b/stories/kubernetes_security.yml index 06cf7ad5da..d22d14e2dc 100644 --- a/stories/kubernetes_security.yml +++ b/stories/kubernetes_security.yml @@ -3,6 +3,7 @@ id: 77006b3a-306c-4e32-afd5-30b6e40c1c41 version: 1 date: '2023-12-06' author: 'Patrick Bareiss' +status: production description: Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications. narrative: diff --git a/stories/kubernetes_sensitive_object_access_activity.yml b/stories/kubernetes_sensitive_object_access_activity.yml index 25f8925529..156b0a374a 100644 --- a/stories/kubernetes_sensitive_object_access_activity.yml +++ b/stories/kubernetes_sensitive_object_access_activity.yml @@ -3,6 +3,7 @@ id: c7d4dbf0-a171-4eaf-8444-4f40392e4f92 version: 1 date: '2020-05-20' author: Rod Soto, Splunk +status: production description: This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason. diff --git a/stories/linux_living_off_the_land.yml b/stories/linux_living_off_the_land.yml index 168a050fe4..acecbea633 100644 --- a/stories/linux_living_off_the_land.yml +++ b/stories/linux_living_off_the_land.yml 
@@ -3,6 +3,7 @@ id: e405a2d7-dc8e-4227-8e9d-f60267b8c0cd version: 1 date: '2022-07-27' author: Michael Haag, Splunk +status: production description: Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems. narrative: Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. diff --git a/stories/linux_persistence_techniques.yml b/stories/linux_persistence_techniques.yml index 689adb4398..51db20dc85 100644 --- a/stories/linux_persistence_techniques.yml +++ b/stories/linux_persistence_techniques.yml @@ -3,6 +3,7 @@ id: e40d13e5-d38b-457e-af2a-e8e6a2f2b516 version: 1 date: '2021-12-17' author: Teoderick Contreras, Splunk +status: production description: Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment. narrative: Maintaining persistence is one of the first steps taken by attackers after diff --git a/stories/linux_post_exploitation.yml b/stories/linux_post_exploitation.yml index 8282d7c9aa..9054a00230 100644 --- a/stories/linux_post_exploitation.yml +++ b/stories/linux_post_exploitation.yml 
@@ -3,6 +3,7 @@ id: d310ccfe-5477-11ec-ad05-acde48001122 version: 1 date: '2021-12-03' author: Rod Soto +status: production description: This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin. narrative: These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version. references: diff --git a/stories/linux_privilege_escalation.yml b/stories/linux_privilege_escalation.yml index 6f05f0104b..a8303efda3 100644 --- a/stories/linux_privilege_escalation.yml +++ b/stories/linux_privilege_escalation.yml @@ -3,6 +3,7 @@ id: b9879c24-670a-44c0-895e-98cdb7d0e848 version: 1 date: '2021-12-17' author: Teoderick Contreras, Splunk +status: production description: Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more. diff --git a/stories/linux_rootkit.yml b/stories/linux_rootkit.yml index fba28ae4af..5f54a85eef 100644 --- a/stories/linux_rootkit.yml +++ b/stories/linux_rootkit.yml 
@@ -3,6 +3,7 @@ id: e30f4054-ac08-4999-b8bc-5cc46886c18d version: 1 date: '2022-07-27' author: Michael Haag, Splunk +status: production description: Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. narrative: Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names. diff --git a/stories/living_off_the_land.yml b/stories/living_off_the_land.yml index 01672b577a..9661923ab3 100644 --- a/stories/living_off_the_land.yml +++ b/stories/living_off_the_land.yml @@ -3,6 +3,7 @@ id: 6f7982e2-900b-11ec-a54a-acde48001122 version: 2 date: '2022-03-16' author: Lou Stella, Splunk +status: production description: Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment. narrative: Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior. references: diff --git a/stories/local_privilege_escalation_with_krbrelayup.yml b/stories/local_privilege_escalation_with_krbrelayup.yml index 668be242c0..0ff950dde9 100644 
--- a/stories/local_privilege_escalation_with_krbrelayup.yml +++ b/stories/local_privilege_escalation_with_krbrelayup.yml @@ -3,6 +3,7 @@ id: 765790f0-2f8f-4048-8321-fd1928ec2546 version: 1 date: '2022-04-28' author: Michael Haag, Mauricio Velazco, Splunk +status: production description: KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers. narrative: In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. diff --git a/stories/lockbit_ransomware.yml b/stories/lockbit_ransomware.yml index 72821f3cde..cef23f6903 100644 --- a/stories/lockbit_ransomware.yml +++ b/stories/lockbit_ransomware.yml @@ -3,6 +3,7 @@ id: 67e5b98d-16d6-46a6-8d00-070a3d1a5cfc version: 1 date: '2023-01-16' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more. diff --git a/stories/log4shell_cve_2021_44228.yml b/stories/log4shell_cve_2021_44228.yml index 60b52778d9..eed0cdb2fa 100644 --- a/stories/log4shell_cve_2021_44228.yml +++ b/stories/log4shell_cve_2021_44228.yml @@ -3,6 +3,7 @@ id: b4453928-5a98-11ec-afcd-8de10b48fc52 version: 1 date: '2021-12-11' author: Jose Hernandez +status: production description: Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute 
diff --git a/stories/lumma_stealer.yml b/stories/lumma_stealer.yml index eb0a23e343..09dfbad898 100644 --- a/stories/lumma_stealer.yml +++ b/stories/lumma_stealer.yml @@ -3,6 +3,7 @@ id: 6c8f76f6-1272-4c0e-afbd-5a9f58947fa5 version: 1 date: '2024-11-13' author: Michael Haag, Nasreddine Bencherchali, Splunk +status: production description: Lumma Stealer is a sophisticated information-stealing malware that has been operating as a Malware-as-a-Service (MaaS) platform since 2022. Recent campaigns in 2024 have shown increased sophistication in distribution methods, particularly through fake CAPTCHA verification pages, cracked game downloads, and phishing emails targeting GitHub users. The malware is designed to steal sensitive information including browser credentials, cryptocurrency wallet data, and password manager archives. narrative: As of late 2024, Lumma Stealer has emerged as one of the most prominent information stealers in the threat landscape, employing increasingly sophisticated distribution techniques. The malware's primary infection vector involves a deceptive CAPTCHA campaign where attackers create convincing phishing sites featuring fake Google CAPTCHA verification pages. When users interact with these pages by clicking "I'm not a robot," malicious code is automatically copied to their clipboard. Users are then socially engineered to paste this code into the Windows Run dialog (Win+R), triggering PowerShell commands that download and execute the Lumma Stealer payload. / diff --git a/stories/malicious_powershell.yml b/stories/malicious_powershell.yml index 402f1ceb0e..54fa231415 100644 --- a/stories/malicious_powershell.yml +++ b/stories/malicious_powershell.yml 
@@ -3,6 +3,7 @@ id: 2c8ff66e-0b57-42af-8ad7-912438a403fc version: 5 date: '2017-08-23' author: David Dorsey, Splunk +status: production description: Attackers are finding stealthy ways "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate diff --git a/stories/masquerading___rename_system_utilities.yml b/stories/masquerading___rename_system_utilities.yml index 53dfe57ce1..245b7f5747 100644 --- a/stories/masquerading___rename_system_utilities.yml +++ b/stories/masquerading___rename_system_utilities.yml @@ -3,6 +3,7 @@ id: f0258af4-a6ae-11eb-b3c2-acde48001122 version: 1 date: '2021-04-26' author: Michael Haag, Splunk +status: production description: Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. narrative: 'Security monitoring and control mechanisms may be in place for system diff --git a/stories/meduza_stealer.yml b/stories/meduza_stealer.yml index b634ad526b..1def57797a 100644 --- a/stories/meduza_stealer.yml +++ b/stories/meduza_stealer.yml 
@@ -3,6 +3,7 @@ id: c3328a8a-565b-435e-b9cc-5410e34b821b version: 1 date: '2024-11-28' author: Teoderick Contreras, Splunk +status: production description: Meduza Stealer is a sophisticated and rapidly evolving malware designed to extract sensitive data from compromised systems. Detected primarily through anomalous network activities, its behavior often involves outbound connections to command-and-control (C2) servers, encrypting and exfiltrating stolen credentials, financial data, and other personal information. Analysts have identified Meduza Stealer leveraging advanced evasion techniques, including dynamic obfuscation, anti-analysis methods, and the use of polymorphic code to bypass detection by traditional antivirus systems. Once deployed, it scans for browser-stored passwords, cryptocurrency wallets, and keylogging opportunities, potentially exploiting unpatched software vulnerabilities. Security tools flag it through heuristic detections, anomalous process executions, or unusual registry modifications. Meduza Stealer's malicious payloads are often distributed via phishing emails, malicious attachments, or trojanized software downloads. Effective defense requires a multi-layered security approach, regular software updates, and employee training to minimize risks posed by this potent cyber threat. narrative: Meduza Stealer is a relatively new entrant in the cybercrime landscape, first identified in early 2023. It quickly gained notoriety among threat actors for its effectiveness and adaptability. Designed as a data-stealing malware, it targets sensitive information such as login credentials, financial details, and cryptocurrency wallets. Its developers market it on underground forums, often touting its advanced features like dynamic obfuscation and anti-analysis mechanisms, making it difficult for traditional antivirus solutions to detect. 
Meduza Stealer typically spreads through phishing campaigns, malicious email attachments, and trojanized software downloads. Once executed, it infiltrates systems silently, harvesting data from web browsers, password managers, and clipboard activities. It then transmits the stolen information to its command-and-control (C2) servers using encrypted communication channels, further complicating detection and analysis. Security researchers have noted its use of polymorphic code, enabling it to modify its structure with each infection to evade heuristic and signature-based detection methods.Meduza Stealer highlights a growing trend in sophisticated, modular malware that appeals to cybercriminals due to its efficiency and ease of deployment. Effective mitigation strategies include adopting behavioral analysis tools, implementing robust endpoint security solutions, and maintaining user awareness through regular cybersecurity training. Proactive measures are essential to combat the escalating threat posed by this advanced malware. references: diff --git a/stories/metasploit.yml b/stories/metasploit.yml index 4d5ccde433..ce914f9248 100644 --- a/stories/metasploit.yml +++ b/stories/metasploit.yml @@ -3,6 +3,7 @@ id: c149b694-bd08-4535-88d3-1f288a66313f version: 1 date: '2022-11-21' author: Michael Haag, Splunk +status: production description: The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related. narrative: 'The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems. diff --git a/stories/meterpreter.yml b/stories/meterpreter.yml index c25790918e..b1fffe827c 100644 --- a/stories/meterpreter.yml +++ b/stories/meterpreter.yml 
@@ -3,6 +3,7 @@ id: d5f8e298-c85a-11eb-9fea-acde48001122 version: 1 date: '2021-06-08' author: Michael Hart +status: production description: Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions. diff --git a/stories/microsoft_mshtml_remote_code_execution_cve_2021_40444.yml b/stories/microsoft_mshtml_remote_code_execution_cve_2021_40444.yml index 1aa4aa9703..fdf5a657dc 100644 --- a/stories/microsoft_mshtml_remote_code_execution_cve_2021_40444.yml +++ b/stories/microsoft_mshtml_remote_code_execution_cve_2021_40444.yml @@ -3,6 +3,7 @@ id: 4ad4253e-10ca-11ec-8235-acde48001122 version: 1 date: '2021-09-08' author: Michael Haag, Splunk +status: production description: CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents. narrative: "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, diff --git a/stories/microsoft_sharepoint_server_elevation_of_privilege_cve_2023_29357.yml b/stories/microsoft_sharepoint_server_elevation_of_privilege_cve_2023_29357.yml index 7e0a978864..47ca482750 100644 --- a/stories/microsoft_sharepoint_server_elevation_of_privilege_cve_2023_29357.yml +++ b/stories/microsoft_sharepoint_server_elevation_of_privilege_cve_2023_29357.yml 
@@ -3,6 +3,7 @@ id: 95ae800d-485e-47f7-866e-8be281aa497d version: 1 date: '2023-09-27' author: Michael Haag, Gowthamaraj Rajendran, Splunk +status: production description: This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability. narrative: Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security. references: diff --git a/stories/microsoft_support_diagnostic_tool_vulnerability_cve_2022_30190.yml b/stories/microsoft_support_diagnostic_tool_vulnerability_cve_2022_30190.yml index cff32f2ea0..e158f7399c 100644 --- a/stories/microsoft_support_diagnostic_tool_vulnerability_cve_2022_30190.yml +++ b/stories/microsoft_support_diagnostic_tool_vulnerability_cve_2022_30190.yml 
@@ -3,6 +3,7 @@ id: 2a60a99e-c93a-4036-af70-768fac838019 version: 1 date: '2022-05-31' author: 'Michael Haag, Teoderick Contreras, Splunk' +status: production description: On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. narrative: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights. diff --git a/stories/monitor_for_updates.yml b/stories/monitor_for_updates.yml index 7dbddf4806..4192362390 100644 --- a/stories/monitor_for_updates.yml +++ b/stories/monitor_for_updates.yml @@ -3,6 +3,7 @@ id: 9ef8d677-7b52-4213-a038-99cfc7acc2d8 version: 1 date: '2017-09-15' author: Rico Valdez, Splunk +status: production description: Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches. diff --git a/stories/moonpeak.yml b/stories/moonpeak.yml index 01e6ffb4b2..dc35f041f2 100644 --- a/stories/moonpeak.yml +++ b/stories/moonpeak.yml 
@@ -3,6 +3,7 @@ id: b32c2bb4-ddb0-402f-a05d-9eae0ef4007a version: 1 date: '2024-08-21' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities linked to the MoonPeak malware, particularly focusing on command-and-control (C2) communications, data collection, file execution, and persistence mechanisms. Monitor network traffic for connections to known malicious IP addresses or domains associated with North Korean APT groups. Additionally, identify unexpected registry modifications and the presence of unauthorized binaries to uncover potential MoonPeak infections. narrative: The MoonPeak malware is a sophisticated cyber threat attributed to North Korean advanced persistent threat (APT) groups. This malware is designed to infiltrate targeted systems, establish persistence, and communicate with command-and-control (C2) servers, enabling remote attackers to execute malicious activities. MoonPeak often evades detection by leveraging encryption and obfuscation techniques, making it challenging for traditional security measures to identify its presence. It primarily targets government entities, critical infrastructure, and organizations of strategic interest, with the ultimate goal of espionage, data exfiltration, and disruption of operations. Its evolving tactics highlight the growing complexity of nation-state cyber operations. references: diff --git a/stories/moveit_transfer_authentication_bypass.yml b/stories/moveit_transfer_authentication_bypass.yml index d2dcbbd367..0e250786c9 100644 --- a/stories/moveit_transfer_authentication_bypass.yml +++ b/stories/moveit_transfer_authentication_bypass.yml 
@@ -3,6 +3,7 @@ id: b4c0b91f-eee5-47fd-ab02-11f68a9c0858 version: 1 date: '2024-06-28' author: Michael Haag, Splunk +status: production description: 'This analytic story addresses the critical authentication bypass vulnerability (CVE-2024-5806) in Progress MOVEit Transfer. The vulnerability allows attackers to impersonate any valid user on the system without proper credentials, potentially leading to unauthorized access, data theft, and system compromise. This story includes detections for key indicators of exploitation attempts, helping security teams identify and respond to potential attacks leveraging this vulnerability.' narrative: 'In June 2024, a severe authentication bypass vulnerability (CVE-2024-5806) was discovered in Progress MOVEit Transfer, a widely used file transfer solution. This vulnerability allows attackers to bypass authentication and impersonate any valid user on the system, even without prior access or the ability to upload files. diff --git a/stories/moveit_transfer_critical_vulnerability.yml b/stories/moveit_transfer_critical_vulnerability.yml index ba280b2fc9..a75ac0abb8 100644 --- a/stories/moveit_transfer_critical_vulnerability.yml +++ b/stories/moveit_transfer_critical_vulnerability.yml 
@@ -3,6 +3,7 @@ id: e8c05f9b-6ad4-45ac-8f5d-ff044da417c9 version: 1 date: '2023-06-01' author: Michael Haag, Splunk +status: production description: A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\MOVEitTransfer\wwwroot\ folder for unusual files. A patch is currently released. narrative: 'Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads. diff --git a/stories/netsh_abuse.yml b/stories/netsh_abuse.yml index a0b592b345..128d4a00f0 100644 --- a/stories/netsh_abuse.yml +++ b/stories/netsh_abuse.yml @@ -3,6 +3,7 @@ id: 2b1800dd-92f9-47ec-a981-fdf1351e5f65 version: 1 date: '2017-01-05' author: Bhavin Patel, Splunk +status: production description: Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system. diff --git a/stories/network_discovery.yml b/stories/network_discovery.yml index 72008e8b8b..7d260e5bd3 100644 --- a/stories/network_discovery.yml +++ b/stories/network_discovery.yml 
@@ -3,6 +3,7 @@ id: af228995-f182-49d7-90b3-2a732944f00f version: 1 date: '2022-02-14' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more. diff --git a/stories/nexus_apt_threat_activity.yml b/stories/nexus_apt_threat_activity.yml new file mode 100644 index 0000000000..bd6aed1350 --- /dev/null +++ b/stories/nexus_apt_threat_activity.yml 
@@ -0,0 +1,21 @@ +name: Nexus APT Threat Activity +id: 43f8062d-4da0-4f48-8cad-6a20e108961b +version: 1 +date: '2025-01-27' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, an advanced persistent threat (APT) group known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss. +narrative: Chinese state-nexus threat actors are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors. 
+references: +- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/ +- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink +- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf +- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file diff --git a/stories/njrat.yml b/stories/njrat.yml index 325156be0d..2f52c8e678 100644 --- a/stories/njrat.yml +++ b/stories/njrat.yml @@ -3,6 +3,7 @@ id: f6d52454-6cf3-4759-9627-5868a3e2b2b1 version: 2 date: '2023-09-07' author: Teoderick Contreras, Splunk +status: production description: NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, diff --git a/stories/nobelium_group.yml b/stories/nobelium_group.yml index 383a4590e8..f064d0c4f3 100644 --- a/stories/nobelium_group.yml +++ b/stories/nobelium_group.yml 
@@ -3,6 +3,7 @@ id: 758196b5-2e21-424f-a50c-6e421ce926c2 version: 3 date: '2020-12-14' author: Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk +status: production description: NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity. narrative: This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches. references: diff --git a/stories/office_365_account_takeover.yml b/stories/office_365_account_takeover.yml index c48d646683..5c7c84160a 100644 --- a/stories/office_365_account_takeover.yml +++ b/stories/office_365_account_takeover.yml 
@@ -3,6 +3,7 @@ id: 7dcea963-af44-4db7-a5b9-fd2b543d9bc9 version: 1 date: '2023-10-17' author: Mauricio Velazco, Patrick Bareiss, Splunk +status: production description: Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments. narrative: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments. references: diff --git a/stories/office_365_collection_techniques.yml b/stories/office_365_collection_techniques.yml index a3a1141b14..b9fae2a9a4 100644 --- a/stories/office_365_collection_techniques.yml +++ b/stories/office_365_collection_techniques.yml 
@@ -3,6 +3,7 @@ id: d90f2b80-f675-4717-90af-12fc8c438ae8 version: 1 date: '2024-02-12' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. narrative: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information references: [] diff --git a/stories/office_365_persistence_mechanisms.yml b/stories/office_365_persistence_mechanisms.yml index 7d0d386339..e49db88ddb 100644 --- a/stories/office_365_persistence_mechanisms.yml +++ b/stories/office_365_persistence_mechanisms.yml 
@@ -3,6 +3,7 @@ id: d230a106-0475-4605-a8d8-abaf4c31ced7 version: 1 date: '2023-10-17' author: Mauricio Velazco, Patrick Bareiss, Splunk +status: production description: Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments. narrative: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data. references: diff --git a/stories/okta_account_takeover.yml b/stories/okta_account_takeover.yml index 2447c01a8e..62bcd47abb 100644 --- a/stories/okta_account_takeover.yml +++ b/stories/okta_account_takeover.yml 
@@ -3,6 +3,7 @@ id: 83a48657-8153-4580-adba-eb0b3a83244e version: 1 date: '2024-03-06' author: Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk +status: production description: The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants. narrative: Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts. references: diff --git a/stories/okta_mfa_exhaustion.yml b/stories/okta_mfa_exhaustion.yml index ef6de41294..4bef5350dd 100644 --- a/stories/okta_mfa_exhaustion.yml +++ b/stories/okta_mfa_exhaustion.yml 
@@ -3,6 +3,7 @@ id: 7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3 version: 1 date: '2022-09-27' author: Michael Haag, Splunk +status: production description: A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks. narrative: An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of "fatigue" regarding these MFA prompts. diff --git a/stories/openssl_cve_2022_3602.yml b/stories/openssl_cve_2022_3602.yml index 8098e9f587..a5bab157e7 100644 --- a/stories/openssl_cve_2022_3602.yml +++ b/stories/openssl_cve_2022_3602.yml @@ -3,6 +3,7 @@ id: 491e00c9-998b-4c64-91bb-d8f9c79c1f4c version: 1 date: '2022-11-02' author: Michael Haag, splunk +status: production description: OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6. narrative: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after diff --git a/stories/orangeworm_attack_group.yml b/stories/orangeworm_attack_group.yml index a8b1b54459..0e621be260 100644 --- a/stories/orangeworm_attack_group.yml +++ b/stories/orangeworm_attack_group.yml 
@@ -3,6 +3,7 @@ id: bb9f5ed2-916e-4364-bb6d-97c370efcf52 version: 2 date: '2020-01-22' author: David Dorsey, Splunk +status: production description: Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry. narrative: 'In May of 2018, the attack group Orangeworm was implicated for installing diff --git a/stories/outlook_rce_cve_2024_21378.yml b/stories/outlook_rce_cve_2024_21378.yml index 5313d30a96..7c44e285fc 100644 --- a/stories/outlook_rce_cve_2024_21378.yml +++ b/stories/outlook_rce_cve_2024_21378.yml 
@@ -3,6 +3,7 @@ id: d889fcf2-0265-4b44-b29f-4ec063c21880 version: 1 date: '2024-03-20' author: Michael Haag, Teoderick Contreras, Splunk +status: production description: CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk. narrative: CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. 
This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats. references: diff --git a/stories/papercut_mf_ng_vulnerability.yml b/stories/papercut_mf_ng_vulnerability.yml index 5ff3d05d4d..5f2c746e72 100644 --- a/stories/papercut_mf_ng_vulnerability.yml +++ b/stories/papercut_mf_ng_vulnerability.yml 
@@ -3,6 +3,7 @@ id: 2493d270-5665-4fb4-99c7-8f886f260676 version: 1 date: '2023-05-15' author: Michael Haag, Splunk +status: production description: The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities. narrative: 'PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply "Allow list" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network. diff --git a/stories/petitpotam_ntlm_relay_on_active_directory_certificate_services.yml b/stories/petitpotam_ntlm_relay_on_active_directory_certificate_services.yml index f8ac2cae36..1b8fe735fe 100644 --- a/stories/petitpotam_ntlm_relay_on_active_directory_certificate_services.yml 
+++ b/stories/petitpotam_ntlm_relay_on_active_directory_certificate_services.yml @@ -3,6 +3,7 @@ id: 97aecafc-0a68-11ec-962f-acde48001122 version: 1 date: '2021-08-31' author: Michael Haag, Mauricio Velazco, Splunk +status: production description: PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances. diff --git a/stories/phemedrone_stealer.yml b/stories/phemedrone_stealer.yml index 495551ddc8..2ae36951b3 100644 --- a/stories/phemedrone_stealer.yml +++ b/stories/phemedrone_stealer.yml @@ -3,6 +3,7 @@ id: 386f64dd-657b-4dcf-8eb3-5e297d30924c version: 2 date: '2024-01-24' author: Teoderick Contreras, Splunk +status: production description: Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. diff --git a/stories/plugx.yml b/stories/plugx.yml index f46c0ea342..fa2824c6ad 100644 --- a/stories/plugx.yml +++ b/stories/plugx.yml @@ -3,6 +3,7 @@ id: a2c94c99-b93b-4bc7-a749-e2198743d0d6 version: 2 date: '2023-10-12' author: Teoderick Contreras, Splunk +status: production description: PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, diff --git a/stories/possible_backdoor_activity_associated_with_mudcarp_espionage_campaigns.yml b/stories/possible_backdoor_activity_associated_with_mudcarp_espionage_campaigns.yml index e9564a1575..a64fe677f0 100644 
--- a/stories/possible_backdoor_activity_associated_with_mudcarp_espionage_campaigns.yml +++ b/stories/possible_backdoor_activity_associated_with_mudcarp_espionage_campaigns.yml @@ -3,6 +3,7 @@ id: 988C59C5-0A1C-45B6-A555-0C62276E327E version: 1 date: '2020-01-22' author: iDefense Cyber Espionage Team, iDefense +status: production description: Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group. narrative: 'This story was created as a joint effort between iDefense and Splunk. diff --git a/stories/prestige_ransomware.yml b/stories/prestige_ransomware.yml index 3e3fe57945..bd2296488b 100644 --- a/stories/prestige_ransomware.yml +++ b/stories/prestige_ransomware.yml @@ -3,6 +3,7 @@ id: 8b8d8506-b931-450c-b794-f24184ca1deb version: 1 date: '2022-11-30' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware narrative: This story addresses Prestige ransomware. This ransomware payload seen by Microsoft diff --git a/stories/printnightmare_cve_2021_34527.yml b/stories/printnightmare_cve_2021_34527.yml index 56a6908367..65728a81c3 100644 --- a/stories/printnightmare_cve_2021_34527.yml +++ b/stories/printnightmare_cve_2021_34527.yml @@ -3,6 +3,7 @@ id: fd79470a-da88-11eb-b803-acde48001122 version: 1 date: '2021-07-01' author: Splunk Threat Research Team +status: production description: The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. diff --git a/stories/prohibited_traffic_allowed_or_protocol_mismatch.yml b/stories/prohibited_traffic_allowed_or_protocol_mismatch.yml index 28adf6d265..5587506c60 100644 --- a/stories/prohibited_traffic_allowed_or_protocol_mismatch.yml +++ b/stories/prohibited_traffic_allowed_or_protocol_mismatch.yml 
@@ -3,6 +3,7 @@ id: 6d13121c-90f3-446d-8ac3-27efbbc65218 version: 1 date: '2017-09-11' author: Rico Valdez, Splunk +status: production description: Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers. diff --git a/stories/proxynotshell.yml b/stories/proxynotshell.yml index 2aac8530e9..ac8d66c666 100644 --- a/stories/proxynotshell.yml +++ b/stories/proxynotshell.yml @@ -3,6 +3,7 @@ id: 4e3f17e7-9ed7-425d-a05e-b65464945836 version: 1 date: '2022-09-30' author: Michael Haag, Splunk +status: production description: Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082. narrative: Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story. references: diff --git a/stories/proxyshell.yml b/stories/proxyshell.yml index ec6586c5f6..98e629822d 100644 --- a/stories/proxyshell.yml +++ b/stories/proxyshell.yml @@ -3,7 +3,7 @@ id: 413bb68e-04e2-11ec-a835-acde48001122 version: 1 date: '2021-08-24' author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk -type: batch +status: production description: ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. narrative: "During Pwn2Own April 2021, a security researcher demonstrated an attack 
diff --git a/stories/pxa_stealer.yml b/stories/pxa_stealer.yml index 597e80e711..a44ad24c4f 100644 --- a/stories/pxa_stealer.yml +++ b/stories/pxa_stealer.yml @@ -3,6 +3,7 @@ id: 66f64651-e4e0-4d3b-8d7d-41d8e598e4e1 version: 1 date: '2024-11-18' author: Teoderick Contreras, Splunk +status: production description: This following analytic story contains detections related to the PXA Stealer, a malicious software tool designed to covertly extract sensitive information from infected systems. This data-stealing malware targets credentials, personal data, browsing information, and financial information by exploiting system vulnerabilities or tricking users into downloading it via phishing campaigns or malicious links. PXA Stealer often operates stealthily, bypassing security measures and transmitting stolen data to cybercriminals. Its capabilities make it a significant threat to individuals and organizations, emphasizing the need for robust cybersecurity defenses and awareness. narrative: The PXA Stealer initiates its attack in disguise, often concealed within phishing emails or dubious downloads. Once executed, it infiltrates the system undetected, harvesting credentials, financial information, and personal files. Its cunning lies in its ability to evade antivirus software and blend into normal processes. However, its subtle movements leave traces. Unusual system slowdowns, unauthorized login attempts, or increased network activity can indicate its presence. To detect and prevent it, maintain updated antivirus software, enable multi-factor authentication, and avoid clicking on suspicious links or attachments. Vigilance and proactive monitoring are key defenses against this silent intruder. references: diff --git a/stories/qakbot.yml b/stories/qakbot.yml index 48378bed4d..871ee43a36 100644 --- a/stories/qakbot.yml +++ b/stories/qakbot.yml 
@@ -3,6 +3,7 @@ id: 0c6169b1-f126-4d86-8e4f-f7891007ebc6 version: 2 date: '2022-11-14' author: Teoderick Contreras, Splunk +status: production description: QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK). narrative: QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) diff --git a/stories/ransomware.yml b/stories/ransomware.yml index 9ea584be76..99abf2c501 100644 --- a/stories/ransomware.yml +++ b/stories/ransomware.yml @@ -3,6 +3,7 @@ id: cf309d0d-d4aa-4fbb-963d-1e79febd3756 version: 1 date: '2020-02-04' author: David Dorsey, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected diff --git a/stories/ransomware_cloud.yml b/stories/ransomware_cloud.yml index 21bc9adb1e..4f69a6c55e 100644 --- a/stories/ransomware_cloud.yml +++ b/stories/ransomware_cloud.yml 
@@ -3,6 +3,7 @@ id: f52f6c43-05f8-4b19-a9d3-5b8c56da91c2 version: 1 date: '2020-10-27' author: Rod Soto, David Dorsey, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features. diff --git a/stories/redline_stealer.yml b/stories/redline_stealer.yml index 09bf787aca..aa49b2b562 100644 --- a/stories/redline_stealer.yml +++ b/stories/redline_stealer.yml @@ -3,6 +3,7 @@ id: 12e31e8b-671b-4d6e-b362-a682812a71eb version: 1 date: '2023-04-24' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence diff --git a/stories/remcos.yml b/stories/remcos.yml index d9fcf5c0ba..4ae7d93336 100644 --- a/stories/remcos.yml +++ b/stories/remcos.yml @@ -3,6 +3,7 @@ id: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c version: 1 date: '2021-09-23' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence diff --git a/stories/remote_monitoring_and_management_software.yml b/stories/remote_monitoring_and_management_software.yml new file mode 100644 index 0000000000..f76cde7141 --- /dev/null +++ b/stories/remote_monitoring_and_management_software.yml 
@@ -0,0 +1,25 @@ +name: Remote Monitoring and Management Software +id: e405907a-273c-41c9-928c-768c9355c1f7 +version: 1 +date: '2025-01-14' +author: Steven Dick +status: production +description: |- + Fortify your remote access and unapproved software monitoring with searches that monitor for and help you investigate the use of unappoved or malicious remote monitoring and management softwares (RMM). +narrative: |- + Attackers can leverage a variety of 3rd party software to establish unapproved remote access or c2 channels to an enterprise network. Common techniques include the installation of these remote access software via channels via phishing, scam, or driveby malware compromise situations. While this Analytic Story is not a comprehensive listing of all RMM software it provides a useful starting point for well known indicators. + + Be sure to leverage the "RMM Software Tracking" dashboard provided with this story for a convienent way to vizualize RMM usage in your enviroment. +references: +- https://attack.mitre.org/techniques/T1219/ +- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ +- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ +tags: + category: + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Security Monitoring diff --git a/stories/reverse_network_proxy.yml b/stories/reverse_network_proxy.yml index 5790f6e39e..f5257404f6 100644 --- a/stories/reverse_network_proxy.yml +++ b/stories/reverse_network_proxy.yml 
@@ -3,6 +3,7 @@ id: 265e4127-21fd-43e4-adac-ec5d12274111 version: 1 date: '2022-11-16' author: Michael Haag, Splunk +status: production description: The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access. narrative: This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified. diff --git a/stories/revil_ransomware.yml b/stories/revil_ransomware.yml index d1f11f81e4..801129da7d 100644 --- a/stories/revil_ransomware.yml +++ b/stories/revil_ransomware.yml @@ -3,6 +3,7 @@ id: 817cae42-f54b-457a-8a36-fbf45521e29e version: 1 date: '2021-06-04' author: Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry diff --git a/stories/rhysida_ransomware.yml b/stories/rhysida_ransomware.yml index 1270c11c2e..ab821951ad 100644 --- a/stories/rhysida_ransomware.yml +++ b/stories/rhysida_ransomware.yml 
@@ -3,6 +3,7 @@ id: 0925ee49-1185-4484-94ac-7867764a9183 version: 1 date: '2023-12-12' author: Teoderick Contreras, Splunk +status: production description: Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential diff --git a/stories/router_and_infrastructure_security.yml b/stories/router_and_infrastructure_security.yml index a042290e74..f24e6c02fa 100644 --- a/stories/router_and_infrastructure_security.yml +++ b/stories/router_and_infrastructure_security.yml @@ -3,6 +3,7 @@ id: 91c676cf-0b23-438d-abee-f6335e177e77 version: 1 date: '2017-09-12' author: Bhavin Patel, Splunk +status: production description: Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers. diff --git a/stories/ryuk_ransomware.yml b/stories/ryuk_ransomware.yml index f3f58d9fbe..1b23726919 100644 --- a/stories/ryuk_ransomware.yml +++ b/stories/ryuk_ransomware.yml @@ -3,6 +3,7 @@ id: 507edc74-13d5-4339-878e-b9744ded1f35 version: 1 date: '2020-11-06' author: Jose Hernandez, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, diff --git a/stories/samaccountname_spoofing_and_domain_controller_impersonation.yml b/stories/samaccountname_spoofing_and_domain_controller_impersonation.yml index c51978b246..81353384c7 100644 --- a/stories/samaccountname_spoofing_and_domain_controller_impersonation.yml +++ b/stories/samaccountname_spoofing_and_domain_controller_impersonation.yml 
@@ -3,6 +3,7 @@ id: 0244fdee-61be-11ec-900e-acde48001122 version: 1 date: '2021-12-20' author: Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities. diff --git a/stories/samsam_ransomware.yml b/stories/samsam_ransomware.yml index 3f5b4a718c..cae7c5ecc3 100644 --- a/stories/samsam_ransomware.yml +++ b/stories/samsam_ransomware.yml @@ -3,6 +3,7 @@ id: c4b89506-fbcf-4cb7-bfd6-527e54789604 version: 1 date: '2018-12-13' author: Rico Valdez, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware diff --git a/stories/sandworm_tools.yml b/stories/sandworm_tools.yml index 1387a84de7..8cc6b5f357 100644 --- a/stories/sandworm_tools.yml +++ b/stories/sandworm_tools.yml 
@@ -3,6 +3,7 @@ id: 54146850-9d26-4877-a611-2db33231e63e version: 1 date: '2022-04-05' author: Teoderick Contreras, Splunk +status: production description: This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the "Sandworm" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators. narrative: The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts. references: diff --git a/stories/scheduled_tasks.yml b/stories/scheduled_tasks.yml index 7d038b6459..c55d37d90d 100644 --- a/stories/scheduled_tasks.yml +++ b/stories/scheduled_tasks.yml 
@@ -3,6 +3,7 @@ id: 94cff925-d05c-40cf-b925-d6c5702a2399 version: 1 date: '2023-06-12' author: Michael Haag, Splunk +status: production description: The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs. narrative: MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS. diff --git a/stories/shrinklocker.yml b/stories/shrinklocker.yml index f2e19acab4..dd7e9455b5 100644 --- a/stories/shrinklocker.yml +++ b/stories/shrinklocker.yml @@ -3,6 +3,7 @@ id: 11fb26d7-11d3-4839-9ee7-63c1329bff8c version: 1 date: '2024-06-17' author: Teoderick Contreras, Splunk +status: production description: ShrinkLocker is a new ransomware that uses Windows BitLocker to encrypt files by creating new boot partitions. It targets non-boot partitions, shrinks them, and creates new boot volumes. ShrinkLocker has attacked a government entity and companies in the vaccine and manufacturing sectors. The ransomware doesn't drop a ransom note but uses the boot partition label 
diff --git a/stories/signed_binary_proxy_execution_installutil.yml b/stories/signed_binary_proxy_execution_installutil.yml index ad01c1d41f..38575e2ad7 100644 --- a/stories/signed_binary_proxy_execution_installutil.yml +++ b/stories/signed_binary_proxy_execution_installutil.yml @@ -3,6 +3,7 @@ id: 9482a314-43dc-11ec-a3c9-acde48001122 version: 1 date: '2021-11-12' author: Michael Haag, Splunk +status: production description: Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. narrative: 'InstallUtil is a command-line utility that allows for installation and diff --git a/stories/silver_sparrow.yml b/stories/silver_sparrow.yml index e618ef203d..af931b88a5 100644 --- a/stories/silver_sparrow.yml +++ b/stories/silver_sparrow.yml @@ -3,6 +3,7 @@ id: cb4f48fe-7699-11eb-af77-acde48001122 version: 1 date: '2021-02-24' author: Michael Haag, Splunk +status: production description: Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence. diff --git a/stories/snake_keylogger.yml b/stories/snake_keylogger.yml index f737c4cf14..7e6bf544d5 100644 --- a/stories/snake_keylogger.yml +++ b/stories/snake_keylogger.yml @@ -3,6 +3,7 @@ id: 0374f962-c66a-4a67-9a30-24b0708ef802 version: 1 date: '2024-02-12' author: Teoderick Contreras, Splunk +status: production description: SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security. diff --git a/stories/snake_malware.yml b/stories/snake_malware.yml index 5b6a3512e3..82ab496cb9 100644 --- a/stories/snake_malware.yml +++ b/stories/snake_malware.yml 
@@ -3,6 +3,7 @@ id: 032bacbb-f90d-43aa-bbcc-d87f169a29c8 version: 1 date: '2023-05-10' author: Michael Haag, Splunk +status: production description: The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. narrative: The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive diff --git a/stories/sneaky_active_directory_persistence_tricks.yml b/stories/sneaky_active_directory_persistence_tricks.yml index b703db7c90..e89a019084 100644 --- a/stories/sneaky_active_directory_persistence_tricks.yml +++ b/stories/sneaky_active_directory_persistence_tricks.yml @@ -3,6 +3,7 @@ id: f676c4c1-c769-4ecb-9611-5fd85b497c56 version: 2 date: '2024-03-14' author: Dean Luxton, Mauricio Velazco, Splunk +status: production description: Monitor for activities and techniques associated with Windows Active Directory persistence techniques. narrative: Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management diff --git a/stories/spearphishing_attachments.yml b/stories/spearphishing_attachments.yml index 100efe95ec..6cf46e93a7 100644 --- a/stories/spearphishing_attachments.yml +++ b/stories/spearphishing_attachments.yml 
@@ -3,6 +3,7 @@ id: 57226b40-94f3-4ce5-b101-a75f67759c27 version: 1 date: '2019-04-29' author: Splunk Research Team, Splunk +status: production description: Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack. narrative: 'Despite its simplicity, phishing remains the most pervasive and dangerous diff --git a/stories/spring4shell_cve_2022_22965.yml b/stories/spring4shell_cve_2022_22965.yml index 08345cf642..a0e425a25e 100644 --- a/stories/spring4shell_cve_2022_22965.yml +++ b/stories/spring4shell_cve_2022_22965.yml @@ -3,6 +3,7 @@ id: dcc19913-6918-4ed2-bbba-a6b484c10ef4 version: 2 date: '2024-09-24' author: Michael Haag, Splunk +status: production description: Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications. narrative: 'An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. diff --git a/stories/sql_injection.yml b/stories/sql_injection.yml index 0838a17274..b8cbeb1283 100644 --- a/stories/sql_injection.yml +++ b/stories/sql_injection.yml @@ -3,6 +3,7 @@ id: 4f6632f5-449c-4686-80df-57625f59bab3 version: 1 date: '2017-09-19' author: Bhavin Patel, Splunk +status: production description: Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters. diff --git a/stories/subvert_trust_controls_sip_and_trust_provider_hijacking.yml b/stories/subvert_trust_controls_sip_and_trust_provider_hijacking.yml index d446c2f408..3d06aa2123 100644 --- a/stories/subvert_trust_controls_sip_and_trust_provider_hijacking.yml 
+++ b/stories/subvert_trust_controls_sip_and_trust_provider_hijacking.yml 
@@ -3,6 +3,7 @@ id: 7faf91b6-532a-4f18-807c-b2761e90b6dc version: 1 date: '2023-10-10' author: Michael Haag, Splunk +status: production description: Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. narrative: In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed. references: 
diff --git a/stories/suspicious_aws_login_activities.yml b/stories/suspicious_aws_login_activities.yml index 8ec3aab745..19956ad2c3 100644 --- a/stories/suspicious_aws_login_activities.yml +++ b/stories/suspicious_aws_login_activities.yml @@ -3,6 +3,7 @@ id: 2e8948a5-5239-406b-b56b-6c59f1268af3 version: 2 date: '2024-09-24' author: Bhavin Patel, Splunk +status: production description: 'Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.' diff --git a/stories/suspicious_aws_s3_activities.yml b/stories/suspicious_aws_s3_activities.yml index 4d480bbffa..e39ac23014 100644 --- a/stories/suspicious_aws_s3_activities.yml +++ b/stories/suspicious_aws_s3_activities.yml @@ -3,6 +3,7 @@ id: 66732346-8fb0-407b-9633-da16756567d6 version: 3 date: '2023-04-24' author: Bhavin Patel, Splunk +status: production description: Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked. diff --git a/stories/suspicious_aws_traffic.yml b/stories/suspicious_aws_traffic.yml index 833fb4f004..d8d36dab50 100644 --- a/stories/suspicious_aws_traffic.yml +++ b/stories/suspicious_aws_traffic.yml @@ -3,6 +3,7 @@ id: 2e8948a5-5239-406b-b56b-6c50f2168af3 version: 1 date: '2018-05-07' author: Bhavin Patel, Splunk +status: production description: Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC). diff --git a/stories/suspicious_cloud_authentication_activities.yml b/stories/suspicious_cloud_authentication_activities.yml index 44c0e56a6e..32c56b1591 100644 
--- a/stories/suspicious_cloud_authentication_activities.yml +++ b/stories/suspicious_cloud_authentication_activities.yml @@ -3,6 +3,7 @@ id: 6380ebbb-55c5-4fce-b754-01fd565fb73c version: 2 date: '2024-09-24' author: Rico Valdez, Splunk +status: production description: 'Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.' diff --git a/stories/suspicious_cloud_instance_activities.yml b/stories/suspicious_cloud_instance_activities.yml index a150ffaa21..524ea6028b 100644 --- a/stories/suspicious_cloud_instance_activities.yml +++ b/stories/suspicious_cloud_instance_activities.yml @@ -3,6 +3,7 @@ id: 8168ca88-392e-42f4-85a2-767579c660ce version: 1 date: '2020-08-25' author: David Dorsey, Splunk +status: production description: Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment. diff --git a/stories/suspicious_cloud_provisioning_activities.yml b/stories/suspicious_cloud_provisioning_activities.yml index 72fdc5772d..1383242e55 100644 --- a/stories/suspicious_cloud_provisioning_activities.yml +++ b/stories/suspicious_cloud_provisioning_activities.yml @@ -3,6 +3,7 @@ id: 51045ded-1575-4ba6-aef7-af6c73cffd86 version: 1 date: '2018-08-20' author: David Dorsey, Splunk +status: production description: Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment. diff --git a/stories/suspicious_cloud_user_activities.yml b/stories/suspicious_cloud_user_activities.yml index f7ddc5ac2e..65b679c4d8 100644 --- a/stories/suspicious_cloud_user_activities.yml 
+++ b/stories/suspicious_cloud_user_activities.yml @@ -3,6 +3,7 @@ id: 1ed5ce7d-5469-4232-92af-89d1a3595b39 version: 1 date: '2020-09-04' author: David Dorsey, Splunk +status: production description: Detect and investigate suspicious activities by users and roles in your cloud environments. narrative: 'It seems obvious that it is critical to monitor and control the users diff --git a/stories/suspicious_command_line_executions.yml b/stories/suspicious_command_line_executions.yml index 76a5d1f9fc..d4bef5eca9 100644 --- a/stories/suspicious_command_line_executions.yml +++ b/stories/suspicious_command_line_executions.yml @@ -3,6 +3,7 @@ id: f4368ddf-d59f-4192-84f6-778ac5a3ffc7 version: 2 date: '2020-02-03' author: Bhavin Patel, Splunk +status: production description: Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI diff --git a/stories/suspicious_compiled_html_activity.yml b/stories/suspicious_compiled_html_activity.yml index e542ca58b4..d6650332b8 100644 --- a/stories/suspicious_compiled_html_activity.yml +++ b/stories/suspicious_compiled_html_activity.yml @@ -1,5 +1,6 @@ author: Michael Haag, Splunk date: '2021-02-11' +status: production description: Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. id: a09db4d1-3827-4833-87b8-3a397e532119 diff --git a/stories/suspicious_dns_traffic.yml b/stories/suspicious_dns_traffic.yml index e2220a8d33..f940637476 100644 --- a/stories/suspicious_dns_traffic.yml +++ b/stories/suspicious_dns_traffic.yml 
@@ -3,6 +3,7 @@ id: 3c3835c0-255d-4f9e-ab84-e29ec9ec9b56 version: 1 date: '2017-09-18' author: Rico Valdez, Splunk +status: production description: Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses. diff --git a/stories/suspicious_emails.yml b/stories/suspicious_emails.yml index e8b9a0ef5a..fa00f0c715 100644 --- a/stories/suspicious_emails.yml +++ b/stories/suspicious_emails.yml @@ -3,6 +3,7 @@ id: 2b1800dd-92f9-47ec-a981-fdf1351e5d55 version: 1 date: '2020-01-27' author: Bhavin Patel, Splunk +status: production description: Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story. diff --git a/stories/suspicious_gcp_storage_activities.yml b/stories/suspicious_gcp_storage_activities.yml index 9f26360fb0..626784cb6f 100644 --- a/stories/suspicious_gcp_storage_activities.yml +++ b/stories/suspicious_gcp_storage_activities.yml @@ -3,6 +3,7 @@ id: 4d656b2e-d6be-11ea-87d0-0242ac130003 version: 1 date: '2020-08-05' author: Shannon Davis, Splunk +status: production description: Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative diff --git a/stories/suspicious_mshta_activity.yml b/stories/suspicious_mshta_activity.yml index d39914c98d..3dcbf4634a 100644 --- a/stories/suspicious_mshta_activity.yml +++ b/stories/suspicious_mshta_activity.yml 
@@ -3,6 +3,7 @@ id: 1e5a5a53-540b-462a-8fb7-f44a4292f5dc version: 2 date: '2021-01-20' author: Bhavin Patel, Michael Haag, Splunk +status: production description: Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. narrative: 'One common adversary tactic is to bypass application control solutions diff --git a/stories/suspicious_okta_activity.yml b/stories/suspicious_okta_activity.yml index 219a348ed0..59410c1899 100644 --- a/stories/suspicious_okta_activity.yml +++ b/stories/suspicious_okta_activity.yml @@ -3,6 +3,7 @@ id: 9cbd34af-8f39-4476-a423-bacd126c750b version: 1 date: '2020-04-02' author: Rico Valdez, Splunk +status: production description: Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they diff --git a/stories/suspicious_regsvcs_regasm_activity.yml b/stories/suspicious_regsvcs_regasm_activity.yml index 2196acbe57..ff6aadf5ea 100644 --- a/stories/suspicious_regsvcs_regasm_activity.yml +++ b/stories/suspicious_regsvcs_regasm_activity.yml @@ -1,5 +1,6 @@ author: Michael Haag, Splunk date: '2024-09-24' +status: production description: Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. id: 2cdf33a0-4805-4b61-b025-59c20f418fbe diff --git a/stories/suspicious_regsvr32_activity.yml b/stories/suspicious_regsvr32_activity.yml index b14757bc11..bf8b318e92 100644 --- a/stories/suspicious_regsvr32_activity.yml +++ b/stories/suspicious_regsvr32_activity.yml 
@@ -3,6 +3,7 @@ id: b8bee41e-624f-11eb-ae93-0242ac130002 version: 1 date: '2021-01-29' author: Michael Haag, Splunk +status: production description: Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code. narrative: One common adversary tactic is to bypass application control solutions diff --git a/stories/suspicious_rundll32_activity.yml b/stories/suspicious_rundll32_activity.yml index b15e91548d..92edab4242 100644 --- a/stories/suspicious_rundll32_activity.yml +++ b/stories/suspicious_rundll32_activity.yml @@ -3,6 +3,7 @@ id: 80a65487-854b-42f1-80a1-935e4c170694 version: 1 date: '2021-02-03' author: Michael Haag, Splunk +status: production description: Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code. narrative: One common adversary tactic is to bypass application control solutions diff --git a/stories/suspicious_windows_registry_activities.yml b/stories/suspicious_windows_registry_activities.yml index 4362c447ad..8f069b1b62 100644 --- a/stories/suspicious_windows_registry_activities.yml +++ b/stories/suspicious_windows_registry_activities.yml @@ -3,6 +3,7 @@ id: 2b1800dd-92f9-47dd-a981-fdf1351e5d55 version: 1 date: '2018-05-31' author: Bhavin Patel, Splunk +status: production description: Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system. narrative: "Attackers are developing increasingly sophisticated techniques for hijacking diff --git a/stories/suspicious_wmi_use.yml b/stories/suspicious_wmi_use.yml index 7b1743dd5d..e36079c954 100644 --- a/stories/suspicious_wmi_use.yml +++ b/stories/suspicious_wmi_use.yml 
@@ -3,6 +3,7 @@ id: c8ddc5be-69bc-4202-b3ab-4010b27d7ad5 version: 2 date: '2018-10-23' author: Rico Valdez, Splunk +status: production description: Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it diff --git a/stories/suspicious_zoom_child_processes.yml b/stories/suspicious_zoom_child_processes.yml index 8a92a67596..c3ed962363 100644 --- a/stories/suspicious_zoom_child_processes.yml +++ b/stories/suspicious_zoom_child_processes.yml @@ -3,6 +3,7 @@ id: aa3749a6-49c7-491e-a03f-4eaee5fe0258 version: 1 date: '2020-04-13' author: David Dorsey, Splunk +status: production description: Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection. diff --git a/stories/swift_slicer.yml b/stories/swift_slicer.yml index 940ff21fee..59ea094300 100644 --- a/stories/swift_slicer.yml +++ b/stories/swift_slicer.yml @@ -3,6 +3,7 @@ id: 234c9dd7-52fb-4d6f-aec9-075ef88a2cea version: 1 date: '2023-02-01' author: Teoderick Contreras, Rod Soto, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc. narrative: Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files diff --git a/stories/sysaid_on_prem_software_cve_2023_47246_vulnerability.yml b/stories/sysaid_on_prem_software_cve_2023_47246_vulnerability.yml index 5817f510fe..6e4bf82570 100644 --- a/stories/sysaid_on_prem_software_cve_2023_47246_vulnerability.yml +++ b/stories/sysaid_on_prem_software_cve_2023_47246_vulnerability.yml 
@@ -3,6 +3,7 @@ id: 228f22cb-3436-4c31-8af4-370d40af7b49 version: 1 date: '2023-11-09' author: Michael Haag, Splunk +status: production description: A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment. narrative: The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network. references: diff --git a/stories/text4shell_cve_2022_42889.yml b/stories/text4shell_cve_2022_42889.yml index 4c89b47d19..770e32aa17 100644 --- a/stories/text4shell_cve_2022_42889.yml +++ b/stories/text4shell_cve_2022_42889.yml 
@@ -3,6 +3,7 @@ id: 95ae800d-485e-47f7-866e-8be281aa497b version: 1 date: '2022-10-26' author: Michael Haag, Splunk +status: production description: A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library. narrative: Apache Commons Text is a Java library described as "a library focused on algorithms working on strings." We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the "script," "dns," and "url" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. diff --git a/stories/trickbot.yml b/stories/trickbot.yml index 9ecadb1d99..491f869347 100644 --- a/stories/trickbot.yml +++ b/stories/trickbot.yml @@ -3,6 +3,7 @@ id: 16f93769-8342-44c0-9b1d-f131937cce8e version: 1 date: '2021-04-20' author: Rod Soto, Teoderick Contreras, Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection diff --git a/stories/trusted_developer_utilities_proxy_execution.yml b/stories/trusted_developer_utilities_proxy_execution.yml index 4c003ce7b9..0f034643fb 100644 --- a/stories/trusted_developer_utilities_proxy_execution.yml +++ b/stories/trusted_developer_utilities_proxy_execution.yml 
@@ -3,6 +3,7 @@ id: 270a67a6-55d8-11eb-ae93-0242ac130002 version: 1 date: '2021-01-12' author: Michael Haag, Splunk +status: production description: Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code. narrative: 'Adversaries may take advantage of trusted developer utilities to proxy diff --git a/stories/trusted_developer_utilities_proxy_execution_msbuild.yml b/stories/trusted_developer_utilities_proxy_execution_msbuild.yml index 3abbd91e73..060c17f32f 100644 --- a/stories/trusted_developer_utilities_proxy_execution_msbuild.yml +++ b/stories/trusted_developer_utilities_proxy_execution_msbuild.yml @@ -3,6 +3,7 @@ id: be3418e2-551b-11eb-ae93-0242ac130002 version: 1 date: '2021-01-21' author: Michael Haag, Splunk +status: production description: Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code. narrative: 'Adversaries may use MSBuild to proxy execution of code through a trusted diff --git a/stories/unusual_processes.yml b/stories/unusual_processes.yml index 2b14759889..4fd817acc6 100644 --- a/stories/unusual_processes.yml +++ b/stories/unusual_processes.yml @@ -3,6 +3,7 @@ id: f4368e3f-d59f-4192-84f6-748ac5a3ddb6 version: 2 date: '2020-02-04' author: Bhavin Patel, Splunk +status: production description: Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples diff --git a/stories/use_of_cleartext_protocols.yml b/stories/use_of_cleartext_protocols.yml index 56ab8001ed..fc2e0cca7e 100644 --- a/stories/use_of_cleartext_protocols.yml +++ b/stories/use_of_cleartext_protocols.yml 
@@ -3,6 +3,7 @@ id: 826e6431-aeef-41b4-9fc0-6d0985d65a21 version: 1 date: '2017-09-15' author: Bhavin Patel, Splunk +status: production description: Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted. narrative: Various legacy protocols operate by default in the clear, without the protections diff --git a/stories/valleyrat.yml b/stories/valleyrat.yml index a53d866238..d40f36f218 100644 --- a/stories/valleyrat.yml +++ b/stories/valleyrat.yml @@ -3,6 +3,7 @@ id: e9703322-5462-4c4a-a427-b9895c1472de version: 1 date: '2024-09-11' author: Teoderick Contreras, Splunk +status: production description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might be related to ValleyRAT malware. ValleyRAT is a remote access trojan (RAT) known for targeting specific organizations and individuals to gain unauthorized access to systems. It enables attackers to execute commands, steal sensitive data, and manipulate files. This malware often uses phishing emails or malicious attachments to infect systems. Detecting ValleyRAT early is crucial to preventing data breaches and further exploitation. Analysts can use behavioral analysis and signature-based detection to mitigate its impact. narrative: ValleyRAT is a stealthy remote access trojan (RAT) used by cybercriminals to gain unauthorized control over compromised systems. It often infiltrates targets through phishing emails or malicious attachments, allowing attackers to execute commands, steal sensitive information, manipulate files, and monitor user activities remotely. Once inside, ValleyRAT can evade detection by blending in with legitimate processes, making it challenging to identify. references: diff --git a/stories/vmware_aria_operations_vrealize_cve_2023_20887.yml b/stories/vmware_aria_operations_vrealize_cve_2023_20887.yml index 479d8c0696..ea6d8b659b 100644 
--- a/stories/vmware_aria_operations_vrealize_cve_2023_20887.yml +++ b/stories/vmware_aria_operations_vrealize_cve_2023_20887.yml @@ -3,6 +3,7 @@ id: 99171cdd-57a1-4b8a-873c-f8bee12e2025 version: 1 date: '2023-06-21' author: Michael Haag, Splunk +status: production description: CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint ("/saas./resttosaasservlet") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat. narrative: CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations. diff --git a/stories/vmware_esxi_ad_integration_authentication_bypass_cve_2024_37085.yml b/stories/vmware_esxi_ad_integration_authentication_bypass_cve_2024_37085.yml index 1287d494c8..9c78c40d9d 100644 --- a/stories/vmware_esxi_ad_integration_authentication_bypass_cve_2024_37085.yml +++ b/stories/vmware_esxi_ad_integration_authentication_bypass_cve_2024_37085.yml 
@@ -3,6 +3,7 @@ id: cb77a38a-bc37-42f8-9e34-64ccc7985277 version: 1 date: '2024-07-30' author: Michael Haag, Splunk +status: production description: This analytic story addresses the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). It detects attempts to exploit this flaw, which allows attackers with sufficient AD permissions to gain full access to ESXi hosts by recreating the 'ESX Admins' group after deletion. narrative: VMware ESXi contains an authentication bypass vulnerability (CVE-2024-37085) that allows attackers to gain unauthorized access to ESXi hosts. Ransomware groups have been observed exploiting this flaw to deploy malware and encrypt virtual machines. This story focuses on detecting potential exploitation attempts, suspicious Active Directory group modifications. It aims to help defenders identify and respond to attacks leveraging this vulnerability in their virtualized environments. references: diff --git a/stories/vmware_server_side_injection_and_privilege_escalation.yml b/stories/vmware_server_side_injection_and_privilege_escalation.yml index c4b781a16e..2446d78bc8 100644 --- a/stories/vmware_server_side_injection_and_privilege_escalation.yml +++ b/stories/vmware_server_side_injection_and_privilege_escalation.yml 
@@ -3,6 +3,7 @@ id: d6d51cc2-a092-43b7-9f61-1159943afe39 version: 1 date: '2022-05-19' author: Michael Haag, Splunk +status: production description: Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges. narrative: 'On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. diff --git a/stories/volt_typhoon.yml b/stories/volt_typhoon.yml index 235462c3e1..495436b753 100644 --- a/stories/volt_typhoon.yml +++ b/stories/volt_typhoon.yml @@ -3,6 +3,7 @@ id: f73010e4-49eb-44ef-9f3f-2c25a1ae5415 version: 1 date: '2023-05-25' author: Teoderick Contreras, Splunk +status: production description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the "Volt Typhoon" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more. narrative: 'Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. 
diff --git a/stories/warzone_rat.yml b/stories/warzone_rat.yml index 6e01ce2079..6120cb00e2 100644 --- a/stories/warzone_rat.yml +++ b/stories/warzone_rat.yml @@ -3,6 +3,7 @@ id: 8dc84752-f4da-4285-931c-bddd5c4d440b version: 1 date: '2023-07-26' author: Teoderick Contreras, Splunk +status: production description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more. narrative: Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. diff --git a/stories/whispergate.yml b/stories/whispergate.yml index ad0d9cd5e2..669be3bb55 100644 --- a/stories/whispergate.yml +++ b/stories/whispergate.yml @@ -3,6 +3,7 @@ id: 0150e6e5-3171-442e-83f8-1ccd8599569b version: 1 date: '2022-01-19' author: Teoderick Contreras, Splunk +status: production description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "WhisperGate". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more. diff --git a/stories/windealer_rat.yml b/stories/windealer_rat.yml new file mode 100644 index 0000000000..1417f913a4 --- /dev/null +++ b/stories/windealer_rat.yml 
@@ -0,0 +1,18 @@ +name: WinDealer RAT +id: 94fdd8b7-ae39-454a-85e8-9f0148eddea6 +version: 1 +date: '2025-01-27' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Windealer Remote Access Trojan (RAT), a versatile malware used for data theft and unauthorized system control. Monitor for signs such as unexpected process token adjustment, abnormal file activity, and unauthorized process execution. Investigate indicators of command-and-control (C2) communications, particularly encrypted or obfuscated traffic patterns. Behavioral analysis and endpoint monitoring can help identify suspicious activities linked to this RAT. Early detection and thorough investigation are essential to mitigate the risks posed by Windealer. +narrative: Windealer is a Remote Access Trojan (RAT) designed for stealthy infiltration and control of compromised systems. Often used in cyberespionage and data theft campaigns, it enables attackers to execute commands, exfiltrate sensitive information, and manipulate system functions remotely. Windealer is known for its ability to maintain persistence and communicate with command-and-control (C2) servers using encrypted or obfuscated protocols, making detection challenging. Its deployment often involves phishing, software exploits, or supply chain attacks. Effective detection requires advanced endpoint monitoring and analysis of unusual network behaviors to identify its covert operations. +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file diff --git a/stories/windows_applocker.yml b/stories/windows_applocker.yml index 29aefad92e..2e6ec9d358 100644 --- a/stories/windows_applocker.yml +++ b/stories/windows_applocker.yml 
@@ -3,6 +3,7 @@ id: 7911b245-e74d-48db-b1cf-69f3eb02ca55 version: 1 date: '2024-03-21' author: Michael Haag, Splunk +status: production description: Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications. narrative: AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \ diff --git a/stories/windows_attack_surface_reduction.yml b/stories/windows_attack_surface_reduction.yml index 39c4e61de6..8bbfb015db 100644 --- a/stories/windows_attack_surface_reduction.yml +++ b/stories/windows_attack_surface_reduction.yml 
@@ -3,6 +3,7 @@ id: 1d61c474-3cd6-4c23-8c68-f128ac4b209b version: 1 date: '2023-11-27' author: Michael Haag, Splunk +status: production description: 'This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.' narrative: 'This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.' references: diff --git a/stories/windows_bootkits.yml b/stories/windows_bootkits.yml index 0ca7e4baeb..e7e28cc70c 100644 --- a/stories/windows_bootkits.yml +++ b/stories/windows_bootkits.yml 
@@ -3,6 +3,7 @@ id: 1bef004d-23b2-4c49-8ceb-b59af0745317 version: 1 date: '2023-05-03' author: Michael Haag, Splunk +status: production description: Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. narrative: A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. diff --git a/stories/windows_certificate_services.yml b/stories/windows_certificate_services.yml index d2985db1a3..6c7a1f7225 100644 --- a/stories/windows_certificate_services.yml +++ b/stories/windows_certificate_services.yml 
@@ -3,6 +3,7 @@ id: b92b4ac7-0026-4408-a6b5-c1d20658e124 version: 1 date: '2023-02-01' author: Michael Haag, Splunk +status: production description: Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. narrative: The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK) references: diff --git a/stories/windows_defense_evasion_tactics.yml b/stories/windows_defense_evasion_tactics.yml index b700bfb835..d0e0023c25 100644 --- a/stories/windows_defense_evasion_tactics.yml +++ b/stories/windows_defense_evasion_tactics.yml 
@@ -3,6 +3,7 @@ id: 56e24a28-5003-4047-b2db-e8f3c4618064 version: 2 date: '2024-09-24' author: David Dorsey, Splunk +status: production description: 'Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others' diff --git a/stories/windows_discovery_techniques.yml b/stories/windows_discovery_techniques.yml index ea5d23e596..35401db53c 100644 --- a/stories/windows_discovery_techniques.yml +++ b/stories/windows_discovery_techniques.yml @@ -3,6 +3,7 @@ id: f7aba570-7d59-11eb-825e-acde48001122 version: 1 date: '2021-03-04' author: Michael Hart, Splunk +status: production description: Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack. narrative: Attackers may not have much if any insight into their target's environment diff --git a/stories/windows_dns_sigred_cve_2020_1350.yml b/stories/windows_dns_sigred_cve_2020_1350.yml index 896a58e58d..778c179201 100644 --- a/stories/windows_dns_sigred_cve_2020_1350.yml +++ b/stories/windows_dns_sigred_cve_2020_1350.yml @@ -3,6 +3,7 @@ id: 36dbb206-d073-11ea-87d0-0242ac130003 version: 1 date: '2020-07-28' author: Shannon Davis, Splunk +status: production description: Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker diff --git a/stories/windows_drivers.yml b/stories/windows_drivers.yml index 0788a08230..64313d67de 100644 --- a/stories/windows_drivers.yml +++ b/stories/windows_drivers.yml 
@@ -3,6 +3,7 @@ id: d0a9323f-9411-4da6-86b2-18c184d750c0 version: 1 date: '2022-03-30' author: Michael Haag, Splunk +status: production description: Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. narrative: A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\system32\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. diff --git a/stories/windows_error_reporting_service_elevation_of_privilege_vulnerability.yml b/stories/windows_error_reporting_service_elevation_of_privilege_vulnerability.yml index b7c5ec28eb..4fd737c217 100644 --- a/stories/windows_error_reporting_service_elevation_of_privilege_vulnerability.yml +++ b/stories/windows_error_reporting_service_elevation_of_privilege_vulnerability.yml 
@@ -3,6 +3,7 @@ id: 64dea1e5-2c60-461f-b886-05580ed89b5c version: 1 date: '2023-08-24' author: Michael Haag, Splunk +status: production description: In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature. narrative: In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for "0day" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874. diff --git a/stories/windows_file_extension_and_association_abuse.yml b/stories/windows_file_extension_and_association_abuse.yml index 6316df6053..4e0b5c99a9 100644 --- a/stories/windows_file_extension_and_association_abuse.yml +++ b/stories/windows_file_extension_and_association_abuse.yml 
@@ -3,6 +3,7 @@ id: 30552a76-ac78-48e4-b3c0-de4e34e9563d version: 1 date: '2018-01-26' author: Rico Valdez, Splunk +status: production description: Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different diff --git a/stories/windows_log_manipulation.yml b/stories/windows_log_manipulation.yml index 9f4d430af5..96179a28d8 100644 --- a/stories/windows_log_manipulation.yml +++ b/stories/windows_log_manipulation.yml @@ -3,6 +3,7 @@ id: b6db2c60-a281-48b4-95f1-2cd99ed56835 version: 2 date: '2017-09-12' author: Rico Valdez, Splunk +status: production description: Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense. diff --git a/stories/windows_persistence_techniques.yml b/stories/windows_persistence_techniques.yml index 246c73b6a2..1186855ba4 100644 --- a/stories/windows_persistence_techniques.yml +++ b/stories/windows_persistence_techniques.yml @@ -3,6 +3,7 @@ id: 30874d4f-20a1-488f-85ec-5d52ef74e3f9 version: 2 date: '2018-05-31' author: Bhavin Patel, Splunk +status: production description: Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment. narrative: Maintaining persistence is one of the first steps taken by attackers after diff --git a/stories/windows_post_exploitation.yml b/stories/windows_post_exploitation.yml index ec3e4e8a17..8130205f46 100644 --- a/stories/windows_post_exploitation.yml +++ b/stories/windows_post_exploitation.yml 
@@ -3,6 +3,7 @@ id: 992899b7-a5cf-4bcd-bb0d-cf81762188ba version: 1 date: '2022-11-30' author: Teoderick Contreras, Splunk +status: production description: This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more. narrative: These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the "Prestige ransomware" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted diff --git a/stories/windows_privilege_escalation.yml b/stories/windows_privilege_escalation.yml index fcecb3d990..d367f96e05 100644 --- a/stories/windows_privilege_escalation.yml +++ b/stories/windows_privilege_escalation.yml @@ -3,6 +3,7 @@ id: 644e22d3-598a-429c-a007-16fdb802cae5 version: 2 date: '2020-02-04' author: David Dorsey, Splunk +status: production description: Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more. diff --git a/stories/windows_registry_abuse.yml b/stories/windows_registry_abuse.yml index f38fad42ea..9d7c90ceb5 100644 --- a/stories/windows_registry_abuse.yml +++ b/stories/windows_registry_abuse.yml @@ -3,6 +3,7 @@ id: 78df1df1-25f1-4387-90f9-c4ea31ce6b75 version: 1 date: '2022-03-17' author: Teoderick Contreras, Splunk +status: production description: Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications diff --git a/stories/windows_service_abuse.yml b/stories/windows_service_abuse.yml index 9f196c709e..036fcb482c 100644 --- a/stories/windows_service_abuse.yml 
+++ b/stories/windows_service_abuse.yml @@ -3,6 +3,7 @@ id: 6dbd810e-f66d-414b-8dfc-e46de55cbfe2 version: 3 date: '2017-11-02' author: Rico Valdez, Splunk +status: production description: Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are diff --git a/stories/windows_system_binary_proxy_execution_msiexec.yml b/stories/windows_system_binary_proxy_execution_msiexec.yml index 9d96a9c31e..9d08d81b42 100644 --- a/stories/windows_system_binary_proxy_execution_msiexec.yml +++ b/stories/windows_system_binary_proxy_execution_msiexec.yml @@ -3,6 +3,7 @@ id: bea2e16b-4599-46ad-a95b-116078726c68 version: 1 date: '2022-06-16' author: Michael Haag, Splunk +status: production description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). narrative: Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled. references: diff --git a/stories/winrar_spoofing_attack_cve_2023_38831.yml b/stories/winrar_spoofing_attack_cve_2023_38831.yml index cbe11a8304..b6559c8efd 100644 --- a/stories/winrar_spoofing_attack_cve_2023_38831.yml +++ b/stories/winrar_spoofing_attack_cve_2023_38831.yml 
@@ -3,6 +3,7 @@ id: 9ba776f3-b8c5-4390-a312-6dab6c5561b9 version: 1 date: '2023-08-29' author: Michael Haag, Splunk +status: production description: Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege. narrative: Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. diff --git a/stories/winter_vivern.yml b/stories/winter_vivern.yml index 3c4c58cc0f..893645f94f 100644 --- a/stories/winter_vivern.yml +++ b/stories/winter_vivern.yml 
@@ -3,6 +3,7 @@ id: 5ce5f311-b311-4568-90ca-0c36781d07a4 version: 1 date: '2023-02-16' author: Teoderick Contreras, Splunk +status: production description: Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators. narrative: The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task. references: diff --git a/stories/wordpress_vulnerabilities.yml b/stories/wordpress_vulnerabilities.yml index ce4a55b09d..e5f3253bcd 100644 --- a/stories/wordpress_vulnerabilities.yml +++ b/stories/wordpress_vulnerabilities.yml @@ -3,6 +3,7 @@ id: baeaee14-e439-4c95-91e8-aaedd8265c1c version: 1 date: '2024-02-22' author: Michael Haag, Splunk +status: production description: This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. narrative: The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. references: 
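Review bot: the new stories/windealer_rat.yml ends without a trailing newline (`\ No newline at end of file` after `usecase: Advanced Threat Detection`), unlike the other story files; add the newline so the file is consistent and future diffs stay clean. The malware name is also spelled two ways in the same file, `name: WinDealer RAT` versus "Windealer" throughout `description` and `narrative`; pick one spelling (the Malpedia reference uses "WinDealer") so searches over story text match.

Review bot: the windows_applocker.yml hunk ends with a stray `\` immediately after the narrative context line "thereby enhancing the security posture of an organization.", which reads as a truncated no-newline-at-end-of-file marker; worth confirming the file ends with a newline while `status: production` is being added.

Review bot: in the windows_attack_surface_reduction.yml hunk the `description` and `narrative` context open with the same four sentences verbatim ("This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard ..."), and `narrative` then repeats the closing sentence of `description` before adding the block/audit event ID detail; since the file is being edited, trim `description` to a short summary and leave the detail in `narrative` so the two fields stop duplicating each other.

Review bot: in the windows_certificate_services.yml hunk the narrative context runs two sentences together at "via various crypto APIs.With appropriate enrollment rights"; a space is missing after the period and is an easy fix in the same commit.

Review bot: in the wordpress_vulnerabilities.yml hunk the narrative context states the same sentence twice in a row ("The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes."), and it also duplicates the second sentence of `description`; drop the repeated sentence so the story text carries some information the description does not.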
diff --git a/stories/ws_ftp_server_critical_vulnerabilities.yml b/stories/ws_ftp_server_critical_vulnerabilities.yml index 909f19a49d..32625f6aa4 100644 --- a/stories/ws_ftp_server_critical_vulnerabilities.yml +++ b/stories/ws_ftp_server_critical_vulnerabilities.yml 
@@ -3,6 +3,7 @@ id: 60466291-3ab4-452b-9c11-456aa2dc7293 version: 1 date: '2023-10-01' author: Michael Haag, Splunk +status: production description: A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023. narrative: Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. references: diff --git a/stories/xmrig.yml b/stories/xmrig.yml index b9768c5c04..cd94009b32 100644 --- a/stories/xmrig.yml 
+++ b/stories/xmrig.yml @@ -3,6 +3,7 @@ id: 06723e6a-6bd8-4817-ace2-5fb8a7b06628 version: 1 date: '2021-05-07' author: Teoderick Contreras, Rod Soto Splunk +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting diff --git a/stories/xorddos.yml b/stories/xorddos.yml index 4186ee24f2..d454d7fd86 100644 --- a/stories/xorddos.yml +++ b/stories/xorddos.yml 
@@ -3,6 +3,7 @@ id: 0958965b-82ea-48d0-bc00-01f1457bc93f version: 1 date: '2024-12-17' author: Teoderick Contreras, Splunk +status: production description: XorDdos is a sophisticated Linux malware that compromises devices to conduct high-capacity Distributed Denial of Service (DDoS) attacks. It employs XOR-based encryption to conceal its communications and utilizes rootkit capabilities to evade detection. The malware typically infiltrates systems through brute-force attacks on SSH services, enabling unauthorized access. Once installed, it can launch DDoS attacks exceeding 150 Gbps. To detect XorDdos, monitor for unusual network traffic patterns, unexpected processes, and unauthorized access attempts. Implementing strong, unique passwords and regularly updating system security measures are essential to mitigate the risk of infection. narrative: XorDdos is a sophisticated Linux malware strain known for leveraging infected devices to launch high-capacity Distributed Denial of Service (DDoS) attacks. First identified in 2014, XorDdos has evolved with advanced techniques to maintain stealth and effectiveness. The malware primarily targets Linux-based systems, infiltrating them through brute-force attacks on SSH services. Once compromised, it uses XOR-based encryption to mask its malicious activities and rootkit capabilities to evade detection. Detection involves monitoring for unusual system behavior, such as spikes in CPU usage, unexpected network traffic, and unauthorized SSH access attempts. Preventative measures include implementing strong passwords, disabling unused services, and ensuring systems are patched with the latest security updates. As this malware continues to adapt, maintaining robust cybersecurity practices is essential to defend against its growing threat. references: diff --git a/stories/zscaler_browser_proxy_threats.yml b/stories/zscaler_browser_proxy_threats.yml index 6c617d3011..7fffa92bd8 100644 --- a/stories/zscaler_browser_proxy_threats.yml 
+++ b/stories/zscaler_browser_proxy_threats.yml @@ -3,6 +3,7 @@ id: 5d4ba315-39df-4309-982f-a7052efccffd version: 1 date: '2023-10-25' author: Rod Soto, Gowthamaraj Rajendran +status: production description: Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment. narrative: Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network. references:
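Review bot: in the stories/winrar_cve_2023_38831_vulnerability hunk (and identically in every other story hunk in this patch) the new `status: production` line is inserted between `author:` and `description:` with the same value for all stories; if `status` is meant to control which stories are shipped or tested, confirm that each story was actually assessed as production-ready rather than bulk-defaulted, and document the accepted values for the field alongside the story template so future stories set it deliberately.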
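Review bot: in the stories/wordpress_vulnerabilities.yml hunk the `narrative:` context line repeats the same sentence twice ("The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.") and otherwise just restates `description:`; since this file is being touched anyway, consider trimming the duplicate sentence and giving the narrative content the description does not already carry (which plugins/themes or log sources the analytics cover).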
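Review bot: in the stories/xmrig.yml hunk the `author:` context line reads "Teoderick Contreras, Rod Soto Splunk", missing the separator between the second author and the organisation that every other story in this patch uses ("Michael Haag, Splunk"); suggest "author: Teoderick Contreras, Rod Soto, Splunk" so the field parses consistently with its siblings.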